How to Detect Malware and Keyloggers on macOS
Even if you suspect your Mac is infected, it can be very difficult to be 100% sure. One effective way to detect malware is to analyze process behavior, such as monitoring for keyboard input interception or programs that launch at every system startup. With the free tools ReiKey and KnockKnock, you can uncover keyloggers and other suspicious applications that try to hide and persist on your system.
How Malware and Keyloggers Get on macOS
There are many ways keyloggers or other types of malware can infiltrate a Mac. This could happen through an infected file, a hacker using a USB Rubber Ducky device, or, more commonly, a jealous partner or overprotective family member trying to track your activity.
Malware on macOS
Patrick Wardle, a former NSA hacker, researches Apple device malware and has created several tools to improve macOS security. On his website, https://objective-see.com/, Patrick shares real macOS malware samples for other researchers to study. Some malware found in the wild is truly shocking. A simple search for keyloggers reveals at least five different types specifically designed for macOS.
Figure 1: List of keyloggers created for macOS
How to Protect Against macOS Malware
With so many types of malware, how can you protect yourself? Patrick recommends analyzing the behavior of malicious programs rather than relying solely on signature-based detection. For example, a keylogger taps into the keyboard event stream, which lets an attacker intercept every keystroke, take over accounts, and monitor communications. To survive a reboot, malware also has to relaunch automatically after the user logs in, so the victim only needs to open the malicious file once.
Detecting New Types of Malware with ReiKey and KnockKnock
ReiKey searches for keyloggers by looking for programs connected to the keyboard event stream. This method helps you find all keyboard spies installed on your system, not just those in antivirus signature databases.
Since keyloggers must persist, you can also use the free tool KnockKnock to detect them. KnockKnock sorts every persistent program into understandable categories, including the ones malware commonly abuses: browser extensions, launch items (such as launch daemons and agents), kernel modules, and plugins.
Figure 2: Categorization of persistent programs in KnockKnock
After scanning your system, KnockKnock checks all persistent programs against the VirusTotal service.
Figure 3: Detailed information about the Adblock Plus extension
To inspect any item, click its “Info” icon. If VirusTotal flags a file as suspicious, your system is likely compromised with malware, adware, or other unwanted software.
The video below demonstrates testing a macOS system with these tools.
What You’ll Need
- A Mac with all updates installed
- Internet connection
- A browser to download KnockKnock and ReiKey
Step 1: Download the Tools from Objective-See.com
Go to the ReiKey app page and click the Download link under the icon in the top left corner.
Figure 4: ReiKey app section
Download and extract the installer. Double-click “ReiKey Installer.app” to launch the installer.
Step 2: Install ReiKey
After launching the installer, click “Install” to begin.
Figure 5: ReiKey installer interface
Once installation is complete, click “Next” to close the installer. You should now see an icon in the menu bar for accessing ReiKey settings.
Figure 6: Installation complete
Click the ReiKey icon in the menu bar and go to “Preferences” to configure options such as launching at login, showing the status bar icon, and ignoring Apple apps.
Figure 7: ReiKey preferences section
When I launched a Python-based keylogger, I received the following warning on my device:
Figure 8: Notification about new keyboard event stream access
Step 3: Scan for Keyboard Spies
After installing and configuring ReiKey, you’re ready to scan your system. Click the status bar icon again and start a scan. After a short while, a window will display the results, showing any programs with access to the keyboard event stream.
Figure 9: Scan results
In the example above, nothing was found. If the list isn’t empty, every app on it can see each keystroke you type, so check whether you recognize each one.
Step 4: Install KnockKnock
Go to the KnockKnock app page and click the Download link under the icon in the top left corner.
Figure 10: KnockKnock app section
After downloading, you can run KnockKnock immediately without installation.
Step 5: Scan Your System
Open “KnockKnock.app”, then click the arrow icon to start scanning. On the latest macOS versions (such as Catalina), you’ll need to grant the app access to various folders and programs.
Figure 11: KnockKnock interface
After scanning, you’ll see a list of persistent programs, many of which are harmless. Carefully review each one. If you find browser extensions you didn’t install, it’s best to remove them.
Figure 12: List of found browser extensions
You may also find apps with suspicious characteristics, such as an unsigned script set to run persistently, indicated by an open lock icon.
Figure 13: Example of a suspicious unsigned script
Click the “Info” icon for more details.
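As an added example (not part of the original article or of the Objective-See tools), the script below enumerates the launchd agents and daemons that KnockKnock's launch-items category covers and flags the traits worth a second look: interpreter-launched scripts, hidden or temporary paths, and files that fail codesign (the unsigned items KnockKnock marks with the open lock). It assumes the standard launchd directories and the macOS codesign tool; the two sample plists it writes are constructed test data, not real indicators.

```python
import plistlib, shutil, subprocess, tempfile
from pathlib import Path

# Directories launchd reads at boot/login: system daemons, system agents, per-user agents.
LAUNCH_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents", Path.home() / "Library/LaunchAgents"]
INTERPRETERS = {"python", "python3", "osascript", "sh", "bash", "zsh", "perl", "ruby"}
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")

def parse_launch_item(plist_path):
    """Pull the persistence-relevant keys out of one launchd plist (XML or binary)."""
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)
    args = list(data.get("ProgramArguments", []))
    return {"label": data.get("Label", Path(plist_path).stem), "args": args,
            "program": data.get("Program") or (args[0] if args else None),
            "auto_start": bool(data.get("RunAtLoad") or data.get("KeepAlive"))}
def signature_ok(path):  # codesign verdict on macOS; None when codesign or the file is absent
    if not Path(path).exists() or shutil.which("codesign") is None:
        return None
    return subprocess.run(["codesign", "--verify", "--strict", path], capture_output=True).returncode == 0
def suspicious_reasons(item):
    """Review heuristics in the spirit of KnockKnock; an empty list means nothing stood out."""
    program, args = item["program"], item["args"]
    if not program:
        return ["no executable path"]
    reasons, target = [], program
    if Path(program).name in INTERPRETERS:  # e.g. python3 /path/to/script.py
        reasons.append("interpreter launch: " + " ".join(args))
        target = args[1] if len(args) > 1 else program  # review the script, not the interpreter
    if not target.startswith(TRUSTED_PREFIXES):
        reasons.append("outside trusted locations: " + target)
    if target.startswith(("/tmp/", "/private/tmp/")) or any(p.startswith(".") for p in Path(target).parts):
        reasons.append("hidden or temp path: " + target)
    if signature_ok(target) is False:  # unsigned: what KnockKnock marks with the open-lock icon
        reasons.append("codesign verification failed: " + target)
    return reasons
def scan(dirs=LAUNCH_DIRS):  # one record per plist found, with review reasons attached
    items = [parse_launch_item(p) for d in dirs if Path(d).is_dir() for p in sorted(Path(d).glob("*.plist"))]
    for item in items:
        item["reasons"] = suspicious_reasons(item)
    return items
def write_constructed_samples(directory=None):  # constructed test data, not real indicators
    directory = Path(directory or tempfile.mkdtemp())
    for data in [{"Label": "com.example.updater", "RunAtLoad": True,
                  "ProgramArguments": ["/usr/bin/python3", "/Users/victim/.hidden/agent.py"]},
                 {"Label": "com.example.helper", "Program": "/usr/libexec/helper"}]:
        with open(directory / (data["Label"] + ".plist"), "wb") as fh:
            plistlib.dump(data, fh)
    return directory
```

Run `scan()` on a Mac to list the real launch items with their reasons, or `scan([write_constructed_samples()])` to see the heuristics fire on the constructed agent and stay quiet on the benign helper.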
Step 6: Check Suspicious Files
To learn more about a file, check the VirusTotal information, which shows the detection rate and a link to a detailed report. To rescan a file, click “rescan” to send it to VirusTotal again.
Figure 14: VirusTotal file information
Rescanning gives you access to a detailed report, such as the one for the previously detected unsigned “Tor” app.
Figure 15: Detailed report on the Tor app
At first glance, the file may not look malicious, but if it were, now you know how to find out for sure.
Conclusion
Detecting malware can be challenging for the average macOS user, but with ReiKey and KnockKnock, you can quickly find suspicious apps—even right after installation. If you suspect a partner has installed a keylogger, a coworker is spying on your activity, or unwanted adware is hogging memory, these tools will help.
Be sure to check out other free tools at objective-see.com.
We hope this guide to using ReiKey and KnockKnock for detecting malware on macOS was helpful!