Short Summary
The macOS app called NightOwl, originally designed to provide a night mode feature for Macs, has turned into a malicious tool that collects users’ data and operates as part of a botnet. Originally well-regarded for its utility, NightOwl was bought by another company, and a recent update introduced hidden functionalities that redirected users’ data through a network of affected computers. Web developer Taylor Robinson discovered that the app was running a local HTTP proxy without users’ knowledge or consent, collecting users’ IP addresses and sending the data to third parties. The app’s certificate has been revoked, and it is no longer accessible. The incident highlights the risks associated with third-party apps that may have malicious intentions after updates or ownership changes.
Longer Summary
The NightOwl app was developed by Keeping Tempo, an LLC that went inactive earlier this year. The app was recently found to have been turned into a botnet by the new owners, TPE-FYI, LLC. The original developer, Michael Kramser, claims that he was unaware of the changes to the app and that he sold the company last year due to time constraints.
Gizmodo was unable to reach TPE-FYI, LLC for comment. However, the internet sleuth who discovered the botnet, Will Robinson, said that it is not uncommon for shady companies to buy apps and then monetize them by integrating third-party SDKs that harvest user data.
Robinson also said that it is understandable why developers might sell their apps, even if it means sacrificing their morals. App development is both hard and expensive, and for individual creators, it can be tempting to take the money and run.
This is not the first time that a popular app has been turned into a botnet. In 2013, the Brightest Flashlight app was sued by the Federal Trade Commission after allegedly transmitting users’ location data and device info to third parties. The developer eventually settled with the FTC for an undisclosed amount.
In 2017, software developers discovered that the Stylish browser extension started recording all of its users’ website visits after the app was bought by SimilarWeb. Another extension, The Great Suspender, was flagged as malware after it was sold to an unknown group back in 2020.
All of these apps had millions of users before anyone recognized the signs of intrusion. In these cases, the new app owners’ shady efforts were all to support a more-intrusive version of harvesting data, which can be sold to third parties for an effort-free, morals-free payday.
Possible Takeaways
-
Minimize the software you use
-
Keep track of ownership changes
-
Use software from only the most reputable sources
-
Regularly review installed apps
-
Be suspicious about app’s unexpected behaviors and permissions
I always get paranoid when I notice an app I use having unusual updates.
Example: The gallery app for Android I use, F-Stop, used to post infrequent updates with changelog only stating “stability updates” and such, or nothing. Then a few months ago they started posting quite major feature updates with detailed log. I freaked out if they weren’t bought up or something, so I stopped updating and just watched for a few months. So far so good.
But ya know, moral of the story - use open source whenever possible. FOSS community is very vigilant and vocal about such things. It’s not bulletproof, but there’s a much better peace of mind with foss apps, it’s quite crazy.
The proprietary app stores claim how their corporate bullshit is the only secure way to get reliable apps, while in reality it’s the exact opposite.
It’s nice to use FOSS as much as possible, but in reality, is the source in the binary exactly the same as in the repo? Unless you compile yourself, you still don’t know what you get.
In lots of places other people do the compilation and thus guarantee the build, like in Linux distros or F-Droid.
That’s nice to know, but I was more thinking about phone apps.
It’s harder the be sure that what was uploaded - to let’s say Google Store - is not “tweaked” …
That is one nice thing about F-Droid. They compile the binary like Linux distros do.