Security Screen-Capture – Investigating Random Shutter Sound

malwarescreen captureSecurityvirus

Every once in a while I hear a loud sound from my Mac. It sounds like either a camera shutter or a keychain lock/unlock. It all started a couple of weeks ago.

I fear something is snapping shots of my screen and beaming them somewhere.

I've scoured Google and found others have experienced the same issue. Based on suggestions, I've installed 2 Anti Virus apps (one at a time, of course), scanned my computer, and found nothing; checked Activity Monitor for unknown processes – none I could identify; looked at all the regular places (~/Library/LaunchDaemons, ~/Library/LaunchAgents, /Library/LaunchAgents) – didn't see anything out of the ordinary.

What am I missing, what else should I try, or am I just overreacting and there's a simple answer?

Best Answer

Your search for the origin of this sound may progress on 2 paths: which application produces it and which sound is it.

Which application?

Here is an easy way to control if this sound is coming from a standard screen capture.

Type the following command twice:

ls -lu /usr/bin/screencapture

First, whenever you want. Next time, just after you heard the shutter sound.

This command will display you the time when this command was last run.

Which sound?

Quick identification

Here is a 1st attempt to be sure of which sound is used. You can't try to recognize a sound by firing an application and trying all the sound it can produce with its graphical interface.

The only practical approach is to use fast command lines just after you heard your unsolicited sound. Open a Terminal or xterm window and enter as is these 4 lines of command defining short name functions to test 4 approaching sounds:

shutter() { afplay '/System/Library/Components/CoreAudio.component/Contents/Resources/CoreAudioAUUI.bundle/Contents/Resources/Grab.aif' ; }
lock() { afplay '/System/Library/Frameworks/SecurityInterface.framework/Versions/A/Resources/lockClosing.aif' ; }
unlock() { afplay '/System/Library/Frameworks/SecurityInterface.framework/Versions/A/Resources/lockOpening.aif' ; }
safe() { afplay '/System/Library/Components/CoreAudio.component/Contents/Resources/CoreAudioAUUI.bundle/Contents/Resources/Sticky Keys Locked.aif' ; }

On Mountain Lion, these sounds have moved. Then these functions have to be defined with:

shutter() { afplay '/System/Library/Components/CoreAudio.component/Contents/SharedSupport/SystemSounds/system/Grab.aif' ; }
lock() { afplay '/System/Library/Frameworks/SecurityInterface.framework/Versions/A/Resources/lockClosing.aif' ; }
unlock() { afplay '/System/Library/Frameworks/SecurityInterface.framework/Versions/A/Resources/lockOpening.aif' ; }
safe() { afplay '/System/Library/Components/CoreAudio.component/Contents/SharedSupport/SystemSounds/accessibility/Sticky Keys Locked.aif' ; }

Keep this window open, and as soon as you hear the unsolicited sound, fire these four commands in turn to hear which one was played:

shutter
lock
unlock
safe

Next, to be sure, you can once more verify the access time of the identified sound file with the -lu options of ls. For example, you can confirm that the lock sound was played with:

ls -lu '/System/Library/Frameworks/SecurityInterface.framework/Versions/A/Resources/lockClosing.aif'

Deep search

If this quick approach fails, here is a command to identify the file which was used by the system to play a sound within the preceding hour (-atime -1h):

find /Library /System/Library \( -type d \( -name "iTunes" -o -name "GarageBand" -o -name "Apple Loops" \) -prune \) -o \( \( -name "*.aif*" -o -name "*.wav*" -o -name "*.m4a*" \) -atime -1h -exec ls -luT {} \; \) 2>/dev/null

If this command doesn't report anything, the next step will be to run the same deep search within your HOME directory:

find ${HOME} \( -type d -name "iTunes" -prune \) -o \( \( -name "*.aif*" -o -name "*.wav*" -o -name "*.m4a*" \) -atime -1h -exec ls -luT {} \; \) 2>/dev/null
Related Question