Question: "com.apple.fonts" popup

Anytime that I open up an application I always get a popup prompt that reads


"com.apple.fonts" wants access to control [Application Name]. Allowing control will provide access to documents and data in [Application Name], and to perform actions within that app.


It's starting to get really annoying and I have looked everywhere online for solutions on how to get rid of this popup, but I have had absolutely no luck.


Any help would be greatly appreciated!!!

MacBook Pro with Retina display, macOS Mojave (10.14)

Sep 28, 2018 5:56 PM in response to j2529

Happening here as well. Called Apple support and spoke to a Senior Advisor who witnessed the problem through taking control of my screen. He then escalated the problem to engineering. Sent them my Capture Data info and am waiting to hear back. Interesting to note that the problem doesn't happen if I create a new test Admin account and login to that.

Sep 28, 2018 6:04 PM in response to j2529

A Safe Mode boot deletes system caches that might help ...



To start up in safe mode:


  1. Start or restart your Mac, then immediately press and hold the Shift key. The Apple logo appears on your display. If you don't see the Apple logo, learn what to do.
  2. Release the Shift key when you see the login window. If your startup disk is encrypted with FileVault.


To leave safe mode, restart your Mac without pressing any keys during startup.




Use safe mode to isolate issues with your Mac - Apple Support

Sep 29, 2018 8:40 AM in response to Gabriel of Toronto

That was a great suggestion. I created a test Admin account, logged into that, searched for "com.apple.fonts" and deleted it then logged back into my main account and the problem was gone. Hope it doesn't cause any other problems in the system, although I remember the Senior Advisor asking me to delete the file anyway, so it should be all good.

Sep 29, 2018 10:53 AM in response to Gabriel of Toronto

I've tried deleting it straight up off my computer, but every time that I try and move it to the trash it will not let me because it says that it is running.


Tried creating a test Admin account and get rid of it that way, but the problem popped up there too and not able to do anything.



Edit: I just went into the test Admin account again, renamed the file and then I was able to delete it.


Now the problem of the popup is gone on my main account. Fingers crossed it stays gone for good.

Oct 4, 2018 5:01 PM in response to j2529

I'm in the middle of helping a friend with this issue, and I think I have arrived at a disturbing conclusion: I think it's a covert key logger. If you look inside the com.apple.fonts.app bundle, the info.plist file contains this URL: http://www.widestep.com/fdbck/emailstore/submit.php?application=EliteKeyloggerMac


First, in Terminal, run:

sudo rm /Library/LaunchAgents/com.apple.fonts.plist


Then, if the com.apple.fonts.plist process is still running, kill it in Activity Monitor or terminal.


And of course, run an anti-malware tool, and assume you've been compromised and change passwords.

Oct 4, 2018 5:31 PM in response to Antonio Tejada

Inside the com.apple.fonts application bundle, there's a log file indicating regular screenshots and web history parsing — but in my friend's case, only in 2014. I don't know whether it succeeded in uploading anything. There's also a large binary file of unknown contents.

Oct 5, 2018 3:09 AM in response to Antonio Tejada

I found the same thing - looks like a keylogger. Sophos picked it up and removed it for me.


As for the large file inside (binary.dat), it had a MIME type of image/jpeg so I renamed to jpg and found it was a screenshot...from 2014.


I cannot see any queries being made to the domain in question when looking at DNS and firewall logs, so not sure on whether it was active or not.
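
The two indicators reported in the replies above (a `com.apple.*` launch agent installed in `/Library/LaunchAgents` rather than the system location, and a non-Apple URL inside the bundle's Info.plist) can be checked with a short script. This is an added example, not part of the original thread; the `/System/Library` rule is a heuristic assumption, and `build_sample`, the `FeedbackURL` key and the `collector.example.invalid` host are constructed for the demo.

```python
import plistlib, re, tempfile
from pathlib import Path
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def strings_in(obj):
    """Yield every string nested anywhere in a parsed plist."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from strings_in(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from strings_in(value)

def audit_agent(plist_path):
    """Return a list of findings for one launchd job definition."""
    plist_path = Path(plist_path)
    job = plistlib.loads(plist_path.read_bytes())
    label = job.get("Label", "")
    program = job.get("Program") or (job.get("ProgramArguments") or [""])[0]
    findings = []
    # Heuristic (assumption): jobs shipped with macOS live under /System/Library.
    if label.startswith("com.apple.") and "/System/Library/" not in plist_path.as_posix():
        findings.append(f"label {label} claims Apple namespace outside /System/Library")
    # Walk up from the executable to its enclosing .app bundle, if there is one.
    bundle = next((p for p in Path(program).parents if p.suffix == ".app"), None)
    info = bundle / "Contents" / "Info.plist" if bundle else None
    if info and info.is_file():
        for text in strings_in(plistlib.loads(info.read_bytes())):
            for url in URL_RE.findall(text):
                host = urlsplit(url).hostname or ""
                if host != "apple.com" and not host.endswith(".apple.com"):
                    findings.append(f"{bundle.name} Info.plist embeds URL host {host}")
    return findings

def build_sample(root, agents_dir, label, url):
    """Write a constructed agent plist and app bundle under root; return the plist path."""
    contents = Path(root) / "Apps" / f"{label}.app" / "Contents"
    (contents / "MacOS").mkdir(parents=True, exist_ok=True)
    info = {"CFBundleIdentifier": label, "FeedbackURL": url}  # FeedbackURL: constructed key
    (contents / "Info.plist").write_bytes(plistlib.dumps(info))
    agents = Path(root) / agents_dir
    agents.mkdir(parents=True, exist_ok=True)
    job = {"Label": label, "Program": str(contents / "MacOS" / "agent"), "RunAtLoad": True}
    (agents / f"{label}.plist").write_bytes(plistlib.dumps(job))
    return agents / f"{label}.plist"
```

On a real Mac, call `audit_agent` on each file in `/Library/LaunchAgents` and `~/Library/LaunchAgents` and treat any finding as a lead to investigate, not a verdict.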