Monitor:OSX/Realtimespy

Classification

Category: Spyware

Type: Monitoring-tool

Aliases: Monitor:OSX/Realtimespy.[variant]!Online

Summary

Monitor:OSX/Realtimespy is a program that can be remotely installed on a device. Once installed, the program tracks activities that take place on the monitored device and logs details of those activities to a remote site, where they can be viewed by the program's administrator.

Removal

Based on the settings of your F-Secure security product, it may block the file from running, move it to the quarantine where it cannot spread or cause harm, or ask you to select an action.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Monitor:OSX/Realtimespy is a monitoring-tool program available for sale online. Its website states that the program is intended for use by parents or businesses to monitor activity on computers under their legitimate administration.

Distribution/arrival

As of November 2018, a small spam email campaign has been observed distributing the Realtimespy monitoring-tool to unsuspecting users.

The campaign uses email messages that are deliberately crafted to target Mac users who use the Exodus cryptocurrency wallet. To make the email appear authentic, it uses the subject line "Update 1.64.1 Release - New Assets and more"; the file attached to the email is named "Exodus-MacOS-1.64.1-update.zip".

Installation

If the file attached to the spam email is launched, it will install the monitoring-tool onto the computer.
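The subject line and attachment name above are the only campaign indicators this description gives. The following Python script is an added example, not F-Secure's code or tooling: it parses a raw email message with the standard library, extracts the subject and attachment filenames, and flags a message that matches this lure or that carries a zip attachment posing as an Exodus update. The two sample messages it builds (sender, recipient, body text and the zip payload bytes) are constructed for the example and are not real campaign artefacts.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators taken from the description of the November 2018 campaign.
LURE_SUBJECT = "Update 1.64.1 Release - New Assets and more"
LURE_ATTACHMENT = "Exodus-MacOS-1.64.1-update.zip"


def attachment_names(msg):
    """Return the filenames of all parts that carry a filename."""
    names = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            names.append(filename)
    return names


def classify_message(raw_bytes):
    """Parse a raw RFC 822 message and report why (if at all) it looks like the lure."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    subject = str(msg["subject"] or "").strip()
    names = attachment_names(msg)
    reasons = []

    if subject.casefold() == LURE_SUBJECT.casefold():
        reasons.append("subject matches the Realtimespy lure")

    for name in names:
        lowered = name.casefold()
        if lowered == LURE_ATTACHMENT.casefold():
            reasons.append(f"attachment name matches the lure: {name}")
        elif lowered.endswith(".zip") and "exodus" in lowered:
            # Broader heuristic: any zip presented as an Exodus update is worth a look.
            reasons.append(f"zip attachment posing as an Exodus update: {name}")

    return {
        "subject": subject,
        "attachments": names,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def build_sample(subject, attachment_name, payload):
    """Build a constructed test message with one binary attachment (example data only)."""
    msg = EmailMessage()
    msg["From"] = "updates@example.invalid"   # constructed sender, not from the campaign
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("A new release is available. See the attached installer.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: the zip bytes are a placeholder, not a real archive.
LURE_SAMPLE = build_sample(LURE_SUBJECT, LURE_ATTACHMENT, b"PK\x03\x04 placeholder")
BENIGN_SAMPLE = build_sample("Quarterly newsletter", "notes.txt", b"plain text notes")


if __name__ == "__main__":
    for label, sample in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = classify_message(sample)
        print(label, "suspicious" if result["suspicious"] else "clean", result["reasons"])
```

Exact-match indicators like these age quickly; the zip-plus-"exodus" heuristic shows how to generalise a lure check without inventing indicators the description does not contain. Run the same function over mailbox exports or a mail gateway's quarantine to find earlier deliveries of the campaign.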

Actions

Once installed, the monitoring-tool can perform a variety of actions that may compromise the user's security and/or privacy, including:

  • Logging all keystrokes typed
  • Logging websites visited
  • Logging web searches made
  • Logging programs used
  • Logging emails or messages sent
  • Taking screenshots
  • Transmitting logs to a remote site

The logs of all tracked activities are made available for review by the program's administrator on an associated website.

More information

For more technical details of the spam campaign and the monitoring-tool, see: