Q&A: Finding a snooper

Q A friend of mine is worried that their partner is suspicious of them, and has asked me to look at their iMac to see if there was any software snooping on them. What sort of thing should I be looking for?

A Unlike Windows, Mac OS X has essentially no true spyware, but anyone who runs Windows under Boot Camp or through virtualisation software should pay particular attention to what might be installed there.

Mac tools that could be used to monitor someone’s activity include:

There is also a suite of hacker’s tools based on Safari Password Recorder (SPR): these can masquerade as a bogus LoginWindow process when seen in Activity Monitor, and quietly tuck away Facebook and other password details into an HTML file that can be automatically emailed to another user.

Activity Monitor will reveal running processes, but gives little other helpful information that could lead to the identification of a background key logger or monitoring service. You should get much better clues from Objective-See’s free TaskExplorer.

Anyone concerned that someone else is monitoring their account or activities should check that their firewall has not been tampered with, for instance to allow incoming access to their Mac. They should also at the very least change their OS X password to one that is not guessable, and set their Mac to require a full login at startup, if not also in their screensaver. An even more defensive step is to create a new user account with a robust password and move all personal materials over to that new account.

In many circumstances, snooping in this way is illegal, and good professional advice might be worthwhile.
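The bogus LoginWindow process mentioned above can be checked for from Terminal as well as in a process viewer. The script below is an added example, not part of the original column: it flags any process whose name is loginwindow (in any letter case) but whose executable is not at the standard system location. The sample process list and the paths in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag processes that call themselves "loginwindow" but do not
# run from the system location. Input lines: PID USER EXECUTABLE-PATH, as
# printed on a Mac by:  ps -axo pid=,user=,comm=

# Standard location of the genuine loginwindow binary on OS X / macOS.
GENUINE='/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow'

flag_bogus_loginwindow() {
    # Reads ps-style lines on stdin; prints "PID USER PATH" for each suspect.
    # The last field keeps embedded spaces, so paths such as
    # "Application Support" survive intact.
    while read -r pid user path; do
        [ -n "$path" ] || continue
        name=$(printf '%s' "${path##*/}" | tr '[:upper:]' '[:lower:]')
        # Case-insensitive match: the bogus copy may show as "LoginWindow".
        if [ "$name" = "loginwindow" ] && [ "$path" != "$GENUINE" ]; then
            printf '%s %s %s\n' "$pid" "$user" "$path"
        fi
    done
}

# Constructed sample of ps output (not captured from a real machine).
sample_ps() {
    cat <<'EOF'
   93 alice /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow
  412 alice /Applications/Safari.app/Contents/MacOS/Safari
  588 alice /Users/alice/Library/Application Support/helper/LoginWindow
  601 root  /usr/sbin/cupsd
EOF
}

# On a Mac, replace sample_ps with:  ps -axo pid=,user=,comm=
run_sample() { sample_ps | flag_bogus_loginwindow; }

run_sample
```

A flagged line is a lead to examine, not proof of snooping, and a monitor running under a different name will not be caught by this check.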

Updated from the original, which was first published in MacUser volume 26 issue 9, 2010.