Patrick Wardle, a former NSA hacker who in recent years has become the de-facto expert on everything Mac malware, has created and released a Mac app that can detect certain types of macOS keyloggers.
Named ReiKey [GitHub], Wardle created and released this new app towards the end of 2018, as the researcher started looking into the inner workings of macOS keyloggers [1, 2].
"The majority of macOS malware that contains keylogger logic (to capture keypresses) does so via CoreGraphics 'event taps'," said Wardle.
ReiKey was specifically created to work around this common keylogger design pattern. Wardle's app works by continuously scanning the operating system for newly registered CoreGraphics event taps.
When ReiKey detects any app that registers a new CoreGraphics event tap, it shows a popup notification with information about the suspicious process that created so that the user can look into and determine if this originated from a legitimate or malicious process.
In some cases, these notifications will be false positives, as some apps with accessibility features or that respond to various keyboard commands will also use CoreGraphics event taps to respond to user input. One such example is Siri.
However, very few macOS apps tend to use event taps, and ReiKey is the perfect app to have your back when installing new or never-before-used apps.
If the app installs an event tap for which it doesn't have a reason to do so, then the user should either look into the app's features for an explanation or consider using an alternative app.
Under the hood, ReiKey works by relying on an undocumented macOS notification system, Wardle told us. ReiKey listens to broadcasts of this notification. Every time a new event tap is installed, ReiKey picks up the OS broadcast message and shows the its own popup to users.
Users can also trigger the on-demand all-system scan from the ReiKey icon (by clicking the "Scan..." option), or they can use ReyKey from the command-line. Screenshots of these features and more are available below:
Users should be aware that ReiKey doesn't detect all types of macOS keyloggers, as some of these might be using other methods for recording keystrokes. Nonetheless, because it's a free app, it's a solid alternative for Mac users who can't afford a full-blown antivirus.
ReiKey is just the latest app released under the Objective-See brand of Mac security and privacy apps. Other free Mac security apps that Wardle has released in the past under this brand include LuLu (firewall), Do Not Disturb (evil maid protection), KnockKnock (detection of persistently installed Mac software), RansomWhere (ransomware detection and protection), OverSight (detection of Mac malware that records audio and video sessions), and many other more.
Wardle is also the man behind the Objective by the Sea conference, one of the few security conferences focused on Mac malware. Talks and slides from the conference's first edition are available here.
Updated article to clarify that ReiKey doesn't work by scanning the system all the time, but by listening to a silent OS broadcast message.