![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2023\/08\/NightOwl-undesirable-behavior-600x300-1.jpg\")
<\/p>\n<\/p>\n
In late June, a web developer named Taylor Robinson wrote a blog post titled, “Uninstall the Nightowl App, now.<\/a>”<\/p>\n NightOwl is a third-party app that has been around since 2018. It’s supposed to offer more customizability than Apple’s built-in Night Shift<\/a> feature in macOS; both can automatically toggle your display to warmer colors after dark.<\/p>\n But Robinson claims that NightOwl has taken a turn toward the dark side. Supposedly, it silently enlists Macs in a botnet army.<\/p>\n Apple seems to agree that something shady is afoot; the company revoked the NightOwl developer’s code-signing certificate, forcing the developer to remove NightOwl’s download link from its site.<\/p>\n So what’s really going on? Let’s break down what we know about NightOwl.<\/p>\n In this article:<\/em><\/p>\n NightOwl is an app that lets you control the macOS Dark Mode and Light Mode on a much more granular level. You can pick which apps remain Light when the rest of the system goes Dark, and vice versa. You can set it to toggle modes at a certain schedule, or as the sun rises and sets. Moreover, you can toggle between modes with a hotkey. And the cute owl sounds when switching between modes are just icing on the cake.<\/p>\n The utility offered Mac users an extra level of control beyond what’s built into macOS. It has remained popular ever since.<\/a><\/p>\n NightOwl’s original developer, Benjamin Kramser<\/a>, says that he was no longer able to personally continue to develop the app due to time constraints. This led him to sell the project to a company called TPE.FYI LLC in November 2022.<\/p>\n It isn’t uncommon for apps to get acquired by a bigger company. Even companies as big as Apple have been known to acquire smaller companies to obtain all the rights to their software.<\/p>\n According to public records<\/a>, TPE.FYI LLC was formally established as a business entity in September 2018, but was dissolved in March 2023.<\/p>\n The same month that TPE.FYI was supposedly dissolved, the NightOwl website apparently introduced a new Terms and Conditions page. For anyone who may have happened to read it, this page contains some potentially concerning statements, such as:<\/p>\n “WHEREAS, NightOwl app enables Users to share internet traffic by modifying their device\u2019s network settings to be used as a gateway for internet traffic. Additionally, the User\u2019s device acts as a gateway for NightOwl app\u2019s Clients, including companies that specialize in web and market research, SEO, brand protection, content delivery, cybersecurity, etc.”<\/p><\/blockquote>\n While such language might stop you from installing an app, this change apparently wasn’t called out very clearly to users. What’s worse, this functionality could neither be opted into nor opted out of; it was simply baked into the product.<\/a><\/p>\n The claim in Taylor Robinson’s blog post that NightOwl “forcibly joins your devices into a botnet” is quite a strong accusation. <\/a>Let’s examine what that implies, and whether the current version of NightOwl has such capabilities.<\/p>\n When a computer or device is part of a botnet, that means software is installed that uses computing resources and Internet bandwidth to carry out tasks on behalf of a botmaster (bot operator). Such tasks may including participating in distributed denial of service (DDoS) attacks, sending spam, generating fake views or clicks, or other unethical behavior.<\/p>\n Generally, all of this is done without the knowledge or explicit consent of the owner of that device or computer.<\/a><\/p>\n A bot (or zombie) is an infected computer or device that is part of a botnet army.<\/p>\n According to Robinson, NightOwl was connecting to a remote SSH server, and acted as an HTTP(S) proxy server for the developer. Theoretically, this could mean that the current NightOwl developer could try to leverage users’ devices as part of a botnet to conduct DDoS attacks against Web servers, or generate fake clicks or views.<\/p>\n Robinson also notes that NightOwl contains code related to a service called Pawns (or Pawns.app), which supposedly pays users up to 20 cents per gigabyte for sharing their network bandwidth. Again, this seems to imply that some third party could theoretically leverage NightOwl users’ Internet connections as proxies to send DoS or click fraud traffic.<\/p>\n Notably, Robinson did not claim to have observed NightOwl actually engaging in these types of activities<\/strong> commonly associated with botnets.<\/p>\n Of course, this behavior happens behind the scenes; users of NightOwl will generally have no idea that any of this is happening. <\/a>Users also wouldn’t get a share of any revenue generated by Pawns traffic; all of the potential profits would go to the current NightOwl developer.<\/p>\n Robinson goes into further technical detail about how NightOwl uses a LaunchAgent to kick off an AutoUpdate daemon. The daemon runs as root, and it cannot be disabled through the app. Turning off the “Send Statistics” option in the app does not disable the LaunchAgent, either.<\/p>\n Further details include how NightOwl may be making use of several open-source software packages without including the appropriate licenses.<\/p>\n Finally, Robinson explains the Pawns component:<\/p>\n The application also seems to use the Pawns SDK, which is an app offers to pay users $0.20 per GB of their internet shared. This service is operated by IPRoyal, a proxy company that will sell you residential proxy connections for $1.75\/GB, and advertises \u201c100% ethically sourced IPs\u201d.<\/p><\/blockquote>\n IPRoyal is apparently overconfident, at best, about its “100% ethically sourced IPs” claim. The company boasts of more than 8 million IP addresses. <\/a>Pawns, for its part, advertises that its clients (evidently including the current NightOwl developer) can get paid up to $2 per month, per unique IP address.<\/p>\n And what precisely could such a “residential proxy” service do? It could route its clients’ Internet traffic through any computer with the software installed.<\/p>\n And why might a client want to pay for such a proxy service? Perhaps to do sketchy things\u2014such as making malicious edits to Wikipedia to spread disinformation, creating social media accounts en masse for fake engagement, or even accessing illegal pornography\u2014all of which appear to originate from your home or workplace<\/strong>.<\/p>\n So, in a worst-case scenario, you could potentially be investigated and arrested for crimes you did not commit, all because of software on your computer that you didn’t even know existed.<\/a><\/p>\n The recent press coverage about NightOwl typically just links back to Robinson’s blog post from June, offering little additional information. The likely source of the sudden interest is an August 8 post<\/a> on Y Combinator’s Hacker News. From there, the story seems to have been picked up by several online tech publications.<\/p>\n Due to this new attention, the current NightOwl developer gave a statement to HowToGeek<\/a> that reads, in part:<\/p>\n “Given some users high level of concern we are working to give users an option to opt out of this. If we are able to re-release the app we will either completely remove this SDK or give an easy option for disabling. We apologize for the inconvenience and concern created.”<\/p><\/blockquote>\n Around this time the download was made unavailable on the NightOwl website.<\/p>\n While an opt-out is a start, this is not the best approach. “Opt in” would be preferable, as the user must manually check a box to enable the functionality. It also isn’t clear from that statement whether the company plans to make the potentially undesirable behavior much more apparent to end users, with notifications upon installation or upgrade.<\/p>\n The desire to somehow make money from NightOwl or any app makes sense, but it’s important to do so in a fully transparent and ethical way. At the time the company acquired NightOwl, TPE.FYI LLC communicated to the original developer that it would use normal, ethical methods of monetizing the app, namely a subscription model with more advanced features.<\/a><\/p>\n NightOwl’s original developer, Benjamin Kramser, makes the following statement on his site<\/a>:<\/p>\n “Nightowl got acquired by TPE.FYI LLC in November 2022<\/strong><\/p>\n “Due to time constraints, I could no longer personally continue the development of NightOwl. Therefore, in November 2022, I made the decision to sell my beloved tool to ‘TPE.FYI LLC’. This decision was made with the understanding that new (Pro) features and a subscription model would be introduced. Unfortunately, ‘TPE.FYI LLC’ has opted to monetize the app by integrating a third-party SDK. This decision is not affiliated with me in any way, and I do not endorse it in any form.”<\/p><\/blockquote>\n We reached out to Kramser with follow-up questions, and he responded:<\/p>\n “I regret the current situation surrounding NightOwl.<\/p>\n “There’s not much I can add to what has already been communicated on my website. I can only supplement that TPE.FYI didn’t approach me [to buy NightOwl] actively on their own initiative. As described on the website, due to time constraints, I was actively searching for a developer\/company to continue the project and provide users with new features.”<\/p><\/blockquote>\n Unfortunately, the company that acquired NightOwl appears to have not stayed true to its word about how it would monetize the app; either that, or perhaps another developer took over the project after TPE.FYI was reportedly dissolved.<\/a><\/p>\n The current NightOwl developer has updated the nightowlapp.co site with a pop-up message stating the following:<\/p>\n “We want to address recent claims that NightOwl contains malware. We want to assure you that these claims are inaccurate and false. Our app does not contain any form of malware. The concerns raised are based on a mistaken identification, and we are actively working with all major antivirus companies to rectify this situation promptly.<\/p>\n “Your security and trust are of utmost importance to us. We kindly ask for your patience as we address this matter with the necessary parties. Thank you for your understanding.”<\/p><\/blockquote>\n We reached out via e-mail with follow-up questions. In a reply to Intego, NightOwl’s current developer added:<\/p>\n “It is of crucial importance to us that our users feel comfortable and informed about the usage of NightOwl.<\/p>\n “We have partnered with a highly reputable residential proxy service to monetize NightOwl. We added their SDK to the backend of the app that allows our partner’s users to send some requests through the NightOwl user\u2019s IP address. It’s important to note that we solely collect users’ IP addresses. No other user data is collected. We have disclosed this in our terms and conditions.<\/p>\n “We understand that some users have expressed concerns about this, and we apologize for any inconvenience or worry this situation may have caused. In response to this feedback, we are actively working to provide users with an option to opt out. Should we have the opportunity to re-release the app, we are committed to implementing a straightforward method for users to disable this feature.<\/p>\n “Our team is dedicated to resolving this matter swiftly and effectively, ensuring that NightOwl can once again be enjoyed by users without any reservations. <\/a>We greatly value the trust our users place in us and want to assure them that their satisfaction, security, and privacy remain our utmost priorities.”<\/p><\/blockquote>\n When asked whether they disputed any of the claims in Robinson’s blog post, the company stated:<\/p>\n “Yes, we dispute the claims made in the post regarding (a) that this blogger contacted us for comment, they did not. If concerns had been raised directly we would have happily addressed and them. (b) that this is a botnet or in some way malicious. It is not malicious. <\/a>We made some mistakes in the implementation that we have been working to resolve for several weeks already.”<\/p><\/blockquote>\n Intego also asked whether the developer intends to re-release NightOwl under a different developer ID, since Apple appears to have blocked the previous account. The company responded:<\/p>\n “Our dev team has made several changes related to the concerns in this blog post and are taking the feedback we are receiving from ESET, Microsoft, etc. We hope that we can solve these issues with the antivirus companies and with our Apple Developer account and push an update that solves these problems. If we are not able to we will likely shut down NightOwl or we will sell it.”<\/p><\/blockquote>\n This seems to imply that, at least for the time being, the company does not plan to attempt to obtain a second Apple developer account under which to re-release the app\u2014at least not without first making changes to try to comply with Apple’s terms of service. Perhaps the company might change its approach if it’s unable to return to Apple’s good graces.<\/p>\n When asked whether the company plans to continue using tinyproxy, Pawns, or similar frameworks or monetizable behavior in NightOwl, the company responded, “If we are able to distribute the NightOwl app again we will look at all legitimate monetization options that are available.” <\/a>Presumably, this may include continuing to use Pawns, since the company considers it “highly reputable.”<\/p>\n The developer had stated earlier that “we are actively working to provide users with an option to opt out.” We sought further clarification. Was their intention to change the monetization functionality to an opt-in or opt-out model going forward?<\/p>\n They stated, “If we are able to distribute the app again we will definitely make this feature optional and clear as to what it does.”<\/p>\n This sounds like an improvement, but doesn’t clearly indicate the developer’s intentions. It’s unclear from this statement whether users will have to opt in to enable monetization features, <\/a>or whether the functionality will remain enabled by default, requiring users to take action to opt out.<\/p>\n We also asked several other follow-up questions. Here are our questions and their responses:<\/p>\n Q.<\/strong> How do you plan to earn back the trust of NightOwl users? Q. <\/strong>Will you rectify the alleged GPL violation over the use of tinyproxy? Q. <\/strong>What have you learned from this experience? How will your company’s business practices change going forward? In a later e-mail, we also asked whether TPE.FYI LLC is the current owner of NightOwl. We noted that the company name is nowhere to be found on the nightowlapp.co Web site, and public records seem to indicate that the company was dissolved around the same time that the new monetization behavior appears to have been implemented. As of publication time, the current developer had not responded to this inquiry.<\/p>\n Oddly, the current developer’s site continues to strongly imply that Kramser is still developing NightOwl. The app’s homepage contains the original developer’s story, “Why I developed NightOwl,” without offering any indication that Kramser is no longer involved with the project.<\/a><\/p>\n So is NightOwl malware or not? In our brief testing, we have not observed direct evidence that the software itself is overtly malicious or directly dangerous to users, so it does not appear to meet the strictest definition of harmful malware.<\/p>\n However, broader definitions of malware can include software with behavior that some users would find undesirable, objectionable, deceptive, or a violation of trust.<\/p>\n The current version of NightOwl does properly fall under the category of “potentially unwanted apps” (PUA, also known as “potentially unwanted programs” or PUP). This is specifically because of the unrelated background functionality of NightOwl that has nothing to do with its stated purpose, and which isn’t perfectly transparent to users.<\/p>\n The app should have informed users\u2014either upon upgrading from a version by the original developer, or upon initial installation\u2014that the app contained functionality designed to earn revenue for the current developer by utilizing the user’s computer and Internet connection. Ideally, this would have been presented to the user in an explanatory dialog box, with the functionality disabled by default, requiring the user to click a checkbox to “opt in” to monetarily support the developer.<\/p>\n If the developer really wanted some kind of payment from its users, another alternative could have been to switch the app to a paid model, or a “freemium” model that offered additional features with a paid upgrade.<\/p>\n Defaulting to behavior such as Internet connectivity sharing, cryptocurrency mining<\/a>, injecting ads<\/a>, or similar\u2014without verifying that the user understands the implications and can change their mind later\u2014is arguably a less-than-ethical practice. Such behavior often leads to security products detecting an app or some of its components as “potentially unwanted,” as was the case with NightOwl.<\/a><\/p>\n In this case, NightOwl\u2014a popular and perfectly legitimate app\u2014changed ownership, after which a new owner introduced potentially unwanted changes the end-user was likely not aware of. The app updated and continued to work, so why would users go looking for updated terms of service?<\/p>\n You might recall that back in 2016, a threat actor replaced a legitimate BitTorrent client, Transmission, with a modified version<\/a> on the company’s official servers. Users who updated the app during that time wound up with their Macs infected with malware. Five months later, the same thing happened again<\/a>; the same legitimate app was compromised by a threat actor twice in the same year.<\/p>\n The stories of NightOwl and Transmission are very different in terms of both who was responsible for the apps’ changes and the level of potential harm imposed by those changes. However, both stories are similar in that users downloaded an app that was supposed to be safe based on past experience, but it turned out to have been modified with unexpected and undesirable functionality.<\/p>\n In May of this year, we reported<\/a> on the Intego Mac Podcast<\/a> that nearly three dozen browser extensions in the Chrome Web Store contained search-hijacking code. Some of the extensions had contained that unadvertised malicious functionality for nearly two years before Wladimir Palant blogged about the problem<\/a>, and Google finally took them down. But in the mean time, those 34 extensions had amassed 87 million users.<\/p>\n Intego’s Chief Security Analyst, Josh Long, pointed out on the podcast that sometimes this sort of thing happens “when a developer stops working on an extension or app, [and] someone else comes along and offers the developer a bunch of money and says, ‘Here, I\u2019ll take over development.’ And then they start developing it and add malicious things to it.” While it’s unclear whether that may have been the case with the 34 Chrome extensions, it has certainly happened before, and will inevitably happen again\u2014quite possibly with other Mac apps<\/strong>.<\/p>\n In fact, just days ago, the developer of a Chrome extension with 300,000 users spoke out about having received more than 130 solicitations to “monetize” his extension<\/a><\/strong>. If cybercriminals can find a way to infect or exploit hundreds of thousands of users at once, wouldn’t you expect them to at least try? And wouldn’t you expect that some developer, at some point, will take the bait, perhaps not fully understanding what they’re getting into? This is a serious problem, and it’s not going away anytime soon.<\/a><\/p>\n\n
\n
\n
\n
What is NightOwl?<\/h3>\n
What events led to Robinson’s blog post in June?<\/h3>\n
Does NightOwl really join Macs to a botnet?<\/h3>\n
What is a botnet?<\/strong><\/h4>\n
Does NightOwl include bot-like functionality?<\/strong><\/h4>\n
What other behavior does NightOwl engage in?<\/strong><\/h4>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2023\/08\/NightOwl-download-pop-up-original.png\")
<\/p>\nResidential proxy services could get you into trouble with the law<\/strong><\/h4>\n
Why is this suddenly a hot topic in August?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2023\/08\/NightOwl-download-pop-up-not-available.png\")
<\/p>\nWhat does NightOwl’s original developer think about the situation?<\/h3>\n
What does NightOwl’s current developer have to say?<\/h3>\n
The developer disputes some of Robinson’s claims<\/strong><\/h4>\n
The developer’s plans moving forward<\/strong><\/h4>\n
Will monetization functionality be opt-in, or opt-out?<\/strong><\/h4>\n
Additional Q&A with the current NightOwl developer<\/strong><\/h4>\n
\nA.\u00a0<\/strong>We will add more clarity around our monetization practices.<\/p>\n
\nA.\u00a0<\/strong>Yes, definitely. That has already been addressed if we were allowed to push an update.<\/p>\n
\nA.<\/strong> We have taken several painful lessons from this experience that we will use to try and improve our practices and communication with our customers.<\/p>\nIs NightOwl malware, a PUA, or something else?<\/h3>\n
A cautionary tale: good apps can take a turn for the worse<\/h3>\n