How a Well-Regarded Mac App Became a Trojan Horse


Level 78
Thread author
Honorary Member
Top Poster
Content Creator
Apr 24, 2016
In the early days of macOS Mojave in 2018, Apple hadn’t offered users a way to automatically switch to dark and light mode at different times of the day. As usual, there were third-party developers eager to pick up the slack. One of the more well-regarded night mode apps to fix this issue was NightOwl, first released in the middle of 2018, a small app with a simple utility that could run in the background during day-to-day use.

With more official macOS features added in 2021 that enabled the “Night Shift” dark mode, the NightOwl app was left forlorn and forgotten on many older Macs. Few of those supposed tens of thousands of users likely noticed when the app they ran in the background of their older Macs was bought by another company, nor when earlier this year that company silently updated the dark mode app so that it hijacked their machines in order to send their IP data through a server network of affected computers, AKA a botnet.

After some users noted issues with the app after a June update, web developer Taylor Robinson discovered the problem ran deep, as the program redirected users’ computers’ connections without any notification. The real dark mode turned out to be the transformation of a respectable Mac app into a playground for data harvesters.

In an email with Gizmodo, Robinson broke down their own investigation into the app. They found that NightOwl installs a launcher that turns the users’ computer into a kind of botnet agent for data that’s sold to third parties. The updated version of NightOwl, released June 13, runs a local HTTP proxy without users’ direct knowledge or consent, they said. The only hint NightOwl gives to users that something’s afoot is a consent notice after they hit the download button, saying the app uses Google Analytics for anonymized tracking and bugs. The botnet settings cannot be disabled through the app, and in order to remove the modifications made to a Mac, users need to run several commands in the Mac Terminal app to excise the vestiges of the code from their system, per Robinson.

It’s currently unclear how many users were affected by the seemingly malicious code, especially as NightOwl has since become unavailable on both the website and app store. The NightOwl site claims the app was downloaded more than 141,000 times, and that there were more than 27,000 active users on the app. Even if the app lost most of its users after Apple installed new Dark Mode software, there were potentially thousands of users running NightOwl on their old Macs.
If you have the NightOwl app installed on your Mac, you should get rid of it immediately. Robinson’s blog details the Terminal commands needed to excise the app from your device.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.