OverSight

Mac malware often spies on users by recording audio and video sessions...sometimes in an undetected manner.
OverSight monitors a Mac's mic and webcam, alerting the user when the internal mic is activated, or whenever a process accesses the webcam.
Supported OS: macOS 10.15+
Current version: 2.0.1 (change log)
Zip's SHA-1: 4E5E1BD2E9C947A736F2159E3B88F5E0ED99FE56
Source Code: OverSight



Looking for an older version (compatible with older versions of macOS)?

Download: OverSight (v1.2.0)

One of the most insidious actions of malware is abusing the audio and video capabilities of an infected host to record an unknowing user. Macs, of course, are not immune; malware such as OSX/FruitFly, OSX/Crisis, OSX/Mokes, and others all attempt to spy on Mac users. OverSight constantly monitors a system, alerting a user whenever the internal microphone is activated, or the built-in webcam is accessed. And yes, while the webcam's LED will turn on whenever a session is initially started, new research has shown that malware can surreptitiously piggyback into such existing sessions (FaceTime, Skype, Google Hangouts, etc.) and record both audio and video - without fear of detection.

To install OverSight, first download the zip archive containing the application. Depending on your browser, you may need to manually unzip the application by double-clicking on the zipped archive:


Then, simply double-click on 'OverSight_Installer.app'. Click "Install" to install the tool (or "Upgrade" if you have an older version already installed):


OverSight can also be installed via the command-line. Just execute the installer application with the -install flag:
//install
$ sudo OverSight_Installer.app/Contents/MacOS/OverSight_Installer -install
OVERSIGHT: install ok!

Once OverSight is installed, it will be running and is set to automatically start each time you log in. By default, when running, OverSight adds an icon to the status menu. Clicking on this icon will display a menu with various information and configuration options:


While OverSight is running, anytime the internal microphone is activated, or a process accesses the built-in webcam, OverSight will alert you of this fact.

Below is an example of an OverSight camera alert, generated when an application (Zoom) has activated the webcam:

The alert contains the name and process identifier of the process responsible for the alert (i.e. 'Zoom'). Moreover, clicking on "Options" in the notification allows one to either allow the process once, allow it always, or terminate it via the 'Block' option.

Clicking "Allow (Always)" instructs OverSight to ignore future device access (e.g. the camera) for that specific application. Such approved applications can be viewed via OverSight's "Allowed Items..." menu option:


Note, in some cases OverSight cannot identify the process responsible for activating the mic or webcam. When this (rarely?) occurs, a more generic alert will be shown.

In order to configure OverSight, simply click on its icon in the status menu. Then click on 'Preferences...':


This preferences window will also be shown if you run OverSight.app from the /Applications folder.
  • 'Log activity'
    This preference specifies whether or not OverSight should log start/stop and audio/video events.
    OverSight's log file is located at: ~/Library/Application Support/Objective-See/OverSight/OverSight.log.

    Click the 'view' link just to the right of the 'Log Activity' label to open the log file. When this preference is enabled, OverSight will also log to the system log via syslog().

  • 'Start at login'
    This preference specifies whether OverSight should be started automatically at login, or not. This preference is on by default, meaning OverSight will provide continual protection.

  • 'Run in 'headless' mode'
    By default, OverSight will create an icon in the status menu. Enabling this preference will remove this icon, though OverSight will still be running, providing protection. If you wish to re-enable the status bar menu icon, run OverSight.app from the /Applications folder and uncheck this preference.

  • 'Disable 'inactive' alerts'
    When this preference is checked, OverSight will not display an alert when the mic or camera is deactivated.

  • 'Automatically check for updates'
    This preference controls whether or not OverSight will automatically check for new versions at startup. If there is a new version, OverSight will display a popup prompting you to upgrade.
As previously mentioned, clicking on the 'Manage Rules' button will open a window that displays all white-listed applications. To remove any application, simply click the 'x' button in its row.

To uninstall OverSight, re-run 'OverSight_Installer.app' (you can re-download it if needed). Clicking the 'Uninstall' button will both stop and remove OverSight from your Mac. OverSight can also be uninstalled via the command-line. Just execute the installer application with the -uninstall flag:
//uninstall
$ sudo OverSight_Installer.app/Contents/MacOS/OverSight_Installer -uninstall
OVERSIGHT: uninstall ok!

FAQs
Q: Why does the OverSight Installer need my password?
A: In order to determine what process(es) is/are using the webcam, OverSight interfaces with Apple's 'camera daemon.' This requires elevated privileges. Also, if the user clicks 'block' when a process is detected using the camera, OverSight will terminate the process. Again, this action (may) require elevated privileges.

Q: How can I tell if OverSight is installed and running?
A: When started, OverSight adds an icon to the status menu. The presence of this icon indicates that the process is running (unless you've told it to run in 'headless' mode). One can also check if it's running via Activity Monitor.app. Select View->All Processes, and look for a running process named OverSight_Helper.

Q: Why does it take OverSight a few seconds to display the webcam/mic usage notification?
A: There is no easy way to determine what process is using the webcam or mic when either is activated. Worse, there is no direct indication that a new process is accessing an existing webcam session. Thus OverSight has to perform various tests and has to poll the system (only when the camera/mic is active) in order to determine what process(es) is/are accessing the device. This takes a few seconds...mahalo for your patience!

Q: Why can't OverSight detect what process is using the mic/webcam?
A: While there is no direct way to determine what process is using the webcam or mic, OverSight can almost always figure this out via indirect means. If it fails to identify any process (but can still detect that the webcam/mic was activated), OverSight will still generate a notification stating the device was activated. However, this notification will not contain any process information, nor, of course, the ability to 'allow'/'block' the process.

Q: How is OverSight different than other tools (such as MicroSnitch)?
A: OverSight is unique in a variety of ways:
  • OverSight is 100% free (no demo mode, limited functionality, etc).

  • OverSight is able to identify the process that is accessing the webcam.
    When your webcam's LED light randomly comes on, you'd want to know what process triggered that, right?

  • OverSight provides the means to either 'allow' or 'block' a process that is accessing the mic/webcam.

  • OverSight allows one to whitelist processes, allowing access to either the mic or webcam without any subsequent alerts.

  • OverSight can detect secondary 'consumer' processes that may be piggy-backing off a legitimate webcam session in order to stealthily record the user without detection. (See: "Getting Duped: Piggybacking on Webcam Streams for Surreptitious Recordings" for details on this novel attack).

Q: Any other questions?
A: Feel free to shoot us an email at contact@objective-see.com.