What is Leap and is my Mac infected?

There are numerous Mac-specific threats out there, and Leap is one of them. Today, we’ll explain what it is and, more importantly, how to remove Leap from Mac once and for all. 

What is Leap, and how to remove it from Mac?

Leap — also known as the Oompa-Loompa malware, or OSX/Oomp-A or Leap.A — is an application infection. Originally designed and released into the wild in 2006, it was created to spread over Local Area Networks (LANs). Unlike other viruses, this was created specifically for the Mac operating system.

When the Apple security firm Intego discovered it back in 2006, it was only infecting — or ‘leaping’ — between Macs connected within a LAN, with the infection moving around through the Bonjour protocol. First released in 2002 under a different name, Bonjour is how macOS and iOS users communicate or share images and music using services such as iTunes, iChat, and iMessage.

New versions of Leap have been coming out every few years, evolving as Bonjour and other Apple systems evolve and improve. It has somehow managed to keep pace with the constant iterations and improvements that Mac’s in-built security systems have undergone.


How do I detect an infection?

Unlike other malware infections and worms, Leap relies on the user downloading it in the belief that they’re getting something they want. Unfortunately, this isn’t the case. Hidden behind an Apple image icon is a gzip-compressed tar file called latestpics.tgz.

Within this tar file is the hidden executable. It will then ask for your admin password, thereby giving it a backdoor to your Mac and letting it infect any programs it wants to access as they load, using a system facility called “Apphook.” Once the executable payload is activated, Leap tries to infect other Mac devices through the iChat system, going through the Bonjour protocol to reach other Macs.

However, the good news is that Leap doesn’t delete data, replace files, spy on you or your Mac, or even take control. Leap is a faulty infection, so although it can and does infect Mac devices, it has a bug that prevents it from opening and executing properly. It won’t launch as it should, which means it can’t do much more damage after getting into a Mac.

How to remove Leap: The manual guide

Now the only question is how to remove Leap.

Even though it seems that this worm can’t do anything, the last thing your Mac needs is an infection that could act as a backdoor to other viruses that don’t have the same bug as Leap.

Similar to other viruses, Leap leaves files all over a Mac.

Because we know it uses the system facility, Apphook, to take over applications, it can initially be found in the following locations: /Library/InputManagers/ directory (if run with root permissions) or /InputManagers/ directory (if run as a non-root user). These files then replace Apphook:

apphook/Info

apphook/apphook.bundle/Contents/Info.plist

apphook/apphook.bundle/Contents/MacOS/apphook

Infected files will now have the following attributes replacing the original credentials:

name: oompa

value: loompa

Temporary files are also created in the Applications folder with these names:

/tmp/pic.gz

/tmp/pic

/tmp/latestpics

/tmp/lastespics.tar

/tmp/lastespics.tar.gz

/tmp/lastespics.tgz
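
The locations listed above can be checked without deleting anything. The following read-only shell function is an added example, not part of the original article or of any vendor tool; the `leap_scan` name, its optional root argument, and the choice to look for the oompa attribute on executables under /Applications are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only check for the Leap artifacts listed in this article.
# Prints one line per artifact found and changes nothing on disk.
# The optional root argument is this example's own convention, so the same
# check can be pointed at a mounted backup or disk image.

leap_scan() {
    root="${1:-}"    # empty means the running system

    # Input manager locations and apphook files, verbatim from the article.
    for dir in /Library/InputManagers /InputManagers; do
        for rel in apphook/Info \
                   apphook/apphook.bundle/Contents/Info.plist \
                   apphook/apphook.bundle/Contents/MacOS/apphook; do
            if [ -e "$root$dir/$rel" ]; then
                echo "apphook file: $root$dir/$rel"
            fi
        done
    done

    # Temporary file names, spelled exactly as the article lists them.
    for tmp in /tmp/pic.gz /tmp/pic /tmp/latestpics /tmp/lastespics.tar \
               /tmp/lastespics.tar.gz /tmp/lastespics.tgz; do
        if [ -e "$root$tmp" ]; then
            echo "temp file: $root$tmp"
        fi
    done

    # Infection marker: extended attribute oompa with value loompa.
    # Assumption: the marker sits on main executables of bundles in /Applications.
    if command -v xattr >/dev/null 2>&1; then
        for bin in "$root"/Applications/*.app/Contents/MacOS/*; do
            [ -f "$bin" ] || continue
            if [ "$(xattr -p oompa "$bin" 2>/dev/null)" = "loompa" ]; then
                echo "marked executable: $bin"
            fi
        done
    fi
    return 0
}
```

Call `leap_scan` with no argument to check the running system; empty output means none of the listed artifacts were found.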

Now that you’ve got an idea of where Leap is hiding, you should be able to remove these unwanted files safely. As part of that, you will need to restore the system facility, Apphook, to how it was before the infection. This might mean downloading a new version.

After moving the Leap files and application executables to the trash, it is always a sensible move to restart your Mac. This should restore your Mac to full working order. However, always be careful when doing any of this to make sure you don’t delete anything you need for your Mac to work properly.

How to remove Leap: Safe and easy way

If everything above sounds like too much work, there is another way to remove Leap using CleanMyMac X.

CleanMyMac X can remove dozens of Mac malware, worm, spyware, ransomware, adware, and other infections. It effortlessly improves the performance of your Mac, restoring your computer to a near-brand-new state. Here is how you use CleanMyMac X to delete Leap:

  1. Download CleanMyMac X.
  2. Open the app.
  3. Use the Malware Removal tab.
  4. Click Scan — it will show you any viruses and malware applications.
  5. Click Remove, and they will vanish.

Although Leap apparently doesn’t work, it’s still an infection your Mac doesn’t need, and that could cause other problems if left untreated. One way or another, this malware virus needs to be cleared out of your Mac so that it works effectively.
