"com.apple.fonts" popup

That was a great suggestion. I created a test Admin account, logged into that, searched for "com.apple.fonts" and deleted it then logged back into my main account and the problem was gone. Hope it doesn't cause any other problems in the system, although I remember the Senior Advisor asking me to delete the file anyway, so it should be all good.

Kevin Kliesch wrote:

Forgot to mention that I tried that per the request of the Apple senior rep. Did not experience the problem in safe mode, but then after rebooting back into my main account, the problem was back again.

That indicates that it's some 3rd party software that's causing the problem. Download and run Etrecheck. Copy and paste the results into your reply. Etrecheck is a diagnostic tool that was developed by one of the most respected users here in the ASC and recommended by Apple Support to provide a snapshot of the system and help identify the more obvious culprits that can adversely affect a Mac's performance.

A Safe Mode boot deletes system caches that might help ...

To start up in safe mode:

1. Start or restart your Mac, then immediately press and hold the Shift key. The Apple logo appears on your display. If you don't see the Apple logo, learn what to do.
2. Release the Shift key when you see the login window. If your startup disk is encrypted with FileVault.

To leave safe mode, restart your Mac without pressing any keys during startup.

Use safe mode to isolate issues with your Mac - Apple Support

I'm in the middle of helping a friend with this issue, and I think I have arrived at a disturbing conclusion: I think it's a covert key logger. If you look inside the com.apple.fonts.app bundle, the info.plist file contains this URL: http://www.widestep.com/fdbck/emailstore/submit.php?application=EliteKeyloggerMa c

First, in Terminal, run:

sudo rm /Library/LaunchAgents/com.apple.fonts.plist

Then, if the com.apple.fonts.plist process is still running, kill it in Activity Monitor or terminal.

And of course, run an anti-malware tool, and assume you've been compromised and change passwords.

I found the same thing - looks like a keylogger. Sophos picked it up and removed it for me.

As for the large file inside (binary.dat), it had a MIME type of image/jpeg so i renamed to jpg and found it was a screenshot...from 2014.

I cannot see any queries being made to the domain in question when looking at DNS and firewall logs, so not sure on whether it was active or not.

Could the file "com.apple.fonts" just be straight up deleted from your computer? I've tried that a couple of days ago with no issue and everything seems to be back to normal so far.

Other users in com.apple.fonts.app alert keeps popping up after Mojave install reported success with Malwarebytes and Sophos. Somewhere else I saw reference to Intego.

Happening here as well. Called Apple support and spoke to a Senior Advisor who witnessed the problem through taking control of my screen. He then escalated the problem to engineering. Sent them my Capture Data info and am waiting to hear back. Interesting to note that the problem doesn't happen if I create a new test Admin account and login to that.

It’s not a bug in the OS. It’s malware (a key logger) attempting to gain access to the input to every single application that’s running. Somewhere in the replies I have instructions on how to remove it.

Hello Gabriel of Toronto

Get Malwarebytes,and make a test?

Its a good Malware Tool!

Regards Claus.

It’s confirmed that this is malware. Somewhere in the replies I describe how to remove it.

I have the same problem since I installed Mojave. It's sad that Apple didn't answered nor said they are investigating this problem yet. It appears each time I launch an App. If I close the App and relaunch it, it happens again.

Forgot to mention that I tried that per the request of the Apple senior rep. Did not experience the problem in safe mode, but then after rebooting back into my main account, the problem was back again.

Inside the com.apple.fonts application bundle, there's a log file indicating regular screenshots and web history parsing — but in my friend's case, only in 2014. I don't know whether it succeeded in uploading anything. There's also a large binary file of unknown contents.