When Apps Go Rogue

Interesting story of an Apple Macintosh app that went rogue. Basically, it was a good app until one particular update…when it went bad.

With more official macOS features added in 2021 that enabled the “Night Shift” dark mode, the NightOwl app was left forlorn and forgotten on many older Macs. Few of those supposed tens of thousands of users likely noticed when the app they ran in the background of their older Macs was bought by another company, nor when earlier this year that company silently updated the dark mode app so that it hijacked their machines in order to send their IP data through a server network of affected computers, AKA a botnet.

This is not an unusual story. Sometimes the apps are sold. Sometimes they’re orphaned, and then taken over by someone else.

Posted on August 30, 2023 at 9:39 AM • 14 Comments

Comments

Morley August 30, 2023 10:49 AM

I guess I’m more at risk from lack of updates. I suppose an independent 3rd party could certify updates.

Beatrix Willius August 30, 2023 11:01 AM

Did Apple terminate the developer account? Don’t they have the power to kill an app outright?

Mexaly August 30, 2023 12:58 PM

This is why I hate hardware that demands that I open an internet account.

Don’t ask me for my PII so I can use a switch.

y_flores August 30, 2023 1:00 PM

@ Beatrix Willius,

Don’t [Apple] have the power to kill an app outright?

They did kill it, on their app store, after mistakenly approving it. But MacOS users don’t have to use the app store, and developers who aren’t using the app store don’t need accounts. I think that’s also the only way the “orphaned, and then taken over by someone else” trick could work. For iOS or Android, the new developer would presumably not have the necessary signing key (buying it would still work; the bad app or its developer account could be disabled by Apple or Google, but attackers effectively get infinite tries—do it under a new name, maybe pay a patsy if necessary).

@ Morley,

I suppose an independent 3rd party could certify updates.

That’s kind of what a free software distribution like Debian is. And something Apple says they do for everything in their app store.

Ted August 30, 2023 1:33 PM

Spooky.

From web developer Taylor Robinson’s technical write-up:

… it forwards HTTP traffic down to you, which gets proxied out of your internet connection… It also tries to open a UPnP port forward on your router…

Of course, there’s more.

Apps need a continuously updated security label – like the one being implemented for IoT devices.

https://robins.one/notes/uninstall-the-nightowl-app-now.html
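The write-up quoted above says the trojanised app tries to open a UPnP port forward on the router. A defender can check for that from the inside by asking the router's UPnP IGD service to list its current mappings and comparing them against the ones they actually created. The script below is an added example, not code from the original post, from NightOwl, or from the linked write-up; the router control URL (ROUTER_CONTROL_URL), the EXPECTED set, and the canned responses are all constructed for the example, and a real router's control URL has to be read from its device description XML.

```python
"""Enumerate a router's UPnP IGD port mappings and flag any that were not expected.

Added example (not from the original post, NightOwl, or the linked write-up).
Assumptions, labelled here: ROUTER_CONTROL_URL, the sample responses and the
EXPECTED set are constructed; real routers publish their control URL in the
device description XML found via SSDP.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
ROUTER_CONTROL_URL = "http://192.168.1.1:5000/ctl/IPConn"  # assumption: varies per router

FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")


def build_request(index):
    """Return (headers, body) for one GetGenericPortMappingEntry SOAP call."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:{ACTION} xmlns:u="{SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        f'</u:{ACTION}></s:Body></s:Envelope>'
    ).encode()
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{SERVICE}#{ACTION}"'}
    return headers, body


def parse_response(xml_bytes):
    """Return the mapping fields of one response, or None on a SOAP fault.

    The IGD answers with fault 713 (SpecifiedArrayIndexInvalid) once the index
    runs past the end of the mapping table, which is how enumeration stops.
    """
    root = ET.fromstring(xml_bytes)
    if any(el.tag.endswith("}Fault") for el in root.iter()):
        return None
    # The New* children are unqualified elements, so the tag is the bare name.
    return {el.tag: (el.text or "").strip() for el in root.iter() if el.tag in FIELDS}


def enumerate_mappings(post):
    """Walk indexes 0, 1, 2, ... until the router faults; `post(headers, body) -> bytes`
    is injected so the same loop runs against a real router or canned responses."""
    mappings, index = [], 0
    while True:
        entry = parse_response(post(*build_request(index)))
        if entry is None:
            return mappings
        mappings.append(entry)
        index += 1


def http_post(headers, body, url=ROUTER_CONTROL_URL):
    """Real transport. A fault comes back as HTTP 500, whose body still carries the SOAP Fault."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read()
    except urllib.error.HTTPError as e:
        return e.read()


def unexpected_mappings(mappings, expected):
    """Return mappings whose (protocol, external port, internal client) is not in `expected`."""
    return [m for m in mappings
            if (m["NewProtocol"], int(m["NewExternalPort"]), m["NewInternalClient"])
            not in expected]


# --- constructed sample data so the example runs offline -------------------
def _resp(fields):
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in fields.items())
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:{ACTION}Response xmlns:u="{SERVICE}">{inner}</u:{ACTION}Response>'
            f'</s:Body></s:Envelope>').encode()


SAMPLE_FAULT = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
                b'<s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
                b'<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
                b'<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid'
                b'</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>')

SAMPLE_RESPONSES = [  # constructed: one mapping the owner made, one nobody remembers making
    _resp({"NewRemoteHost": "", "NewExternalPort": "443", "NewProtocol": "TCP",
           "NewInternalPort": "443", "NewInternalClient": "192.168.1.10", "NewEnabled": "1",
           "NewPortMappingDescription": "home web server", "NewLeaseDuration": "0"}),
    _resp({"NewRemoteHost": "", "NewExternalPort": "51777", "NewProtocol": "TCP",
           "NewInternalPort": "51777", "NewInternalClient": "192.168.1.23", "NewEnabled": "1",
           "NewPortMappingDescription": "", "NewLeaseDuration": "0"}),
    SAMPLE_FAULT,
]


def canned_post(headers, body):
    """Offline stand-in for http_post: answer by the index carried in the request body."""
    idx = int(body.decode().split("<NewPortMappingIndex>")[1].split("<")[0])
    return SAMPLE_RESPONSES[min(idx, len(SAMPLE_RESPONSES) - 1)]


EXPECTED = {("TCP", 443, "192.168.1.10")}  # constructed: the mappings the owner created

if __name__ == "__main__":
    for m in unexpected_mappings(enumerate_mappings(canned_post), EXPECTED):
        print("unexpected mapping:", m["NewProtocol"], m["NewExternalPort"],
              "->", m["NewInternalClient"], repr(m["NewPortMappingDescription"]))
```

Against a real router, pass `http_post` instead of `canned_post`. An empty description on a high numbered mapping pointing at a desktop is exactly the kind of entry worth chasing back to the process that created it; the mapping can then be deleted with the IGD's DeletePortMapping action, and UPnP itself can be disabled on the router if nothing legitimate needs it.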

Clive Robinson August 30, 2023 1:35 PM

@ y_flores, ALL,

Re : You can not stop what you do not see.

“And something Apple says they do for everything in their app store.”

Only we know two things,

1, Apple take about 30% of the value.
2, Apple repeatedly fail to detect malware in that walled garden of theirs.

Now back a long time ago when “code signing” was newish I’d thought through how I would go about attacking it. At every stage I found vulnerabilities and most but by no means all have since been used.

As far as I’m aware my conversations on why “code signing” was a bad idea with @NickP are as far as I’m aware still up on this site, so you can go back and check.

Apart from over-zealous corporate profits, walled gardens offer the developer nothing and the user not much more.

If we as an industry had actually thought about things in the last decade and a half, maybe we would have come up with a better solution.

But the mega corps of Silicon Valley actually do not want a better solution. To them “code signing” saves them billions and makes billions as well because now they can just get you to “download” not just apps but patches, as well as effectively pushing auto-upgrades that many find undesirable (the recent Win 11 fail being just the latest). Then there is that near a third probably illegal profit they make as well…

But as was seen with the FTDI USB to Serial chip driver update, many can have their working systems bricked by other people via auto-updates. And more recently the string of “supply chain” attacks have not helped improve confidence, in fact the very opposite.

We need better, but we’ve been encouraged not to think how to go about it…

Q August 30, 2023 9:37 PM

The real solution is to deny network privileges to everything by default. Then selectively enable access for programs that actually need it. You might be surprised how few programs truly need network access. My current allow list is only three items long. This browser and the DNS and NTP services. That is all.

A night mode program doesn’t need network access. And it won’t need “security” updates if it doesn’t have network access.

The idea of allowing any and all programs to have unrestricted network access by default is terrible. That is the real security risk here.
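The comment above describes an egress allow list of three entries: the browser, DNS and NTP. Before a host can be locked down that way, it helps to see which processes currently hold network sockets at all. The script below is an added example, not code from the original post or from any project it mentions: it parses `lsof -i -n -P` style output and reports every process with a socket that is not on the allow list, so a background “night mode” app holding a listening port and an outbound connection shows up immediately. The sample output, the process names and the addresses are constructed for the example; the allow list names (Safari, mDNSResponder, timed) are assumptions standing in for whichever browser, resolver and time daemon a given Mac uses.

```python
"""Report processes holding network sockets that are not on an egress allow list.

Added example (not from the original post). Assumptions, labelled here: the
allow list entries and the sample `lsof -i -n -P` output are constructed.
"""
from collections import defaultdict

# Assumption: one browser, the DNS resolver and the NTP daemon, mirroring the
# three-entry allow list described in the comment. Names vary per system.
ALLOWED = {"Safari", "mDNSResponder", "timed"}

# Constructed sample in the layout of `lsof -i -n -P`. Note lsof truncates the
# COMMAND column to nine characters by default (use `lsof +c 0` for full names).
SAMPLE_LSOF = """\
COMMAND     PID USER           FD   TYPE DEVICE SIZE/OFF NODE NAME
mDNSRespo   312 _mdnsresponder  8u  IPv4 0x1a2b      0t0  UDP *:5353
timed       411 _timed          4u  IPv4 0x1a2c      0t0  UDP *:123
Safari     2201 alice          37u  IPv4 0x1a2d      0t0  TCP 192.168.1.23:51002->198.51.100.5:443 (ESTABLISHED)
NightOwl   1987 alice          12u  IPv4 0x1a2e      0t0  TCP 192.168.1.23:51777 (LISTEN)
NightOwl   1987 alice          13u  IPv4 0x1a2f      0t0  TCP 192.168.1.23:51800->203.0.113.7:443 (ESTABLISHED)
"""


def parse_lsof(text):
    """Parse lsof -i output into one dict per socket. Skips the header and malformed lines."""
    conns = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split()
        if len(parts) < 9:
            continue
        local, _, remote = parts[8].partition("->")
        conns.append({
            "command": parts[0],
            "pid": int(parts[1]),
            "user": parts[2],
            "proto": parts[7],                       # TCP or UDP
            "local": local,
            "remote": remote,                        # empty for listeners and UDP binds
            "state": parts[9].strip("()") if len(parts) > 9 else "",
        })
    return conns


def is_allowed(command, allowed=ALLOWED):
    """Match a possibly truncated lsof command name against the allow list."""
    return any(name == command or name.startswith(command) for name in allowed)


def flag_unexpected(conns, allowed=ALLOWED):
    """Group sockets by process for every process not on the allow list."""
    flagged = defaultdict(list)
    for c in conns:
        if not is_allowed(c["command"], allowed):
            flagged[c["command"]].append(c)
    return dict(flagged)


def describe(conn):
    """One-line summary: listening sockets and outbound connections read differently."""
    if conn["state"] == "LISTEN":
        return f'pid {conn["pid"]} LISTENING on {conn["local"]} ({conn["proto"]})'
    if conn["remote"]:
        return f'pid {conn["pid"]} {conn["local"]} -> {conn["remote"]} {conn["state"]}'.rstrip()
    return f'pid {conn["pid"]} bound to {conn["local"]} ({conn["proto"]})'


if __name__ == "__main__":
    for command, sockets in flag_unexpected(parse_lsof(SAMPLE_LSOF)).items():
        print(f"{command}: not on allow list")
        for s in sockets:
            print("   ", describe(s))
```

On a live machine, replace `SAMPLE_LSOF` with the output of `subprocess.run(["lsof", "-i", "-n", "-P"], capture_output=True, text=True).stdout` (lsof may need root to see other users' processes). The point of the report is the gap between what the allow list permits and what is actually talking: anything listed is either a candidate for the allow list, or a candidate for being blocked, and a dark-mode utility with a listening port belongs firmly in the second group.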

Clive Robinson August 30, 2023 10:33 PM

@ Q, ALL,

“A night mode program doesn’t need network access. And it won’t need “security” updates if it doesn’t have network access.”

Not quite true, you should say,

“if the system doesn’t have network access.”

If the system has network access through the OS then the entire system and all that’s on it is still vulnerable, as you can “end run” any security measures at or below the OS level.

People tend to forget that if you have an application on your system and if an attacker can get even quite limited access to the system communications –say via MITM– then the attacker can in both theory and practice replace the application with a vulnerable version.

It has been done in the past yet people appear to have not “learnt from the past” something the ICTsec industry suffers badly from.

I’ll leave it to others to decide if it’s down to,

1, Poor Education
2, Collective Amnesia
3, Cognitive bias

But the simple fact is that “communications hole” is still open in one way or another.

In the past I’ve demonstrated how to “modify a driver” this way as part of what we used to call a “shim attack” but would now call it a “supply chain attack”. The name or specific method really do not matter, what we have to know is,

1, The existing app can be replaced.
2, It can obviate code signing.
3, The user probably won’t notice.
4, It requires some level of communications.

All we really need to know here is that there are several ways in which it can be done, but ONLY with “communications” of some kind.

So you need to “kill communications” by hard “segregation” unless you absolutely must have some communications. In which case I would recommend a “sacrificial communications end point” approach using two separate devices as I have talked about in the past.

modem phonemes September 2, 2023 3:31 PM

Why look for and install the garbage “apps” from the app store ? At least write your own stuff using Python or such, which Apple provides support for. It’s not much harder than writing an essay. You’ll be a much more thoughtful user.

The only thing that has a chance of having a reason to exist as an external offering is fundamental technology that requires substantial domain expertise.

Savita September 22, 2023 10:42 PM

An app that was good until it went bad

This is exactly like the AI synthetic David 8 played by Michael Fassbender in the movies Alien: Prometheus and Alien: Covenant. That synthetic was evil incarnate. Still is.
