It’s no news that macOS users also need protection against malicious code. The good news is that macOS users now have a new tool designed to help them identify generic keyloggers that may be plaguing their systems. The tool is called ReiKey, and has been developed by the acclaimed security researcher Patrick Wardle.
ReiKey Technical Overview: What Does the Tool Do for macOS Users?
So, what does ReiKey do? Malware and other applications may install persistent keyboard “event taps” to intercept the user’s keystrokes. This is where ReiKey comes in, as it can scan, detect, and monitor for such event taps.
In general, macOS keyloggers rely on CoreGraphics event taps to capture keystrokes. ReiKey detects each new tap added to the system and alerts the user, Wardle explains. It should also be noted that legitimate apps, benign programs and system components, such as Siri, may install event taps on the system as well. This is normal behavior.
The most recent version of the tool, v1.1, is already capable of muting alerts about benign programs from Apple. The feature is enabled by default, and this has led to a lower rate of false positives.
ReiKey Detects Only Keyloggers Utilizing CoreGraphics Event Taps
ReiKey has an “always-on protection” against keyloggers but also offers an on-demand scan. Both are possible due to the OS-level notification system known as com.apple.coregraphics.eventTapAdded. This system is responsible for delivering a message whenever a new event tap is added.
ReiKey only works against keyloggers that install CoreGraphics event taps, meaning that only malware utilizing those will be detected. This may be the most common method used by macOS keyloggers, but there are other techniques as well.
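The check described above, sketched as an added example (not ReiKey's code): take a snapshot of the event-tap list each time com.apple.coregraphics.eventTapAdded fires, then report taps that are new and subscribe to keyboard events. The tap_rec struct, the function names and the sample PIDs are assumptions made for illustration; CGGetEventTapList and the CGEventTapInformation fields are the real CoreGraphics API and are only compiled on macOS.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#ifdef __APPLE__
#include <ApplicationServices/ApplicationServices.h>
#endif

/* Mask bits of kCGEventKeyDown (10), kCGEventKeyUp (11), kCGEventFlagsChanged (12). */
#define KEYBOARD_MASK ((1ULL << 10) | (1ULL << 11) | (1ULL << 12))
typedef struct {        /* hypothetical portable subset of CGEventTapInformation */
    uint32_t tap_id;    /* eventTapID */
    uint64_t events;    /* eventsOfInterest */
    int32_t  pid;       /* tappingProcess */
} tap_rec;

/* Copy to out[] each keyboard tap in after[] that is absent from before[]; return the count. */
size_t new_keyboard_taps(const tap_rec *before, size_t nb,
                         const tap_rec *after, size_t na, tap_rec *out)
{
    size_t found = 0;
    for (size_t i = 0; i < na; i++) {
        int known = !(after[i].events & KEYBOARD_MASK);   /* ignore mouse-only taps */
        for (size_t j = 0; j < nb && !known; j++)
            known = before[j].tap_id == after[i].tap_id && before[j].pid == after[i].pid;
        if (!known)
            out[found++] = after[i];
    }
    return found;
}

#ifdef __APPLE__
/* Read up to 64 live taps into recs[] (caller provides 64 slots); returns 0 on error. */
size_t snapshot_taps(tap_rec *recs)
{
    CGEventTapInformation info[64];
    uint32_t n = 0;
    if (CGGetEventTapList(64, info, &n) != kCGErrorSuccess) return 0;
    for (uint32_t i = 0; i < n; i++)
        recs[i] = (tap_rec){ info[i].eventTapID, info[i].eventsOfInterest, info[i].tappingProcess };
    return n;
}
#endif

int main(void)
{   /* Constructed snapshots: pid 412 holds a mouse tap, then pid 9001 adds a keyboard tap. */
    tap_rec before[] = { {1, 1ULL << 1, 412} }, out[2];
    tap_rec after[]  = { {1, 1ULL << 1, 412}, {2, KEYBOARD_MASK, 9001} };
    size_t n = new_keyboard_taps(before, 1, after, 2, out);
    for (size_t i = 0; i < n; i++)
        printf("new keyboard tap %u from pid %d\n", (unsigned)out[i].tap_id, (int)out[i].pid);
    return 0;
}
```

A tap reported here is a candidate for review, not a verdict: resolving the PID to a binary and checking its code signature is the step that separates Apple components such as Siri from unknown software.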