macOS users have a new open source tool to help them identify generic keyloggers on their system. Called ReiKey, the app can scan and monitor for software that installs keyboard event taps to intercept keystrokes.

Event taps allow monitoring and filtering input events, like keyboard presses, before they pass to a foreground application. CoreGraphics is the framework that handles these low-level user input events.

Developed by security researcher and macOS hacker Patrick Wardle, ReiKey is effective against malware that uses CoreGraphics to achieve its purpose.

Wardle says that most macOS keyloggers rely on CoreGraphics 'event taps' to capture keystrokes, and that ReiKey was specifically designed to detect and alert whenever a new tap is added to the system.

Malware is not the only type of software that may install event taps on your system. Some legitimate apps and system components need to monitor keypresses in order to function correctly. One example is Siri.

"This is normal, and does not mean Apple is spying on you!" Wardle says.

Although these benign processes appear in the scan results, users can run ReiKey after a clean OS install to check the legitimate entries and then pay attention to any alert popping up when adding a new app.

Wardle is considering adding a new setting that instructs ReiKey to trust benign apps, Apple-signed ones, in particular. At the moment, the only choices available are to start the app at login and enable an icon on the status bar menu.

Update: ReiKey 1.1 is now available, which adds the option to silence alerts about benign programs from Apple. This setting comes enabled by default and results in a lower number of false positive alerts as it ignores system binaries.

ReiKey's always-on protection (on-demand scan is also available) against keyloggers is possible via an OS-level notification system, "com.apple.coregraphics.eventTapAdded" (kCGNotifyEventTapAdded), which broadcasts a message whenever a new event tap is added to the system.

Wardle told BleepingComputer that no special permissions are required for this app and that it works in a sandboxed environment, too.
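The two modes described above, an on-demand scan and always-on monitoring through the tap-added notification, can be reproduced with public macOS APIs. The following is an added example, not ReiKey's source code; the file name `tapwatch.m` and the names `scanTaps`, `seenTaps` and `kKeyboardMask` are assumptions made for illustration.

```objective-c
// Build on macOS (tapwatch.m is an assumed file name):
//   clang -framework Foundation -framework ApplicationServices tapwatch.m -o tapwatch
#import <Foundation/Foundation.h>
#import <ApplicationServices/ApplicationServices.h>
#import <libproc.h>
#import <notify.h>

// A tap is keyboard-related if its mask covers key-down, key-up or modifier changes.
static const CGEventMask kKeyboardMask = CGEventMaskBit(kCGEventKeyDown) |
    CGEventMaskBit(kCGEventKeyUp) | CGEventMaskBit(kCGEventFlagsChanged);
static NSMutableSet<NSNumber *> *seenTaps;  // tap IDs already reported

// Enumerate installed event taps and report enabled keyboard taps not seen before.
static void scanTaps(void) {
    uint32_t count = 0;
    // With a NULL list, the call only returns the number of installed taps.
    if (CGGetEventTapList(0, NULL, &count) != kCGErrorSuccess || count == 0) return;
    CGEventTapInformation *taps = calloc(count, sizeof(*taps));
    if (taps == NULL) return;
    if (CGGetEventTapList(count, taps, &count) == kCGErrorSuccess) {
        for (uint32_t i = 0; i < count; i++) {
            if (!taps[i].enabled || !(taps[i].eventsOfInterest & kKeyboardMask)) continue;
            NSNumber *tapID = @(taps[i].eventTapID);
            if ([seenTaps containsObject:tapID]) continue;
            [seenTaps addObject:tapID];
            char path[PROC_PIDPATHINFO_MAXSIZE];
            if (proc_pidpath(taps[i].tappingProcess, path, sizeof(path)) <= 0)
                strlcpy(path, "(unknown)", sizeof(path));
            NSLog(@"keyboard tap %u: installed by pid %d (%s), tapped pid %d, %s",
                  taps[i].eventTapID, taps[i].tappingProcess, path,
                  taps[i].processBeingTapped,
                  taps[i].options == kCGEventTapOptionListenOnly ? "listen-only" : "active filter");
        }
    }
    free(taps);
}

int main(void) {
    seenTaps = [[NSMutableSet alloc] init];
    @autoreleasepool { scanTaps(); }  // on-demand scan of taps that already exist
    int token = 0;
    // Always-on mode: rescan each time the system announces a new event tap.
    uint32_t status = notify_register_dispatch(kCGNotifyEventTapAdded, &token,
        dispatch_get_main_queue(), ^(int t) { (void)t; scanTaps(); });
    if (status != NOTIFY_STATUS_OK) {
        NSLog(@"notify registration failed: %u", status);
        return 1;
    }
    dispatch_main();  // never returns; the handler runs on the main queue
}
```

The first scan establishes the baseline of existing taps, which on a clean system will include benign Apple processes; every later line of output corresponds to a tap added after startup.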

It is important to note that ReiKey does not work against all types of keyloggers. "It is specifically built to detect malware that installs CoreGraphics keyboard 'event taps.' While this is the most common technique (ab)used by macOS keyloggers, there are other techniques that malware may use to capture keystrokes," Wardle warns.

Patrick Wardle is a former NSA staffer focused on developing security tools for macOS. He is the creator of the Objective-See brand which published multiple free Mac security apps, like LuLu firewall, RansomWhere? monitor for suspicious processes that generate encrypted files, KnockKnock - a tool that shows persistent installations, and Do Not Disturb - an app designed to alert of physical access (evil maid) attacks.
