ReiKey is a free tool that allows to scan and detect keylogger that install persistent keyboard “event taps” to intercept your keystrokes.
Good news for macOS users, a new open source tool dubbed ReiKey allows them to detect Mac Keyloggers. The ReiKey app monitor systems for applications that analyzed keyboard ‘event taps‘ to monitor and filter input events from several points within the system intercept keystrokes.
Event taps are added by both malicious applications and legitimate software to manage inputs provided by the user.
ReiKey was developed by the popular macOs expert and former NSA white hat hacker Patrick Wardle. The application is able to detect malicious codes that uses the CoreGraphics framework to monitor event taps.
ReiKey generically detects macOS (CG event tap) keyloggers 👾⌨️
♥️🙏 for all the feedback!
Weekend improvements:
-preference to ignore Apple/OS taps
-support for standard-user installs
-various bug fixes/UI improvementsGrab version 1.1.0: https://t.co/jWShhPVx2l pic.twitter.com/jhJDAnRsYU
— Objective-See Foundation (@objective_see) January 7, 2019
According to Wardle, most macOS keyloggers rely on ‘event taps’ implemented in the CoreGraphics framework to capture keystrokes, for this reason, the expert developed the tool to detect any new tap event that is added to the system.
Note that tool is effective only against keylogger that installs install CoreGraphics keyboard “event taps, but there are other way to implement keylogging features.
“The majority of macOS malware that contains keylogger logic (to capture keypresses) does so via CoreGraphics ‘event taps.'” states the post published by Wardle.
“ReiKey was designed to detect such keyboard taps, alerting you anytime a new tap is installed. In other words its goal is generically detect (the most common type of) macOS keyloggers.”
The tool scans for existing keyboard “event taps” and alerts whenever a new keyboard event tap is activated.
The scan provided the users the following information:
- the process that installed the keyboard event tap
- the target of the event tap (which is normally global, for all processes)
- the type of keyboard event tap; either “passive listener” or “active filter”
The scan results will also include legitimate entries, so users need to carefully analyze them.
Wardle already released the ReiKey 1.1 version that allows to instructs ReiKey to flag as benign some specific applications, like Apple ones.
ReiKey doesn’t require special permissions to work.