Anti-virus software companies have been accused of ignoring the Coldroot MacOS Trojan, which could leave Apple users wide open to compromise.
The claim has been made by Digita Security chief technology officer Patrick Wardle, who says anti-virus software vendors have failed to include signatures to detect a potent Trojan that has been growing in complexity for years.
He said that the Coldroot RAT (remote access trojan) has been compromising devices for years, but that security software vendors appear to have been unaware of the danger it presented.
The Trojan is predominantly targeting MacOS devices, although Wardle warned that it could potentially be used against other operating systems too.
The Trojan can be used to install keystroke-loggers on MacOS systems in a bid to obtain passwords and banking details, particularly credit-card numbers.
Wardle published his findings in a technical post on Saturday. He believes that cyber criminals have been selling access to the malware since January 2017.
There is also evidence indicating that some versions of the malware have been circulating on GitHub for two years, meaning that not only is it widely known about, but that the anti-virus software vendors could have incorporated signatures into their security suites.
In his report, Wardle spoke about "a vulnerability I found in all recent versions of MacOS that allowed unprivileged code to interact with any UI component including 'protected' security dialogs".
He continued: "Though reported and now patched, it allowed one to do things like dump passwords from the keychain or bypass High Sierra's 'Secure Kext Loading' - in a manner that was invisible to the user."
Wardle added that the Trojan tweaks the operating system's privacy database, TCC.db, writing its own entry into it so that it is granted accessibility rights without the user ever being asked.
"With such rights, applications can then interact with system UIs, other applications, and even intercept key events (i.e. keylogging)," he said.
"By directly modifying the database, one could avoid the obnoxious system alert that is normally presented to the user."
Rewriting TCC.db directly in this way can hand the attacker whatever rights the inserted entry names, not only accessibility.
However, MacOS High Sierra protects the database with System Integrity Protection, so the technique only works against older versions of MacOS, which are most at risk.
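The database edit Wardle describes leaves a trace a defender can look for: an accessibility grant for a client nobody approved. The check below is an added example, not Wardle's code or anything from Coldroot. It builds a constructed in-memory copy of the pre-Mojave TCC.db `access` table (the column layout and the sample rows, including the client name `com.example.unknown-helper`, are assumptions made for the example) and flags any allowed `kTCCServiceAccessibility` entry whose client is outside an allow-list or that carries no code-signing requirement blob, which is a heuristic rather than a guarantee. On a real machine the file lives at `/Library/Application Support/com.apple.TCC/TCC.db`, needs root to read, and on High Sierra is itself protected by System Integrity Protection.

```python
import sqlite3
from typing import Iterable, List, Tuple

# Service name macOS records for accessibility (UI control / key interception) grants.
ACCESSIBILITY_SERVICE = "kTCCServiceAccessibility"

# Constructed allow-list: bundle IDs an administrator expects to hold accessibility rights.
EXPECTED_CLIENTS = {"com.apple.Terminal", "com.example.screenreader"}

# Column layout assumed for the pre-Mojave TCC.db 'access' table (assumption for this example).
SCHEMA = """
CREATE TABLE access (
    service      TEXT    NOT NULL,
    client       TEXT    NOT NULL,
    client_type  INTEGER NOT NULL,
    allowed      INTEGER NOT NULL,
    prompt_count INTEGER NOT NULL,
    csreq        BLOB,
    policy_id    INTEGER,
    PRIMARY KEY (service, client, client_type)
);
"""

# Constructed sample rows: two grants made through the normal prompt (with a csreq blob),
# one planted grant for a hypothetical unknown client with no csreq, and one unrelated row.
SAMPLE_ROWS = [
    (ACCESSIBILITY_SERVICE, "com.apple.Terminal", 0, 1, 1, b"\xfa\xde\x0c\x00", None),
    (ACCESSIBILITY_SERVICE, "com.example.screenreader", 0, 1, 1, b"\xfa\xde\x0c\x00", None),
    (ACCESSIBILITY_SERVICE, "com.example.unknown-helper", 0, 1, 1, None, None),
    ("kTCCServiceAddressBook", "com.example.mail", 0, 1, 1, b"\xfa\xde\x0c\x00", None),
]


def build_sample_db() -> sqlite3.Connection:
    """Create the constructed TCC.db lookalike in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def suspicious_accessibility_grants(
    conn: sqlite3.Connection, expected: Iterable[str] = EXPECTED_CLIENTS
) -> List[Tuple[str, List[str]]]:
    """Return (client, reasons) for each allowed accessibility grant that looks planted."""
    expected = set(expected)
    findings = []
    rows = conn.execute(
        "SELECT client, csreq FROM access WHERE service = ? AND allowed = 1 ORDER BY client",
        (ACCESSIBILITY_SERVICE,),
    )
    for client, csreq in rows:
        reasons = []
        if client not in expected:
            reasons.append("client not in allow-list")
        if csreq is None:
            # Grants approved via the system prompt normally carry a code-signing requirement;
            # a direct INSERT by malware can leave it empty. Heuristic, not proof.
            reasons.append("no code-signing requirement recorded")
        if reasons:
            findings.append((client, reasons))
    return findings


def scan_file(path: str) -> List[Tuple[str, List[str]]]:
    """Run the same check read-only against a real TCC.db copy (needs root on a live system)."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return suspicious_accessibility_grants(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    for client, reasons in suspicious_accessibility_grants(build_sample_db()):
        print(f"{client}: {'; '.join(reasons)}")
```

Run against the constructed table, only `com.example.unknown-helper` is reported, for both reasons. Tuning the allow-list is the real work: every legitimate accessibility client on a fleet must be listed, otherwise the check is noise.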
He added: "Behind the scenes, the application will automatically beacon out to a server.
"While creating a network connection is itself not inherently malicious, it is a common tactic used by malware - specifically to check in with a command and control server for tasking," Wardle notes.
"When the malware receives a command from the server to start a remote desktop session, it spawns a new thread named: 'REMOTEDESKTOPTHREAD'.
"This basically sits in a while loop (until the 'stop remote desktop' command is issued), taking and 'streaming' screen captures of the user's desktop to the remote attacker."