- Do Macs get attacked by viruses and malware?
- How does Apple protect my Mac from malware?
- Examples of Mac malware
- How does Apple discover security vulnerabilities?
- Do I need antivirus software for my Mac?
- How to avoid malware by keeping macOS up-to-date
- How to protect your Mac from malware
Do Macs get viruses? Do Macs need antivirus software? The short answers are yes (and no), and yes (and no). In this article we look at the dangers faced by Mac users, and the pros and cons of using Mac antivirus software.
The Mac is generally considered to be safe and secure, and there are a number of reasons why Macs are considered more secure than PCs. Malware writers are less likely to target Mac users because of the perception that it has a far smaller market share than Windows. There is also the fact that the Mac operating system is Unix-based, and Unix offers a number of security features built in.
In addition, Apple has included a number of security measures that make attacking a Mac particularly challenging. These include Gatekeeper, which blocks any software that hasn't been digitally signed and approved by Apple from running on your Mac without your agreement.
However, there are still risks, and from time to time Macs have become targets. In fact a report has recently claimed that 2017 has seen a 230% rise in Mac malware. The report, by Malwarebytes, also said that the App Store for Mac is being overrun by scam software, a previously relatively small issue.
This is one of several in-depth Macworld articles dealing with Mac security. If you're looking for AV buying advice, read our roundup of the Best Mac antivirus; general advice can be found in our Mac security tips; and those who have been hit by a malware attack should try How to remove Mac viruses and How to remove Mac ransomware.
Do Macs get attacked by viruses and malware?
Yes, they do. Numerous Mac viruses and Mac-specific attacks have been documented.
But let's be clear, first of all, that Macs are indisputably more secure than Windows PCs. The Mac operating system is Unix-based, and Unix offers a number of security features built in, like the way that executable code and data are stored in separate folders. (This is why deleting an app on a Mac is so simple.) In addition, Apple has included a number of security measures that make attacking a Mac particularly challenging, including Gatekeeper, which blocks any software that hasn't been digitally signed and approved by Apple. If you try to open an app by a developer that Apple hasn't verified you will see the message: "[This app] can't be opened because it is from an unidentified developer."
Read more about why Macs are safer than PCs here.
Since Macs represent a smaller and more challenging target, it's inevitable that a lot less malware is written for the Mac than for the PC. But there is Mac malware out there, and some of it is dangerous. We'll look at some of the more noteworthy Mac attacks and malware now, but bear in mind when reading about Mac malware that such things are headline news because they are comparatively rare.
How does Apple protect my Mac from malware?
Apple goes to great lengths to protect you from malware by making it as hard as possible for you to download it in the first place. The company has built anti-malware protection into Mac OS X and macOS. For example, before you can open a file your Mac will check it against a list of known malware, and even if there is no reason for concern there, it will not allow you to open an application from a developer that it hasn't already approved.
The Mac's malware scanning tool, XProtect, works invisibly and automatically in the background and requires no user configuration. Apple maintains a list of malicious applications that it checks against when you open downloaded applications. Updates to that list happen invisibly too. This is similar to having antivirus software from another software developer running on your Mac, with the bonus that it is written into the operating system and therefore doesn't hamper the speed of your Mac.
If you download and try to open files contaminated with malware, you may see an explicit warning that the files will "damage your computer", along with a reference to the type of malware. You should delete the file immediately.
In addition, macOS blocks downloaded software that hasn't been digitally signed - a process in which Apple approves the developer. This leads to the familiar error message when you try to use or install unsigned software: "[this app] can't be opened because it is from an unidentified developer."
The system at work here is called Gatekeeper and can be controlled via the Security & Privacy section of System Preferences - select the General tab and choose from the options underneath Allow Applications Downloaded From. To turn it off, click Anywhere.
Setting this option to Mac App Store and Identified Developers is the best plan. All software downloaded via the App Store is signed, so you'll only see Gatekeeper warnings with a minority of apps you've downloaded manually. You can bypass its protection when needed - assuming you're sure an app or installation package is safe, just hold down Ctrl, then click it and select Open. This will mark it as being trusted.
Software that is approved by Apple is also sandboxed, which means apps do only what they're intended to do. App sandboxing isolates apps from the critical system components of your Mac, your data and your other apps, so they shouldn't be able to access anything that could allow them to do any damage.
There's also anti-phishing technology in Safari that will detect fraudulent websites. It will disable the page and display an alert warning you if you visit a suspect website.
You'll also notice that plug-ins such as Adobe Flash Player, Silverlight, QuickTime and Oracle Java won't run if they aren't updated to the latest version - another way of ensuring your Mac is safe.
In addition to Gatekeeper, which should keep malware off your Mac, FileVault 2 makes sure your data is safe and secure by encrypting it.
Examples of Mac malware
Despite Apple's best efforts, Mac malware does exist; we describe some cases below.
Apple is also sometimes in a race against time to update the list of malware in its XProtect file, leaving the system exposed for a few days. And in the past there have been flaws detected in the OS that could allow access to your Mac, such as the SSL error that meant it was possible for a hacker to access your machine if you were using public WiFi; more on that below.
From time to time you will hear of high-profile trojans, malware and ransomware targeting the Windows world; very rarely is this a threat to Macs. For example, the WannaCry/WannaCrypt ransomware that brought the NHS to its knees in May 2017 was only targeting Windows machines and therefore was no threat to Macs.
Security analysis firm CheckPoint Software Technologies spotted a new OS X malware at the end of April 2017.
Apple rushed to block it.
The macOS Trojan horse appeared to be able to bypass Apple's protections and could hijack all traffic entering and leaving a Mac without the user's knowledge - even traffic on SSL/TLS encrypted connections.
OSX/Dok was even signed with a valid developer certificate (authenticated by Apple), according to CheckPoint's blog post. It is likely that the hackers accessed a legitimate developer's account and used that certificate. Because the malware had a certificate, macOS's Gatekeeper would have recognised the app as legitimate, and therefore not prevented its execution. Apple has since revoked that developer certificate and updated XProtect, its malware signature system.
The attacker could gain access to all victim communication by redirecting traffic through a malicious proxy server, there's more information about how the attack worked here.
OSX/Dok was targeting OS X users via an email phishing campaign. The best way to avoid falling foul of such an attempt in the future is not to respond to emails that require you to enter a password or install anything.
It's thought to be the work of the APT28 cybercrime group, according to Bitdefender.
OSX/Pirrit was apparently hidden in cracked versions of Microsoft Office or Adobe Photoshop found online. It would gain root privileges and create a new account in order to install more software, according to Cybereason researcher Amit Serper in this report.
You'll be asked to click to "remove" the adware, and when you enter your password on your Mac the MacDownloader malware will attempt to transmit data including your Keychain (so that's your usernames, passwords, PINs, credit card numbers) to a remote server.
Luckily the threat seems to be contained for now: the remote server the malware tries to connect to is now offline.
The best way to avoid such attacks is to always check on Adobe's site to see if there is an update to Flash you should be installing.
The MacDownloader malware is thought to have been created by Iranian hackers and was specifically targeted at the US defence industry. It was located on a fake site designed to target the US defence industry (so likely not yourself). In this case the phishing attempt would have been activated via a Flash file, and since Apple has stopped Flash opening by default, again this is unlikely to have affected you.
Word macro virus
PC users have had to contend with macro viruses for a long time. Applications such as Microsoft Word, Excel and PowerPoint allow macro programs to be embedded in documents. When these documents are opened the macros are run automatically, which can cause problems.
Mac versions of these programs haven't had an issue with malware concealed in macros because when Apple released Office for Mac 2008 it removed macro support. However, the 2011 version of Office reintroduced macros, and there has now been malware discovered in a Word macro, in a Word doc about Trump.
If the file is opened with macros enabled (which doesn't happen by default), it will attempt to run Python code that could theoretically perform functions such as keylogging and taking screenshots. It could even access a webcam. The chance of you being infected in this way is very small, unless you have received and opened the file referred to (which would surprise us), but the point is that Mac users have been targeted in this way.
Mac users should still be fairly safe from macros thanks to a warning that appears on screen should a user attempt to open a document containing macros.
According to a report in January, the Fruitfly malware had been conducting surveillance on targeted networks for possibly two years.
The malware captures screenshots and webcam images, as well as looking for information about the devices connected to the same network - and then connects to them.
Malwarebytes claims the malware could have been circulating since OS X Yosemite was released in 2014.
Apple is already detecting Fruitfly via its own built-in anti-malware tool. Apple keeps all the malware definitions in its XProtect file, which sits on your Mac, and every time you download a new application it checks that none of those definitions are present. This is part of Apple's Gatekeeper software, which blocks apps created by malware developers and verifies that apps haven't been tampered with.
KeRanger is ransomware. Ransomware is, in general, a sub-category of malware that involves dodgy software sneaking itself on to your computer and then encrypting files against your wishes. You'll then be left with two apparent options: never be able to access those files again, or pay the 'ransom' to decrypt them. (Ransomware is one of the terms defined in our Apple jargon buster.)
For a long time ransomware was a problem that Mac owners didn't have to worry about, but March 2016 saw the appearance of the first ever piece of Mac ransomware, KeRanger, distributed along with a version of a piece of legitimate software: the Transmission torrent client. Transmission has since updated to remove this malware (and Apple has taken steps of its own), but not before a number of unlucky users got stung.
The KeRanger attack runs from a file named OSX.KeRanger.A. The KeRanger file somehow snuck itself into the Transmission 2.90 update and would be installed alongside it. If you were unlucky enough to have downloaded and run Transmission 2.90, you would also run the KeRanger file.
Chances are you are safe, even if you do use Transmission: the KeRanger file would only have been present in the download on the Transmission website between 4 and 5 March.
Apple has since revoked the Gatekeeper signature and updated its XProtect system (part of File Quarantine) to block KeRanger.
But if you are using Transmission, you must upgrade to the latest version, Transmission 2.92, immediately. You'll find more information about KeRanger on the Transmission website.
Palo Alto Networks' Claud Xiao and Jin Chen explain how KeRanger works:
"The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple's Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to be still under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.
"Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4. Apple has since revoked the abused certificate and updated XProtect antivirus signature, and Transmission Project has removed the malicious installers from its website. Palo Alto Networks has also updated URL filtering and Threat Prevention to stop KeRanger from impacting systems."
If you want to make sure you don't get caught out by KeRanger - and how to remove a range of other malware attacks - read How to remove Mac malware, viruses and ransomware for free.
In November 2016, and accelerating into the New Year, the security company Malwarebytes started documenting Mac-targeted denial-of-service attacks originating from a fake tech support website.
Like many Mac-targeted attacks, it depends on 'social engineering' or user error: you click a link in an email, and the malware is smuggled on to your Mac. This then triggers the attack.
There are two versions of the attack; the one you get depends on your version of macOS. Either Mail is hijacked and forced to create vast numbers of draft emails, or iTunes is forced to open multiple times. Either way, the end goal is to overload system memory and force a shutdown or system freeze.
Screenshot courtesy of Malwarebytes
(In fact, the real end goal is to get you to call a bogus Apple support number, whereupon you will presumably get charged to hear a fake solution by the people who caused the problem in the first place.)
You can avoid this issue, fortunately, by updating macOS: Malwarebytes suspects that Sierra 10.12.2 includes a patch for this, since up-to-date machines were not affected by the problem in testing.
SSL 'gotofail' error
This caused issues for Mac users back in 2014. The problem was with Apple's implementation of a basic encryption feature that shields data from snooping. Most websites handling sensitive personal data use SSL (Secure Sockets Layer) or TLS (Transport Layer Security), which establishes an encrypted connection between a server and a person's computer so that snoopers cannot read the traffic and extract information like credit card numbers or log-in credentials. If an attacker intercepts the data, it is unreadable.
However, Apple's implementation of SSL had a coding error that bypassed a key validation step in the web protocol for secure communications. There was a duplicated 'goto fail' statement in the code that validated SSL connections, so the remaining verification step was skipped, and as a result communications sent over unsecured Wi-Fi hot spots could be intercepted and read while unencrypted. This could potentially expose user passwords, bank data and other sensitive data to hackers via man-in-the-middle attacks. Criminals could also supply fake data that makes it appear an authentic web service has been cryptographically verified.
This kind of attack is known as a man-in-the-middle attack. It is a form of eavesdropping in which a hacker makes an independent connection between a client and its destination server. The hacker is then able to relay messages between them, making the client and server believe they are talking to each other over a private connection.
In order for this type of attack to be possible, the attacker would have to be on the same public network.
Apple quickly issued an update to iOS 7 and iOS 6, but took longer to issue an update for Mac OS X, despite Apple confirming that the same SSL/TLS security flaw was also present in OS X. Read more about the iPad and iPhone security flaw here.
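The following is an added example, not code from the article or from Apple: a stripped-down C model of the gotofail pattern described above. The hash steps are stubs, the function and error names other than the real Secure Transport status codes are hypothetical, and the only step that can actually fail is the signature check, which is exactly the step the stray line skips. The buggy version is shown beside a fixed one.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Apple's code: a model of the Secure Transport
 * "goto fail" bug. Hash steps are stubs that always succeed; the
 * signature check is the only step that can fail. */

typedef int OSStatus;
enum { errSecSuccess = 0, errSSLCrypto = -9809 }; /* real Secure Transport codes */

/* Stub hash update: in the real code these steps feed SHA-1. */
static OSStatus hash_update(const char *label) { (void)label; return errSecSuccess; }

/* Stub signature check: succeeds only for the one expected value. */
static OSStatus verify_signature(const char *signature) {
    return strcmp(signature, "good-signature") == 0 ? errSecSuccess : errSSLCrypto;
}

/* Buggy version: the second "goto fail;" is indented like an if-body but is
 * unconditional, so control jumps to fail: with err still 0 (success)
 * before verify_signature() is ever called. */
OSStatus verify_server_key_exchange_buggy(const char *signature) {
    OSStatus err;
    if ((err = hash_update("clientRandom")) != 0)
        goto fail;
    if ((err = hash_update("serverRandom")) != 0)
        goto fail;
    if ((err = hash_update("signedParams")) != 0)
        goto fail;
        goto fail;   /* the stray duplicated line */
    if ((err = verify_signature(signature)) != 0)
        goto fail;
fail:
    /* cleanup of hash state and buffers would happen here */
    return err;      /* with a forged signature this still returns 0 */
}

/* Fixed version: stray line removed, and every branch braced so that an
 * unconditional statement can no longer hide behind indentation. */
OSStatus verify_server_key_exchange_fixed(const char *signature) {
    OSStatus err;
    if ((err = hash_update("clientRandom")) != 0) { goto fail; }
    if ((err = hash_update("serverRandom")) != 0) { goto fail; }
    if ((err = hash_update("signedParams")) != 0) { goto fail; }
    if ((err = verify_signature(signature)) != 0) { goto fail; }
fail:
    return err;
}

int main(void) {
    const char *forged = "forged-signature";  /* constructed sample input */
    printf("buggy: %d\n", verify_server_key_exchange_buggy(forged));  /* 0 */
    printf("fixed: %d\n", verify_server_key_exchange_fixed(forged));  /* -9809 */
    return 0;
}
```

Build it with `cc -Wall -Wextra gotofail.c` and run it: the buggy routine accepts the forged signature as valid, the fixed one rejects it. Recent versions of GCC and Clang flag the indented stray line with a misleading-indentation warning, and the fix's braces on every branch are the coding-style defence against this class of mistake.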
Apple said it had a fix ready for OS X and would release it "very soon". The fix came late the following night.
Touch Bar hacks
At the 2017 Pwn2Own hacking contest, Samuel Groß and Niklas Baumstark were able to hijack the Touch Bar display on a 2016 MacBook Pro through a flaw in Safari which allowed them to gain root control of macOS.
It probably isn't worth worrying about - any hacker who has access to your Mac and the skills which would let them break into the Touch Bar can do a lot more damage than displaying a funny message, and Apple will plug the flaw in a software update - but it's an interesting and impressive demonstration.
How does Apple discover security vulnerabilities?
Apple has an incentive programme that rewards such discoveries with payments of up to $200,000, depending on the seriousness of the flaw. But it was the last major tech company to set up such a scheme. (Microsoft set up its own bug-reporting incentive programme in 2013, and was itself criticised at the time for leaving it so late.)
On 4 August 2016, Apple security boss Ivan Krstic announced the Apple Security Bounty Program. "We've had great help from researchers in improving iOS security all along," Krstic said. "[But] we've heard pretty consistently... that it's getting increasingly difficult to find some of those most critical types of security vulnerabilities. So the Apple Security Bounty Program is going to reward researchers who actually share critical vulnerabilities with Apple."
The top reward is $200,000, given to those who discover vulnerabilities in Apple's secure boot firmware components; for less critical flaws the bounties drop through a series of smaller figures to a bottom tier of $25,000. Wired has the details.
We imagine most Mac users will be pleased to hear that Apple has finally launched an incentive programme to encourage more widespread reporting of its vulnerabilities. Incentivising security researchers to let Apple know about a flaw instead of passing it on to hackers (which may still, sadly, be more lucrative) makes Apple products safer for everyone.
Do I need antivirus software for my Mac?
It's certainly not an essential requirement to install antivirus software on your Mac. Apple does a pretty good job of keeping on top of vulnerabilities and exploits, and the macOS updates that will protect your Mac will be pushed out over auto-update very quickly.
However, sometimes Apple doesn't respond as quickly as Mac users might hope. In that case there are some free anti-virus apps that might give you some peace of mind.
Sophos Anti-Virus for Mac Home Edition offers always-on virus protection for free, meaning that the app sits in the background and immediately alerts you should an infection take place.
If you would like anti-virus software on your Mac, we look at the best options in our Best Mac antivirus software group test.
Should I install MacKeeper?
Whether Macs need an antivirus is still open to debate, but increasing numbers of Mac owners feel the need to install one - so much so that in 2011 one of the biggest Mac malware infections was via a fake antivirus app called MacDefender.
Another Mac antivirus company that is often thought of as unscrupulous is MacKeeper. There are various reports that suggest it is a scam or at worst malware. However, according to reports MacKeeper is not a scam, but unfortunately its aggressive advertising leads many to believe that it is, and perhaps it is unfortunately named (too similar to the fake antivirus app above). There are also complaints that it is difficult to uninstall.
How to avoid malware by keeping macOS up-to-date
Keeping your Mac software up to date is the best way to protect against malware, although sometimes, albeit rarely, a software update can lead to vulnerabilities.
For example, Apple issued a patch for the gotofail bug in an update to OS X Mavericks. Mac users running Mavericks were advised to update to OS X 10.9.2. Apple updates the Mac operating system yearly, so Mac OS X Mavericks has since been replaced by macOS Sierra, but checking regularly for OS updates remains a key part of a sound security strategy.
The 460MB-860MB update (depending on your system) patched the vulnerability along with 32 other vulnerabilities in Mac OS X. These vulnerabilities include six in QuickTime and four that could be used to bypass sandboxing. Sandboxing - a requirement for all apps sold in the Mac App Store - restricts apps from accessing files and data in other apps, as well as other network resources, protecting the user.
Along with the vulnerability patches in OS X 10.9.2, Apple also provided several non-security fixes to deal with reliability, stability and performance issues, as well as a few that beefed up some integrated features and tools.
Check if your system is up to date by clicking on the Apple logo in the top left of the menu bar. Then click About This Mac.
How to update your Mac software
If you are running an older version of the Mac OS, head to the Mac App Store and click on the Updates tab. Wait while your Mac searches for updates. You may have to wait a couple of minutes before the new update shows up.
Once the update appears, click Update.
You will need to restart your computer once the update has downloaded. You can expect a typical 460MB download to take about 8 minutes (during which time you will still be able to work) but for a large update you will have to restart and install and that could take as much as 20 minutes, bringing the total install time to about 25 minutes in total.
For our in-depth guide to updating Mac operating systems, see How to update macOS.
How to get updates automatically
macOS can update automatically in the background - both system updates and any apps installed via the App Store. Bearing in mind hackers have been known to exploit bugs that get fixed via updates, enabling this feature is a good idea and can be done by opening System Preferences, then clicking the App Store icon. Ensure there's a check alongside Automatically Check for Updates, and tick the three boxes beneath, which will enable downloading and installation of updates.
Some updates might require a reboot, in which case you'll see a notification message telling you so. To view which updates have been applied recently, open the App Store app, then click the Updates icon.
I can't update my Mac - is my Mac safe?
As in iOS, the Mac OS X Mavericks flaw is limited to SSL connections over unsecured Wi-Fi networks, in Safari (Firefox, Chrome and other browsers are said to be secure.) However, other Apple and non-Apple applications are said to be affected, including Apple's Mail, FaceTime, Calendar, Keynote, and iBooks. Third-party applications, such as the desktop Twitter application and possibly VPN (virtual private network) connections, are also said to be affected, depending on their configurations, according to Ashkan Soltani, an independent privacy and security researcher.
The danger is mitigated somewhat since an attacker must be on the same network as the victim. However, you could be open to attacks if you are using a shared network and someone is snooping on that network. This could be someone in your local Starbucks.
Secured Wi-Fi networks, such as home and business networks with encryption enabled, are not affected.
If you can't yet install Apple's fix here are some tips for using your Mac safely.
1. Don't connect to public Wi-Fi networks.
2. The flaw affects any application on the Mac that uses SSL/TLS, including Safari, messaging apps and even Apple's software update, so avoid using iMessage.
3. Don't use Safari. Use alternative browsers like Chrome and Firefox. Chrome and Firefox are not affected because they use NSS, a different set of cryptographic libraries for client and server communications.
How to protect your Mac from malware
Despite the flaws and attacks described above, Macs are generally a lot safer than PCs. As we mentioned at the beginning of this article, there are a few reasons why Macs are more secure than PCs. One is the simple fact that malware developers are less likely to direct their attention to the Mac because of the perception that it has a far smaller market share than Windows. However, even more significant is the fact that the Mac operating system is Unix-based.
There are a number of safety features built into macOS; for tips on how to use these features to keep your Mac safe from viruses, read our Mac security tips.
However, there are a few things worth doing to make sure you are completely secure when using your Mac.
How to turn on your Mac Firewall
The firewall defends your Mac against unwanted incoming connections from the Internet or other computers on the network.
Check to ensure the firewall's enabled by opening System Preferences and selecting the Security & Privacy option. Click the Firewall tab and ensure it reads Firewall: On. If not, click the Turn On Firewall button. For fine-grained control over which apps are protected, click the Firewall Options button.
Steer clear of browser plug-ins
Recent vulnerabilities with the Java and Flash plug-ins have highlighted the fact that there are cross platform threats that even Mac users need to be aware of. If there's a major malware outbreak exploiting a buggy plug-in, XProtect will automatically disable it until an update is installed. Additionally, Safari in Mavericks lets you control what sites can use individual browser plug-ins. A policy of denying all sites plug-in access is a good one, unless they absolutely can't function without them.
To set permissions, open the Preferences dialog (Cmd+comma) and click the Security icon, then click the Manage Website Settings button. Select the plug-in on the left, then click the dropdown alongside When Visiting Other Websites to set overall permissions, or select the site within the list to set individual permissions.
Avoid installing the Oracle Java Runtime software if you can, but if you have no choice, or you've already installed it in the past, it's a good idea to turn off its browser plug-in. To do so, open Java within System Preferences, click the Security button of the window that appears, and ensure there isn't a tick alongside Enable Java Content In The Browser.
Store passwords online with iCloud Keychain
Keychain is the OS X system tool that remembers usernames and passwords for websites, apps and even system tools like Wi-Fi.
With OS X Mavericks the Keychain data can be backed up to iCloud, and also synced across any iOS 7 devices or Macs running Mavericks. This is clearly useful but raises security concerns. Apple says it uses "industry-standard encryption techniques" to store and transmit this sensitive password data, adding that the data "cannot be read by Apple". Additionally, Apple never co-operates with government collection of data.
iCloud Keychain works in two slightly different ways, depending on whether you configure a security code while setting it up. With a code your Keychain data is backed up in iCloud. If you opt not to create a code, your Keychain data is merely synced across iOS devices and Macs. Backup in iCloud is a good insurance policy against theft of your device(s) or Mac(s).
To set up iCloud Keychain on a Mac, open System Preferences and click the iCloud icon. Put a tick alongside the Keychain box in the list. After entering your Apple ID password (not your Mac login password!), you'll be prompted to enter a 4-digit numeric security code. To avoid doing so, or if you worry a 4-digit PIN isn't enough protection, click the Advanced button. For a stronger passcode consisting of a word, numbers, or even a whole phrase, click Use a Complex Security Code. To avoid a security code entirely, and thereby deactivate iCloud backup of keychain data, click the Don't Create Security Code option.
Once you've entered a security code, you'll be invited to enter a mobile phone number. Additional security codes can be texted to this number should you attempt to recover your iCloud Keychain in future.
To give a new device or Mac access to your Keychain, access iCloud via the Settings app in iOS (or via System Preferences on another Mac), then tap the switch alongside Keychain (or put a tick on the box on the Mac). Then click Approve With Security Code, and type your security code when prompted.
Alternatively, or if you opted not to use a security code, return to the iCloud panel of System Preferences on your Mac to authorise new devices or Macs. This can be done by clicking the Details button alongside the Keychain heading and entering your Apple ID password.
Keep Java and Flash up to date on your Mac
Recent vulnerabilities with Java and Flash have highlighted the fact that there are cross-platform threats that even Mac users need to be aware of. Over the past year Apple has taken to blocking outdated versions of Java and Flash via XProtect. As a result of this you will find that from time to time Flash video and adverts disappear from your browser, and that Java-based tools stop working.
Read more about the Java and Flash vulnerabilities and what they mean to your Mac and what to do to make sure you are safe.
Avoid falling foul of phishing emails
Protect yourself from phishing attacks by not responding to emails that require you to enter a password or install anything.
You could also install free software such as BlockBlock or XFence (formerly Little Flocker). That way, even if you were to carry out the steps to launch the malware, it would not be able to write files or mark itself as launching on startup.