Intego Mac Security Podcast

Snake Malware, Lockdown Mode, and Apple App Subscriptions – Intego Mac Podcast Episode 291


The FBI has shut down servers for Snake malware, which we wrote about back in 2017. Apple’s lockdown mode has been found to prevent some serious malware attacks. And Apple is testing the water with app subscriptions for two of its pro apps on the iPad.


Transcript of Intego Mac Podcast episode 291

Voice Over 0:00
This is the Intego Mac Podcast–the voice of Mac security–for Thursday, May 11 2023.

This week’s Intego Mac Podcast security headlines include: an update on the iPhone’s Lockdown Mode. It works. Apple’s Safari desktop browser moves up on the most-used browser list, and as a result becomes a bigger target for hackers. A lower priced iPhone SE may become available, but it may not be worth the discount. And Final Cut Pro and Logic Pro are both coming to the iPad, along with a new subscription pricing model. What may app subscription pricing mean for Apple software going forward? Now, here are the hosts of the Intego Mac Podcast, veteran Mac journalist Kirk McElhearn and Intego’s Chief Security Analyst, Josh Long.

Kirk McElhearn 0:54
Good morning, Josh, how are you today?

Josh Long 0:56
I’m doing well. How are you, Kirk?

What is Snake malware?

Kirk McElhearn 0:58
I’m doing pretty well. I was talking to someone about a really classic movie the other day, “Snakes on a Plane”. Remember that one with Samuel L. Jackson? And it’s kind of interesting, because in a recent episode of “Succession”, I’m not giving any spoilers, but there are a bunch of people on a plane going to negotiate a deal. And one of the characters said, “We’re snakes on a plane, aren’t we?” And I was just reminded of this today because we are going to talk about snakes. Tell us about Snake, Josh.

Josh Long 1:24
So there’s some malware that’s been around for a long time. It’s often called “Snake”, sometimes it’s called “Turla”, or there are a whole bunch of different names that it’s had. Snake is how we’ll refer to it. The US Cyber Command put out a tweet linking to an article. You can find this on cybercom.mil. We’ll have, of course, all the links in the show notes. The whole idea is that there’s this Russian intelligence operation that has been around for a long time. In fact, we wrote about the first Mac variants of this way back in 2017. We had an article on the Intego Mac Security Blog called “Snake Malware Ported from Windows to Mac.”

Kirk McElhearn 2:07
And Snake malware was installed on Macs when people launched one of those fake Adobe Flash Player updaters, which we used to see all the time back in the day.

Josh Long 2:15
That’s right. And so there are a couple of samples of this malware from back then, 2016, 2017. And there haven’t been a lot of samples, at least identified, more recently than that on the Mac specifically. Now of course, this is multi-platform malware. And what’s kind of interesting is US Cyber Command talks about the FBI’s involvement and how they developed this software called Perseus. Our producer Doug pointed out that it’s kind of interesting that this software that the FBI developed, called Perseus, is designed to take down snakes, and you know Perseus slew the Gorgon, which had snake hair, right. So obviously, they have some clever people who are interested in mythology working for the FBI. But the whole idea behind this is that they were able to take down this Snake malware. They wrote software that would identify that a system had Snake on it, and then issue it commands to kill the malware, to force it to remove itself from that system, or neutralize itself rather. And so it’s kind of interesting, because, you know, just like how you slay the Gorgon by using a mirror, that kind of a thing. So it killed itself.

Kirk McElhearn 3:35
They had the malware commit suicide. (Yeah, yeah.) It’s a bit sad, but I guess all malware in the end has to be eradicated. (And the fact that this is Russian malware.) Yeah. Okay, this is Russian malware. So it’s evil stuff. But all malware has to be removed in the end. I’m going to link to an article from CISA, the US Cybersecurity and Infrastructure Security Agency, called “Hunting Russian Intelligence ‘Snake’ Malware”. It reads like a thriller. It’s a fascinating story.

Josh Long 4:04
Although this has been on Mac, at least as far as we know, right now there haven’t been a lot of recent Snake malware variants on the Mac. But this is something that researchers are already starting to look into, to dig around a little bit and see if we can find: were there ever any other evolutions of Snake malware that somehow evaded detection? If we do come across anything like that, we’ll be sure to let you know.

Can Apple’s Lockdown Mode protect you from spyware?

Kirk McElhearn 4:27
Okay, we want to talk a bit about iPhone malware. And we’ve got a couple of stories that are a few weeks old. Let’s start with how Apple’s Lockdown Mode blocked some NSO spyware, right?

Josh Long 4:38
Yeah, this is interesting to me because, as a user of Lockdown Mode on my iPhone, which, by the way, annoys people, especially my wife, pretty often, because she’ll try to send me things via iMessage and then I tell her, yeah, I can’t see that on my iPhone. And she’s like, well, just turn off Lockdown Mode. I’m like, but I don’t want to turn off Lockdown Mode. Lockdown Mode actually has helped to block NSO spyware, this nation state level spyware that has been able to break into iPhones and Android phones, and uses all sorts of really sophisticated techniques in some cases. So we actually, finally, were able to identify a situation where somebody tried to hack an iPhone, and it was blocked by this Lockdown Mode that Apple has available for iPhone as well as Mac. So this is a good thing. It’s nice to know that it does work at least some of the time.

Kirk McElhearn 5:39
So you can tell your wife that you have a valid reason to keep Lockdown Mode on.

Josh Long 5:43
Exactly, yeah. Now, you know, Lockdown Mode is a pain. We’ve talked about it before on the show. Every single time that you update iOS, you get all these prompts all over again, every time you go into any app that ever loads any web content. So you get a dialog box that says Lockdown Mode is turned on for the name of this app, certain experiences and features may not function as expected, you can turn off Lockdown Mode for this app in Settings. Of course, you don’t really want to turn off Lockdown Mode for things like the Apple Messages app, because it’s kind of important. Like, that’s where you’re likely to get a lot of these types of things that can be a big problem for you. So if you do have specific apps that you want to exclude, you can do that. But just, you know, be aware that you’re potentially exposing yourself if you do that.

Kirk McElhearn 6:31
We’re going to link to an article in TechCrunch, which talks about several exploits. And what’s interesting is that one of them exploited the iPhone’s Find My feature. And so the Find My feature is always broadcasting your location. And if there’s a vulnerability that lets your location be found, that has nothing to do with how the exploits targeted Find My. One of the vulnerabilities exploited the Find My feature, another one was involved with Find My and iMessage, and another one was with HomeKit and iMessage. And I don’t know how these all linked together, but Find My and HomeKit use your location. So maybe that’s one way that they were able to get information about people that they were trying to find.

Josh Long 7:11
Right, the kind of thing that would usually happen through Messages. There are lots of different types of things that are blocked, but especially attachments, right, that’s the main thing. It doesn’t show you previews of articles that are sent to you. It doesn’t display a variety of different kinds of attachments, because those are methods that have been used in the past by spyware like this to infect your device and to get information that it shouldn’t be able to get out of your device.

Zero-click exploits take advantage of vulnerabilities to execute malicious code.

Kirk McElhearn 7:40
Okay, we’ve got another story about a little known Israeli mercenary spyware provider called QuaDream. They have created zero-click exploits for iPhones. Now we’ve talked about zero-click exploits many times. What often happens with a zero-click exploit is, if you send a URL to someone in Messages, it can try and display a preview. If you send a photo through Messages, the iPhone has to actually read the photo to display it. And there can be vulnerabilities that allow code to be executed when these processes happen. So zero-click exploits are the most dangerous, because it’s never the fault of the user. It’s just that they’ve received something, often in Messages, perhaps an email, something that is turned off with Lockdown Mode.

Josh Long 8:24
Right. And WhatsApp also has been used to send these types of messages before, these zero-click exploit messages. We actually talked about NSO Group years ago on the blog. This QuaDream company is very similar to the NSO Group. They have similar spyware that can infect mobile devices. And they use a lot of the same techniques as the NSO Group. There are other companies out there as well that do this; there was an Italian company that was in the news recently that also had very similar technology. A lot of it is nation state threat actors, right. If they want to be able to spy on somebody that they think may, you know, be a terrorist or be a threat to their government’s stability or something like that, then very often these law enforcement agencies or government actors will go to a company like this and say, hey, we need your software to break into whatever devices we need to for national security reasons, right?

Kirk McElhearn 9:26
It’s always national security reasons. Even if it’s an activist or the head of the opposition party, it’s still national security reasons.

Josh Long 9:33
Well, that’s exactly the problem, because this software has been used against journalists, it has been used for opposition research, like you’re saying. It’s not always used for legitimate purposes. And that’s the danger of having this kind of software out there. Really, if you’re talking about nation state level attackers, they’re going to have the resources. They can spend all the money in the world, and print their own money, and hire people who are able to find really sophisticated exploits for vulnerabilities that nobody even has discovered yet.

Kirk McElhearn 10:05
Why are they finding more and more of these? Do they have new techniques to try to attack the operating system to find these weaknesses?

Josh Long 10:14
Well, there have been a lot of methodologies for finding vulnerabilities over the years. One thing that was really popular maybe a decade ago was fuzzing. PDF fuzzing is one thing that people were experimenting with a lot, I remember. They were creating these documents that were written in such a way that if they were interpreted in a certain way, it could potentially cause buffer overflows, and allow for malicious code to be executed on the host system. There are a lot of techniques like fuzzing, and there’s a lot of other things, a lot of other ways that vulnerabilities can be discovered. Like we were just talking about last week, it’s even possible now to use ChatGPT: you give it some code and say, hey, find a vulnerability in here for me. So there’s always new ways of trying to find vulnerabilities. But the thing is, with a really sophisticated threat actor, they’re going to know all the ins and outs of the operating system that is being targeted. And some of these people are literally geniuses. And unfortunately, their powers are being used for evil and not good.

Kirk McElhearn 11:20
They’ve gone over to the dark side. Well, can’t you imagine that Apple, with all the money they have, has just as many geniuses who are staying on the white side, and that they have a red team that’s attacking their operating systems to try and find these?

Josh Long 11:33
One would hope so. I know that Apple has hired a lot of security researchers over the past several years. So I’m sure that they are doing a lot of things internally. I have noticed that Apple doesn’t always credit outside organizations, you know, in their Apple security updates, a full list of details of all the vulnerabilities and all the CVE numbers that they’ve assigned to all these different vulnerabilities that have been patched in each operating system version. Sometimes Apple actually credits itself, which is kind of funny, because that means apparently they have an internal team who is able to find some of these vulnerabilities as well.

Kirk McElhearn 12:11
If they find a vulnerability in their own operating system, do they need to publish information about it? Do they need to make it public?

Josh Long 12:18
I mean, I suppose they don’t necessarily need to. But it’s kind of useful to know. Let’s say, for example, that you are an IT manager, and you’ve got six, seven year old computers, and they can’t be upgraded to the latest operating system, and you need to convince your boss: we need to find a way to afford to buy some new computers, because we cannot keep running these old operating systems, because we know they’re vulnerable.

Kirk McElhearn 12:45
So Apple does it for the marketing.

Josh Long 12:49
Maybe. It’s probably not for that, but it does have some nice side benefits of maybe encouraging people to upgrade to a newer operating system, if they’re actually paying attention to all the security stuff in the first place.

Kirk McElhearn 13:00
Okay, we’re gonna take a break. When we come back, we’re going to talk about Safari, we’re going to talk about selling an older iPhone cut rate, whether it will be safe or not, and Apple’s new subscription apps.

Voice Over 13:13
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection; NetBarrier, powerful inbound and outbound firewall security; Personal Backup, to keep your important files safe from ransomware; and much more to help protect, secure, and organize your Mac. Best of all, it’s compatible with macOS Ventura and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com, and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego, world-class protection and utility software for Mac users, made by the Mac security experts.

Where does Apple Safari desktop browser rank in usage?

Kirk McElhearn 14:29
I live in the UK, and they like to talk about league tables about who’s in the lead in market share, and who’s got the best schools, and who’s got the best health care system. We have companies that give us this information about web browser usage. And Google’s Chrome is still in the lead, with about two thirds of people using Google Chrome, which is quite stunning, actually. Safari has gotten ahead of Edge with 11.87%; Edge has 11%; Firefox a little over five and a half; Opera 3%; IE, does that still exist? About a half a percent. It’s interesting that Safari has, can I say, Edge’d ahead of Edge, and is now the second most widely used desktop browser. This is just on the desktop. This isn’t on mobile. And while this isn’t such a big deal, just to think through, Safari is better than Edge. What it does mean is that as Safari gains more market share, it makes it more attractive for people designing malware.

Josh Long 15:21
I think what’s really interesting about this story is that, well, there’s a couple of really interesting things. One is that evidently, Windows users, as soon as they get their PCs, immediately just use Edge to download Chrome, right? This is still a thing that’s happening today. They don’t even realize that Edge is basically Chrome, but with extra Microsoft stuff in it and Google stuff removed from it, right. But it’s basically Chrome. And it’s kind of hilarious to me that Edge is so low, which means that almost everybody who uses Windows is just switching to Chrome immediately.

Kirk McElhearn 15:55
But if they’re in the Google ecosystem, and they’re using Google features, Google Docs and Sheets and all that, then maybe they’re more tempted to use Chrome than Edge.

Josh Long 16:03
Could be. And again, if people don’t realize that Edge can do all those things that Chrome can do, then I guess I understand why they’re switching to Chrome. But in any case, a couple of other things that are interesting here: it probably also means that a good portion of Mac users just use the default browser, they’re using Safari. So while Windows users are switching away from the browser that comes with their operating system, Mac users have a tendency to just stick with Safari, because remember, there’s no Safari on Windows, there’s no Safari on Linux, it doesn’t exist on anything except for the Mac. There once upon a time was a version of Safari for Windows, but it has long since been discontinued. And if you’re still using it, well, it’s got some pretty major vulnerabilities at this point, and probably also doesn’t render web pages very well at all. But it’s interesting what you say, that because Safari is the number two desktop browser now, maybe it will be a more enticing target for the bad guys to want to go after. Right? Because Chrome is number one, Safari is number two. So maybe we should think more about targeting Safari.

Will Apple ever sell a version of the iPhone SE for $199?

Kirk McElhearn 17:10
Okay, we have a story that was published in 9to5Mac a couple of days ago. And as soon as I saw it, I emailed Josh saying, oh, you’re not going to be happy about this. The journalist is suggesting that Apple sell an older iPhone SE for $199 in emerging markets, saying this would be a smart move. Now, we have often discussed how buying an older device is actually not a smart move, because it won’t get security updates for a long time. And Josh has talked about this on the podcast, written articles, done talks at security conferences. What’s funny is that the article also talks about the $199 Apple Watch Series 3, which Apple retained on sale “well beyond the point at which it made sense to buy one”, and I quote the article. And of course, Apple was still selling this even after they announced that it would not get updated to watchOS 9. I can understand a low priced phone for emerging markets. But if it’s a low priced phone that’s three years old, it’s only got a couple years of security updates. That’s irresponsible.

Josh Long 18:09
There’s a couple of different takes on this. So Mark Gurman, who is cited by the author of this 9to5Mac article, he points to Mark Gurman and says Mark Gurman has been saying we should have a $199 iPhone for emerging markets. But specifically, I checked what Mark Gurman actually said, and he said once the fourth generation iPhone SE comes out, whatever that might be, then they should make the third generation, which just came out last year, 2022, they should make that the $200 phone for emerging markets. The 9to5Mac article kind of took it in a different direction, in that Ben Lovejoy, who wrote that article, is implying that maybe Apple should just be doing this right now. Here’s the problem with that: like Kirk was saying, the previous model iPhone SE right now is three years old. That would be the second generation, which came out in 2020. And, you know, price wise, people were completely roasting Ben Lovejoy in the comments on this article, by the way, but it actually is plausible that Apple could sell an iPhone SE second generation for that $200 price range. If you go on eBay right now, you can find that model selling in an unopened box for $220, $230. So it’s absolutely possible that Apple could be doing this and not really be losing any money on it. Because of course, people are going to buy apps, they’re going to, you know, do in-app purchases and get subscriptions and all that. And Apple makes revenue from all of that, not to mention all of Apple’s other services. But the problem again is that this is already a three year old phone, and assuming that Apple is on a roughly five year cycle from the initial release of that hardware, you’re putting people in kind of a precarious situation, because you’re assuming the reason they’re going for the $200 model is because they can’t afford to buy something that’s much more expensive than that. And so is it such a great idea to be giving people like a two year lifespan on this iPhone, because they may not really be able to afford to buy a new phone every couple of years? So this is kind of problematic, right? If Apple were to just do this today, with the previous model iPhone SE, I don’t think that would be such a great idea.

Kirk McElhearn 20:29
I’m not convinced that a $200 iPhone would get people to buy a lot of Apple services, because the vast majority of people don’t buy apps, don’t subscribe to anything. If they can’t afford a more expensive iPhone, they probably can’t afford a subscription to anything, or Apple Music or anything. You can get a pretty good Android phone for $200 or equivalent in various countries. You can even get, over here, for 100 pounds, a decent Android phone that’s going to have three or five years of security updates. So I don’t honestly see this happening. I don’t see Apple wanting to get into the low end market. It’s not something they’ve ever really tried. Or when they have tried, it’s never worked out. So we can think about this for a while. But I don’t think it’s going to happen.

Josh Long 21:11
The biggest advantage for Apple probably is just getting people in the Apple ecosystem, so that they’re more likely to buy future Apple devices. And again, sure, potentially buy services and all those other things too.

Apple’s Final Cut Pro and Logic Pro apps will run on iPads and debut subscription pricing model.

Kirk McElhearn 21:23
Yeah, but if you can’t afford to buy an iPhone, you’re not going to pay a lot of money for services anyway. Speaking of money for services, Apple has announced two new apps, Final Cut Pro and Logic Pro, for the iPad. Now Final Cut Pro is a video editing app. Extremely powerful. The word Pro here is serious. It’s not like an iPhone Pro. This is a pro app. I think Final Cut Pro costs three or $400. Logic Pro costs $200 on the Mac. Bringing these to the iPad is interesting. And there are two reasons why: one is that they’ve rebuilt these apps a bit to use multi-touch, to use the Pencil. The other is these are Apple’s first subscription apps. They will each be $5 a month or $50 a year. Apple has never done this. Now before the show we were talking about the many things that we have paid for from Apple. When iLife was first released, I think it was $20. But you were paying for the box and the CD and all of that. We used to pay for Mac OS. Do you remember? I think it was Mac OS Lion was the first time it was free. The previous year it was $20. And this was after the inauguration of the Mac App Store. Before that it was in boxes. It was expensive. I remember paying, I don’t know, $100, $150. It was pretty steep. So it’s really surprising that Apple is taking pro apps and charging a subscription. Could this be the direction that Apple is going with other apps? Could we see the company developing other apps? There are no apps currently that Apple charges for.

Josh Long 22:48
That is kind of interesting. But another aspect of this that a lot of people are commenting on is that, you know, Apple’s taking Mac apps, apps that have only been available for Mac, and now making them available for the iPad, which is another thing that, you know, historically, Apple generally doesn’t care too much about self-cannibalization, right. If they can make a better experience cross platform between Mac, iPad, iPhone, they’re happy to do that. And they don’t mind that you’re now getting a subscription to use this app on an iPad, as opposed to just, you know, buying this outright on the Mac. It may actually benefit Apple in the long run, because if people look at this and say, oh, well, that’s a little bit more affordable, maybe that would actually make sense for me. In the long run, Apple might be making more money off of this, potentially.

Kirk McElhearn 23:38
And as our producer Doug has said, he wants a big screen, he wouldn’t work on an iPad. So let’s say you’re used to using Final Cut or Logic Pro on an iPad, you realize, well, what if I had a 27 inch iMac? I’d see even more.

Josh Long 23:51
Yeah, so maybe, instead of being something where they’re cannibalizing Mac sales, maybe it’s actually encouraging Mac sales, because they get people addicted to this technology on the iPad and then go, you know, this would be really nice on a bigger display, maybe I should get a Mac.

Kirk McElhearn 24:07
On the other hand, these are not very popular apps. These are pro apps; the people that use them are serious video editors, or they are serious audio editors. Now, our producer uses Logic Pro to edit these podcasts. I use Logic Pro to edit my podcast as well, because it’s more flexible than GarageBand and other solutions. But I paid $200 for Logic Pro. It’s the most expensive software I’ve bought in I can’t remember how long. You save time. Time is money. So for me it was worth doing. I don’t see a lot of people adopting these apps, but I don’t know, there is a whole new generation of people who did not grow up with keyboards, who are used to mobile devices, who are, as they say, content creators, which is the polite way of saying they make videos for YouTube, and who have things to make. And Logic Pro is going to have a whole new sound library to actually compose music on the app, which you can already do on the Mac, but maybe doing it with touch, and with the Pencil, it’s a different thing.

Josh Long 25:06
Yeah, and Final Cut Pro, for people who produce video content, this could be a real game changer, again, for people who really like the iPad, who are really comfortable doing things on a mobile device rather than on a Mac. So this is way better than iMovie; there’s a night and day difference in terms of the capabilities of those apps. And so for somebody who’s looking to get much more advanced than iMovie currently can give you on the iPad, Final Cut Pro could be a really big thing for a lot of video content creators.

Kirk McElhearn 25:40
Now, these apps will only work on iPads running the M1 or later, which I believe is all the iPad Pros, and I think the latest iPad Air. But I also saw that the latest iPad mini will be able to run them, which, I can understand doing this on an 11 inch iPad, but on the little iPad mini that’s really compressed.

Josh Long 25:59
Yeah, I don’t think that would be such a great experience. Apple says that the current model of iPad mini is 8.3 inches diagonal. So I don’t know, that seems way too small for me for editing videos.

Kirk McElhearn 26:10
It remains to be seen if Apple is going to start charging a subscription price for these apps on the Mac. Because if you bought these apps 10 years ago, you’ve gotten 10 years of upgrades and Apple has never made you pay. Maybe it’s about time for Apple to change that model. I would kind of like it if they said, if you own these apps on the Mac, you get them for free on the iPad. Or if you subscribe on the iPad, you also could subscribe on the Mac. That would be kind of interesting. Not sure they’re going to do this. We’ll find out. They’re released on May 23, which incidentally is just about two weeks before the next Worldwide Developers Conference. And I’m going to bet you $1 that there are going to be new iPads announced at the Worldwide Developers Conference, and that they’re going to be showing off these new apps.

Josh Long 26:53
I think it makes sense for Apple to do that for sure. Yeah. Okay.

Kirk McElhearn 26:57
That’s enough for this week. Until next week, Josh, stay secure.

Josh Long 26:59
All right, stay secure.

Voice Over 27:03
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.


About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn.