How to Detect Keyloggers on a Mac
Keyloggers come in many different forms. Software-based keyloggers don't require physical access to your machine, and can get installed when you download malware or an attacker accesses your system remotely. Hardware-based keyloggers require that the attacker has physical access to your system. Various options exist to identify, locate and remove keyloggers from your system.
Activity Monitor shows you real-time events happening on your Mac. Click the Finder icon in the Dock, select the "Go" menu and choose "Utilities." Double-click "Activity Monitor" to launch the application. Click the "Process" column label to sort your activity by processes. Look for any unusual processes and check them using Terminal. Click the "Go" menu, select "Utilities" and open "Terminal." Type "man" followed by a space and the process name. For example, "man networkd" provides information about the network daemon. If you find a process that seems suspicious, look up the process on a site such as WestWind Computing or Trivia Ware to check against a list of valid daemons and services (links in Resources).
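The manual "man" check above can be run over every process at once. The script below is an added example, not part of the original article; the function names and the "--scan" switch are its own. A missing manual page does not prove a process is a keylogger, since many legitimate applications ship without one; the output is only a shortlist to check against the reference lists.

```shell
#!/bin/sh
# Added example (not from the article): shortlist running processes that have
# no manual page, i.e. the ones the "man <name>" check cannot explain.

# Read `ps -axo comm=` output on stdin (one executable path per line) and
# print the unique process names, sorted bytewise so output is stable.
process_names() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line##*/}      # drop the directory part of the path
        name=${name#-}        # login shells are listed as "-bash"
        printf '%s\n' "$name"
    done | LC_ALL=C sort -u
}

# Default lookup: succeeds when man can locate a page for the name.
has_manpage() {
    man -w "$1" </dev/null >/dev/null 2>&1
}

# Read names on stdin and print those for which the lookup command fails.
# $1 names the lookup command (default: has_manpage).
undocumented() {
    lookup=${1:-has_manpage}
    while IFS= read -r name; do
        "$lookup" "$name" || printf '%s\n' "$name"
    done
}

# Scan the live system only when asked to: sh script.sh --scan
if [ "${1:-}" = "--scan" ]; then
    ps -axo comm= | process_names | undocumented
fi
```

Save it to a file and run it from Terminal with the "--scan" argument; each name it prints is one to look up by hand.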
Some keyloggers use hardware-based tools that connect to your physical keyboard. This can occur when you work in a public office or area where others have access to your computer. If you suspect a keylogger, but can't find anything in the Activity Monitor to indicate monitoring, check the connection between your keyboard and computer. If you see any extra fittings or hardware that doesn't belong, remove the device. More invasive types of hardware-based keyloggers get implemented through the firmware and require professional removal services.
One way to prevent the detection of keystrokes involves not using the keyboard at all. Mac OS X provides support to install a software-based keyboard. Since a keylogger only detects keystrokes, you can continue to use your computer while inputting important data using the software keyboard. Launch System Preferences, select the "Keyboard" option and check the "Show Input Menu in Menu Bar" box. Click the Input icon in the menu bar and select "Show Keyboard Viewer" from the drop-down menu. Use this keyboard to enter passwords and vital information until you can get your computer checked for keyloggers.
Security software suites can often run advanced scans that can detect keyloggers. One way of doing this involves checking files for changes and blocking suspicious connections. Doing this on your own would require wading through pages of code and looking for files with even a single digit that has changed. Kaspersky, WebRoot and Intego all provide applications that can find and remove most keyloggers (links in Resources). Install a security application of your choice and run a complete scan, including archive scans, if you suspect a keylogger is installed on your system.
If you think you might have a keylogger, but don't have the time to get it removed immediately, you can thwart the keylogger by typing your password in two segments. Type the first part of your password, input some garbage text into a text document and then complete the password to prevent most keyloggers from recording your password.
When you think you have a keylogger and all other options have failed to remove the keylogger, you can erase and reinstall your operating system to remove any software-based keyloggers. Keep in mind that keyloggers installed in the firmware or through hardware won't get removed by a reinstallation. Create a backup of all of your files, restart your computer while holding down the "Option" key and use Disk Utility to erase your hard drive. Quit Disk Utility and then select the option to "Reinstall Mac OS X."
References & Resources
- Apple Support: OS X Mavericks -- Use the Keyboard Viewer
- Apple Support: OS X Mavericks -- About Activity Monitor
- Apple Support: OS X Mavericks -- Erase and Reinstall OS X
- Spy Cop: Hardware Keylogger Detection
- Compared and Reviewed: Webroot Secure Anywhere
- SecureList: Keyloggers: How They Work and How to Detect Them (Part 1)
- The Safe Mac: Mac Anti-Virus Testing 2014
- Kaspersky: Kaspersky Protection for Mac
- WebRoot: WebRoot Mac Antivirus
- Intego: Mac Internet Security X8
- WestWind: Mac OS X -- What Are All Those Processes?
- Trivia Ware: All Known Processes