How To Detect A Hacker On Mac

This post may contain affiliate links. As an Amazon Associate I earn from qualifying purchases made on our website. If you make a purchase through links from this website, I may earn a commission at no additional cost to you. Read my full disclosure.

You turn on your MacBook and feel that something is wrong: some files have disappeared, or new files were added. You wonder if someone has been watching your computer.

Mar 09, 2015 Original title: Detecting system hacking. How can you detect if there is a hacker accessing your PC activity! I know there are many different ways to hack someones system such as key loggers, Monitoring software that sometimes parents use for kids, Administrative User accounts that are placed on your system before you get it, and various other ways.

So, how to tell if someone is remotely accessing your MacBook? You need to check your logs, verify that no new users were created, make sure that remote login, screen sharing and remote management are disabled, and no spyware is running on your computer.

First things first. If you suspect that someone is controlling your laptop and if there is a chance that they watching you thru the webcam immediately apply a cover on laptop’s webcam. You can find my favorite webcam covers here.

What is remote access and how is it configured on MacBooks?

There are three ways to access MacOS remotely: allow remote logins from another computer, enable Screen Sharing or allow access by using Remote Desktop. Both ways are legitimate, but if you don’t remember doing any of them you need to know how to turn on and off those possibilities.

Remote login to MacOS

Computers that run MacOS as an operating system can log in to your Mac using Secure Shell (SSH). Steps to enable remote login are the following:

Go to System Preferences. You can get there by clicking on the apple icon on the left of the top bar. After you clicked on apple icon you will see a drop-down menu where you should click on System Preferences menu item.
Find Sharing folder and double click. Click on Remote Login checkbox on the left.
Now you have the option to allow access either for all user or only specific users.

Once Remote Login is enabled then users with access can use SSH to log in and browse your computer’s contents.

Access to Mac screen using Screen Sharing

If you need help from IT to make changes on your MacBook or maybe you are collaborating on a project and want to share your screen you can enable Screen Sharing. Steps to enable as follows:

Go to System Preferences.
Find Sharing folder and double click. Click on Screen Sharing checkbox on the left.
Allow access either for all user or only specific users.

Now on another Mac (from which you want to access to your Mac) start Screen Sharing app. You can start it by clicking Command and Space buttons. In a popup form type Sharing and hit Enter. Type your computer name. In my case, I had to type in “dev-pros-MacBook-Pro.local”.

A new window will pop up with the shared screen of another computer. Now you can control the screen.

Remote Desktop with Remote Management

Finally, it is possible to login to a computer with MacOS by enabling Remote Desktop. Steps to enable as follows:

Go to System Preferences.
Find Sharing folder and double click. Click on Remote Management check box on the left.
Allow access either for all user or only specific users.
There will be different Sharing options where you can fine-tune the type of access to allow: observe, change settings, delete, copy and even restart the computer.

Now you can access this Mac from Apple Remote Desktop – it’s an application you can buy from Apple Store and at the time of writing it’s cost was $79.99.

If your Mac is being monitored, it will show this image (two rectangles) in the top right-hand corner near your computer time:

When that symbol appears, you will be able to tell if you are being monitored. You can also disconnect the viewer by clicking on Disconnect option:

You can also click on “Open Sharing Preferences…” which will open Sharing folder in System Preferences.

Since the question you had was if someone remotely accessing your computer then the chances are that you don’t need any of sharing capabilities mentioned above.

How To Detect A Hacker On Mac Windows 10

In this case, check all options on Sharing folder under System Preferences to make sure that nobody is allowed to access it and turn off (uncheck) all options.

Verify if new users were created

As we’ve seen already remote login or sharing options require assigning access roles to the local users. If your system was hacked it is very likely that the hacker has added a new user to access it. To find out all users in MacOS perform the following steps:

Start Terminal app by either going to Applications and then Utilities folder or clicking Command and Space and typing Terminal in the popup window.
In the Terminal window type:

On my laptop it listed dev1, nobody, root and daemon.

If you see the accounts, you do not recognize then they probably have been created by a hacker.

In order to find when the user account was used to log in last time type the following command into the Terminal:
last

For each account, MacOS will list the times and dates of logins. If the login to any of the accounts happened at an abnormal time, it is possible that a hacker used a legitimate account to log in.

Check the logs

It may be useful to check the system logs for any possible access issues.

In order to find a system log, click on Go option in the top menu or simultaneously click Shift, Command and G. In the “Go to Folder” popup type: /var/log and hit Enter.

Now find system.log file and scan for word sharing. For instance, I found following screen sharing log entries:

These were log entries when someone logged in to my system remotely:

Check for spyware

If you are still suspecting that spyware is running on your machine you can use a third party application like Little Snitch which monitors applications, preventing or permitting them to connect to attached networks through advanced rules. Setting up the rules for Little Snitch, however, could be complicated.

One of the common spyware applications is a keystroke logger or keylogger. Keyloggers used to be apps that record the letters you type on the keyboard, but they significantly in last years. Suffice to day that keyloggers can take screenshots every 30 seconds or even track your chat activity, including the messages sent to you.

I believe that keyloggers are much greater security threat because they are easier to install and the powerful features they offer. Check my article about keyloggers here: How to know if my Mac has a keylogger

Security Best Practices

How To Detect A Hacker On Mac Laptop

1.Change passwords regularly
One thing you should immediately if you are suspecting that someone is logging to your system is to change your password. And the password should be complex enough so that other people wouldn’t be able to guess it. This means avoiding using things like birthdate, first or last name or relatives, house or apartment number, etc. As a rule of thumb the password must be long enough (8 – 32 characters) and include at least 3 of the following character types:

Uppercase letter (A-Z)
Lowercase letter (a-z)
Digit number (0-9)
Special characters such as ~!@#$%^&*

2.Enable Security Updates by clicking on “Automatically keep my Mac up to date” in Software Update folder in System Preferences.

3. Install Antivirus. I received a lot of emails where people described suspicious activity on their Macs. I found that in about 60-70% cases, the culprit was malwareand not someone breaking into the computer. It’s a myth that Macs don’t get viruses. If you need proof check the next article I wrote after testing 12 antivirus programs after injecting 117 malware samples on my Mac:

Last Updated on

Every month or so I get scam messages demanding payments in Bitcoins for the images of me they allegedly took using my webcam. They claim that they use keyloggers to control my computer.

So, how to know if your Mac has a keyLogger? There are two types of keyloggers: hardware and software. Examine external USB devices connected to the Mac for hardware keyloggers. Use Activity Monitor to look for unknown processes when checking for software keylogger. Check Privacy options in System Preferences for applications with too much privileges. Install tools such as Malwarebytes and MacScan and scan computer.

How do Keyloggers Work

Keylogger or keystroke logger is a spyware application that runs invisibly for users and logs (saves on the local disk or sends to the cloud) every key that users press on the computer.

Usually, keyloggers are used by hackers to collect your credit card information you enter on various web sites. They also collect your usernames and passwords, so they can steal money from your bank accounts.

The goal of a keylogger is not to collect information for as long as possible, that’s why you may never know that it was installed.

It does not suddenly slow down your computer (unless it is sending information over the internet), it does not pop up scary messages in Safari or Chrome, it does not redirect your browser to wrong web sites. It just quietly hides on your computer and gathers your data in order to use it later.

How keyloggers get installed

Typically, they get installed as part of free software you download from the Internet. The free software may contain a keylogger code inside of it so the former installs the latter on the computer.

Once installed the keyloggers starts collecting information and sends it to storage in the cloud where the hacker can access it. Keyloggers can also be installed as browser extensions.

Hardware keyloggers

There are two types of keyloggers: hardware and software. While hardware keyloggers apply mostly to desktops they are impossible to detect with the software. The hardware keylogger is usually attached to the computer and a keyboard is attached to the device.

Every time you press a key on the keyboard the device records it in its local storage and then passes the key information to the computer. If you want, you can buy a hardware keylogger on Amazon.

How To Detect A Hacker On Mac Computer

Software-based keystroke loggers are much more powerful because they run on the computer itself and they have access to the entire computer, not just a keyboard.

Is Keylogger Malware?

A keylogger can be either malware, like rootkit, or legitimate software installed on your computer. Commercial applications that log the keyboard input on the computer can be installed by parents who want to monitor which sites their children are visiting on the Internet. Or the company may want to track employee activities.

Believe it or not, you can easily download and install a keylogger on your own Mac. Most popular keyloggers for Mac OS are:

Perfect Keylogger for Mac

Besides recording key presses these tools are capable of capturing screenshots, data in the clipboard, keep web browsing history.

In case of chat applications such as Skype, Viber or iMessage they can log messages from both sides: anything typed on your computer and incoming chat messages.

Some keyloggers are equipped with geolocation features. If the MacBook was stolen, they can be used to track it down because they will secretly send keystrokes and screenshots to the cloud. Keyloggers can also control your webcam and record videos or you can watch live from another computer.

You decide if it is ethical or legal to spy after children, spouse or employees. The goal of this article is to educate people about possibilities and describe ways to protect yourself from spying.

How to Install a Keylogger on Mac

To test how MacScan and Malwarebytes are capable of finding keyloggers I decided to install all four keyloggers on my Mac.

IMPORTANT: I don’t endorse any keylogger here. Moreover, if you want to avoid getting malware on your Mac, do not download software from anywhere except Apple App Store. Personally, I do not trust any of the above-mentioned keyloggers, so before installing them on my MacBook I did the following:

Took a backup of my drive
Reset MacBook to factory settings
Installed and tested keyloggers so I can report my findings here
Restored everything from the backup.

There is something fundamentally sleazy about spying after other people. No wonder that installing a keylogger reminded me of installing apps with potential viruses in it.

Elite Keylogger sent me to a jumpshare url, it didn’t let me download from their site. The problem I had with installing Elite is that its installer did not want to close, so I had to force shutdown my Mac. Check here if you want to know more about potential issues with force shutdowns.

The Perfect Keylogger sent me two emails: one with the link from which I could download an encrypted zip file and another with the password for the zip file. Google immediately flagged both messages as dangerous spam.

Spyrix and Aobo didn’t have such problems and Refog looked like a legit app with a proper installer. The interesting thing is that I was able to install all 5 of them at the same time and all four of them were recording keystrokes.

Does Malwarebytes or MacScan detect keyloggers?

Once I installed Malwarebytes it immediately recognized Elite keylogger as malware and put into quarantine. It was also able to detect Aobo and Refog. Unfortunately, it didn’t find anything wrong with Perfect Keylogger and Spyrix.

MacScan was more successful: it found 4 out of 5 apps, but it still missed Perfect Keylogger.

Conclusion: If you want to install a keylogger on your Mac go with Perfect one from Blazing tools. It didn’t get detected by either Malwarebytes or MacScan.

But again, do it at your own risk. If you ask my opinion, I would never install such an application on the computer where I entered my credit card information or password to my bank accounts.

On the other hand, I was disappointed with Malwarebytes and MacScan missing some apps. This experiment does not give me high confidence in malware protection tools.

So, what would I recommend you do if you believe that there is a keylogger app on your MacBook? Reset and reinstall your MacOS and immediately change all passwords for all web sites you were using.

Keylogger myths

Some people suggest a couple of workarounds that in their opinion can trick keyloggers. One of them is to use software-based keyboards. You can start such a keyboard by going to System Preferences and clicking on the “Keyboard” icon.

In “Input Sources” tab click on “Show input menu in menu bar”. Once you do it you can see a keyboard icon in the top bar near the battery icon. If you click on that icon and select “Show Keyboard Viewer” it will bring a software keyboard which you can use to type information and which supposedly will not be tracked by a keylogger.

Another workaround is to type a part of the password or the credit card number in the browser, then bring up a text editor, type a garbage text in it, switch back to the browser and type the second part of the secret password.

These workarounds possibly worked a long time ago when malware was not sophisticated, but now when they can take screenshots and have some intelligent software, I would not rely on the workarounds anymore.

How to Detect Keylogger on Mac with Activity Monitor

Some people suggest checking for malware in Activity Monitor. The typical suggestion is to bring up the Activity Monitor and find the application that looks suspicious or you do not recognize.

This advice may work for someone who knows all applications running on Mac, but for an average user, all applications running on Mac are unfamiliar.

I am not claiming this is impossible however. For instance, Spyrix Keylogger appear in Activity Monitor as skm, and Perfect Keylogger as DashboardClient.

What to do when getting a scam email?

As said in the beginning everyone is getting emails which state that they set up malware on the certain web sites and “your browser began working as a RDP that has a key logger which provided me access to your display as well as cam”. It continues with a threat to send embarrassing information to your friends unless “you will make the payment via Bitcoin”.

Normally, these emails end up in a Spam folder, but if you are using an email other than Gmail chances are that they will appear in your Inbox. So, what should you do in this case? The answer is to Delete the email. This is called extortion

The hackers send such emails to millions of people with the hope that someone will be scared and will pay a ransom. They do not install keyloggers, it is cheaper to scare people by sending emails then target specific people.

How to Detect Commercial Keyloggers on Mac?

If you suspect that someone you know (your employer, spouse, parent, friend or enemy) is spying after you chances are that they installed one of the commercial keyloggers.

There is very little chance that they were able to find a malware soft built by hackers to infect your system because the malware will be sending your information to the hacker, not your personal enemy.

If you are looking to find if commercial keyloggers have been installed on your Mac, there are three ways to find: using Activity Monitor, checking default key combinations and checking the list of application with Full Disk Access.

Using Activity Monitor

Activity Monitor is still a good way to quickly find applications as long as you know their names:

Perfect Keylogger appears as DashboardClient in the monitor
Spyrix as skm
Look for ‘coreservicesd’ to find Aobo
Check for ‘Elite Keylogger’ when searching Elite Keylogger. However, the version I installed was free and it did not hide, so I don’t know how the process name will change for someone who buys a product.
And finally, ‘Refog’ appears as ‘syslogd’

Using default key combinations

All keyloggers have secret key combinations which will bring them from the place they are hiding to the screen. After all, if you can get to the data collected by a keylogger it is pretty much useless.

Default key combinations for keyloggers are:

But, what if whoever was installing the spyware was smart enough to change the default key combination. Then you won’t be able to find keyloggers by a key combination.

Check which applications have Full Disk Access

In order to do their job, most keyloggers must have full access to the disk or accessibility option.

Go to System Preferences -> Security and Privacy, click on the Privacy tab and check two sections: Accessibility and Full Disk Access.

Here how it may look like on your Mac if the app was installed:

How to Detect Malware Keystroke Loggers on Mac?

If you think that your Mac was infected by a keylogger when you’ve been browsing the internet or opened an email then steps above will not help because hackers do not use commercial keyloggers as malware.

How To Detect A Hacker On Mac Pc

You can still try to open the Activity Monitor, go over each process in it and search Google for the process name. This way, you can at least eliminate the good applications from the keyloggers (note, however, a good process can still be infected with a malware which installs a keylogger on Mac).

For instance, if you don’t know what “cloudd” process is on Mac then Google following:
cloudd mac

The first response will say something like “This process is part of macOS and is related to iCloud”. So now you can move to the next process in the list.

Another option is to install Malwarebytes, MacScan, Intego Mac Internet Security or another antivirus and antimalware application. Some people suggested ReiKey for keystroke logger detection, but last time I checked the code was not updated for more than 8 months, which means is not being actively maintained.

And finally, the best way to get rid off a malware is remove the macOS and reinstall everything from scratch.

Other resources:

If you still feel that you are being watched then:

buy a webcam cover: recommended webcam covers for MacBooks
check my other article:How to Tell if Someone is Remotely Accessing Your Mac

Topics:

Image Credit: Flikr