- What are the latest Mac viruses and threats?
- How Apple protects your Mac from malware
- When Apple's security measures aren't enough...
- How Apple responds to security threats
- How to keep your Mac safe from malware
- Is antivirus software necessary for a Mac?
- How to tell if my Mac is infected
Do Macs get viruses? Do Macs need antivirus software? The answer isn't as simple as it may seem. In this article, we look at the dangers faced by Mac users and the pros and cons of using Mac antivirus software.
The Mac has historically been considered safe and secure for a number of reasons, but in recent years that has shifted considerably. In fact, in its State of Malware report, Malwarebytes said it saw a "significant rise in the overall prevalence of Mac threats in 2019, with an increase of over 400 percent from 2018".
Malwarebytes added that: "Mac detections per endpoint increased from 4.8 in 2018 to a whopping 11.0 in 2019, a figure that is nearly double the same statistic for Windows. This means that the average number of threats detected on a Mac is not only on the rise, but has surpassed Windows".
According to the Malwarebytes report, of the top 25 threat detections in 2019, six were Mac threats, and two of those broke into the top five. The number two malware threat across all platforms was Mac adware known as NewTab.
So should Mac users start panicking now? To some extent there is reason for concern, but there are measures put in place by Apple at the operating system level that should protect Mac users from the worst malware threats. As we will discuss below, the Mac remains pretty secure thanks to a number of built-in security features that make attacking a Mac particularly challenging. These include Gatekeeper, which blocks software that hasn't been digitally approved by Apple from running on your Mac without your agreement. More on those security features below.
However, the menace right now appears to be adware and potentially unwanted programs (PUPs), according to Malwarebytes, which suggests that: "macOS' built-in security systems have not cracked down on adware and PUPs to the same degree that they have malware, leaving the door open for these borderline programs to infiltrate".
That said, Malwarebytes does explain that, due to the bad reputations of so-called 'cleaning' apps such as MacKeeper and MacBooster, the number of Macs affected by those PUPs fell in 2019 compared to 2018. So it seems that people are at least wising up to these dodgy programs.
However, there is also the threat of malware designed to gain access to cryptocurrency, phishing attacks that come via email, adware that infiltrates your web browser, and other concerns. We will examine some of these below.
You might also want to read about issues with Thunderbolt which are discussed in this article: How to protect your Mac from the Thunderbolt security flaw.
Why is the threat to the Mac growing? One reason is the growing popularity of the platform, both with consumers and with those who wish to target the Mac. In the past, Mac users were less vulnerable to malware because there were far more PCs and therefore PCs were a more lucrative target.
With the increased interest in the Mac from malware distributors, are the built-in protections in macOS enough, or should you install antivirus software on your Mac? Or is it too late, and is your Mac already infected? Find out how to tell if you have a virus on your Mac below. You can also go straight to our reviews of the best Mac antivirus software.
What are the latest Mac viruses and threats?
There are various ongoing threats to those using a Mac, including phishing attacks, fake malware, adware, browser hijackers, and more. Of those, the one making the biggest impact is the Shlayer Trojan, which hit 10 percent of the Macs monitored by Kaspersky in 2019, according to that company. (It's not a new threat, though, having been around since February 2018.)
OSX/Shlayer (also known as Crossrider) is a variant of adware that infects Macs via a fake Adobe Flash Player installer. The fake Flash Player, which you would have to pick up from a BitTorrent site, according to Intego, installs various apps on your Mac, including: Chumsearch Safari Extension, Advanced Mac Cleaner, MyShopCoupon+, mediaDownloader, and MyMacUpdater.
Newer, but no less damaging, threats include OSX/Newtab, which appeared in December 2018. According to Malwarebytes this is part of an "adware family that attempts to redirect searches in the web browser for the purpose of earning illicit affiliate revenue." Malwarebytes says that it is "often spread through fake flight or package tracking pages, fake maps, or fake directions pages". This threat attempted to add tabs to Safari and was digitally signed with a registered Apple Developer ID. Apple has since changed the way extensions work in Safari so it is no longer able to infiltrate Safari - but it is still a risk for Chrome users.
Other Mac threats in 2019 included:
- OSX/CrescentCore: This Mac malware was available to download from several websites, and even showed up in Google search results. It was disguised as a DMG file of the Adobe Flash Player installer but would actually install either a file called LaunchAgent, an app called Advanced Mac Cleaner, or a Safari extension. Before installing anything the malware would check whether there was an antivirus tool installed on the Mac. The CrescentCore malware was able to bypass Apple's Gatekeeper because it was 'signed' by a known developer.
- OSX/Linker: First appeared in May 2019 and exploited a zero-day vulnerability in Gatekeeper to install unsigned malware.
- LoudMiner or Bird Miner: A cryptocurrency miner hidden in a cracked installer for Ableton Live.
- NetWire and Mokes: Firefox-related malware that targeted those using cryptocurrencies. They also bypassed Gatekeeper.
There are many more threats out there and we have a complete list of all the Mac viruses, malware and security flaws that have hit the operating system here.
The best way to protect yourself from the above threats is not to allow the installation of third-party software unless it's from the App Store or identified developers, as per the Security & Privacy settings that you can access in System Preferences > Security & Privacy > General. With those settings applied, if you were to install something from an unknown developer, Apple would warn you to check its authenticity. Read on to find out how Apple protects you from malware and what you can do to protect yourself further.
Apple goes to great lengths to protect you from malware by making it almost impossible for you to download it in the first place, let alone install it. The company has built anti-malware protection into macOS. For example, before you can open a file, your Mac will check it against a list of malware, and even if there is no reason for concern it will not allow you to open an application from a developer that it hasn’t already approved.
The Mac's malware scanning tool, XProtect, works invisibly and automatically in the background and requires no user configuration. Apple maintains a list of malicious applications that it checks against when you open downloaded applications. Updates happen invisibly too. This is similar to having antivirus software from another software developer running on your Mac, with the bonus that, being written into the operating system, it doesn't hamper the speed of your Mac.
If you download and try to open files contaminated with malware, you may see an explicit warning that the files will "damage your computer", along with a reference to the type of malware. You should delete the file immediately.
In addition, macOS blocks downloaded software that hasn't been digitally signed - a process in which Apple approves the developer. This leads to the familiar error message when you try to use or install unsigned software: "[this app] can't be opened because it is from an unidentified developer."
The system at work here is called Gatekeeper and can be controlled via the Security & Privacy section of System Preferences - in Security & Privacy select the General tab and choose from the options underneath Allow Applications Downloaded From. The options include App Store or App Store and Identified Developers.
There used to be an option to disable the feature by choosing 'Anywhere' but this option is no longer available. This doesn't mean you can't open apps that haven't been approved by Apple though - it just means that you will have to tweak some settings in order to do so. (Here's how to open an app from an unidentified developer).
Setting this option to App Store and Identified Developers is the best plan. All software downloaded via the App Store is signed, so you'll only see Gatekeeper warnings with a minority of apps you've downloaded manually. You can bypass its protection when needed - assuming you're sure an app or installation package is safe, just hold down Ctrl, then click it and select Open. This will mark it as being trusted.
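The two things Gatekeeper acts on for a downloaded app can both be read from the command line: the com.apple.quarantine extended attribute that Safari and other browsers attach to downloads (which is what makes Gatekeeper look at the file in the first place), and the verdict from Apple's spctl tool, which is the same assessment the Open dialog performs. The script below is an added example, not code from the article or from Apple; the spctl output and quarantine value it parses are constructed samples with placeholder paths and a placeholder team ID, and the assess_app() wrapper only works on a Mac because it calls the spctl and xattr tools.

```python
import subprocess
import sys

# Output in the shape that "spctl --assess --type execute -vv <app>" prints.
# CONSTRUCTED samples for illustration; paths and the team ID are placeholders.
SAMPLE_ACCEPTED = """\
/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)
"""
SAMPLE_REJECTED = """\
/Users/me/Downloads/Example.app: rejected
source=no usable signature
"""

# A com.apple.quarantine value, CONSTRUCTED; the fields are
# flags;download-time;downloading-app;uuid
SAMPLE_QUARANTINE = "0083;5e0b3c40;Safari;00000000-0000-0000-0000-000000000000"


def parse_spctl(text):
    """Turn spctl's verbose assessment into a dict.

    The first line is "<path>: accepted" or "<path>: rejected"; the lines
    after it are key=value pairs such as source=... and origin=...
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    path, _, verdict = lines[0].rpartition(": ")
    result = {"path": path, "accepted": verdict == "accepted"}
    for ln in lines[1:]:
        key, _, value = ln.partition("=")
        result[key] = value
    return result


def parse_quarantine(value):
    """Decode a com.apple.quarantine attribute.

    The flags and the download time are hexadecimal; the time is seconds
    since the Unix epoch. The agent is the app that saved the file, which
    tells you the file was downloaded rather than created locally.
    """
    parts = value.strip().split(";") + ["", "", "", ""]
    return {
        "flags": int(parts[0], 16),
        "downloaded_epoch": int(parts[1], 16),
        "agent": parts[2],
        "uuid": parts[3],
    }


def assess_app(path):
    """On a Mac, ask Gatekeeper about `path` and read its quarantine attribute."""
    if sys.platform != "darwin":
        raise RuntimeError("spctl and xattr are macOS tools")
    spctl = subprocess.run(
        ["spctl", "--assess", "--type", "execute", "-vv", path],
        capture_output=True, text=True,
    )
    # spctl reports on stderr and exits non-zero when the app is rejected
    verdict = parse_spctl(spctl.stderr + spctl.stdout)
    xattr = subprocess.run(
        ["xattr", "-p", "com.apple.quarantine", path],
        capture_output=True, text=True,
    )
    verdict["quarantine"] = (
        parse_quarantine(xattr.stdout) if xattr.returncode == 0 else None
    )
    return verdict


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(assess_app(sys.argv[1]))   # e.g. python3 gatekeeper_check.py /Applications/Example.app
    else:
        print(parse_spctl(SAMPLE_ACCEPTED))
        print(parse_spctl(SAMPLE_REJECTED))
        print(parse_quarantine(SAMPLE_QUARANTINE))
```

A "rejected" verdict with source=no usable signature is exactly the case the "unidentified developer" dialog covers; an app with no quarantine attribute at all was never downloaded through a browser or mail client, so Gatekeeper never assessed it, which is worth knowing when you are deciding whether to Control-click and Open.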
Software that is approved by Apple is also sandboxed, which means apps do only what they're intended to do. App sandboxing isolates apps from the critical system components of your Mac, your data and your other apps, so they shouldn't be able to access anything that could allow them to do any damage.
There's also anti-phishing technology in Safari that will detect fraudulent websites. It will disable the page and display an alert warning you if you visit a suspect website.
You'll also notice that plug-ins such as Adobe Flash Player, Silverlight, QuickTime and Oracle Java won't run if they aren't updated to the latest version - another way of ensuring your Mac is safe.
In addition to Gatekeeper, which should keep malware off your Mac, FileVault 2 makes sure your data is safe and secure by encrypting it. Read about how to manage the settings of your Mac to make sure that it is secure here.
Security features in macOS Catalina
When Catalina launched in October 2019 Apple emphasised many of the new security and privacy features.
For one thing you will notice how Catalina forces apps to ask for permission before they can access the parts of your computer (such as where files are saved). Another change is that macOS itself is now stored on a separate disk volume (if you look in Disk Utility you'll see your usual Home volume and a separate Home - Data volume). This means that your important system files are all completely separate and therefore more challenging to access. This should mean that no apps can get to your system files where they could cause problems.
You'll also be seeing warnings if you try to use a weak password and a prompt to change it to something safer.
Changes to Gatekeeper (which is Apple's solution for catching and stopping viruses and malware) include software being checked for malware and other issues every time it runs, rather than just the first time you install it. If the software isn't from a developer that has been approved by Apple it won't run (unless you use this workaround, and even if you do then open it, Apple will still look for known malware associated with it).
Other enhancements that arrived with Catalina in 2019 included:
- Gatekeeper will check all apps for known security issues.
- All apps must get permission before accessing user documents.
- Approve with Apple Watch.
- Activation Lock feature on all Macs with the T2 chip. This means you will be able to brick your Mac remotely.
- Find My app can relay location of a lost or stolen Mac back to its owner.
- You can easily block senders in Mail just by clicking on Block Contact.
Security features in macOS Mojave
Security enhancements that arrived in macOS Mojave in 2018 include:
- Strong password suggestions will appear in Safari when you open an account on a website. This strong password will be saved in your iCloud Keychain so that you won't have to remember it. It's a lot safer than using the same password you always use.
- Safari can also automatically insert codes received via SMS into the appropriate fields on a website.
- Safari will also limit Fingerprinting - which is the way a website can recognise you based on information advertisers have about you. Fingerprinting enables advertisers to target ads at you. In Safari 12 Intelligent Tracking Protection stops cookies following you around the web.
- There are also new permissions dialogs that will appear whenever software is attempting to control your Mac or access a particular function (for example the camera or microphone). It's similar to how things work on iOS.
- If you have a Mac with a T2 chip it will handle various security features including Touch ID.
When Apple's security measures aren't enough...
All the above is great, but unfortunately there have been cases where Gatekeeper has been bypassed because malware has got an approved developer signature. For example, OSX/CrescentCore, mentioned above, was able to bypass Gatekeeper because it was signed by a certificate assigned by Apple to a developer. It took Apple a few days to retract that certificate.
It isn't only when malware gets a certificate from a registered developer. In the case of OSX/Linker, a zero-day vulnerability in Gatekeeper was being exploited.
Zero-day threats mean there are "zero days" to fix the vulnerabilities, although often a legitimate security researcher discovers the vulnerability and lets the developer know about it. There is usually a 90-day deadline for the fix to be made available. Sometimes the developer doesn't act in time and the exploit is publicised.
Apple normally reacts quickly, although there have been cases where the company has ignored the identified vulnerability, such as when a teenager reported the Group FaceTime vulnerability that meant someone could listen in to a call and Apple failed to act. There's more about how Apple reacts to security threats below.
Apple usually issues a security update to the latest version of macOS and to the two versions prior to it.
For example, in July 2019 Apple issued a Mojave update alongside security updates for Sierra and High Sierra. These updates addressed a total of 44 vulnerabilities.
Normally the advice would be to install the update immediately. However, the Sierra and High Sierra security update in July 2019 was subsequently pulled after people experienced problems after installing it.
Despite the security measures Apple has in place, from time to time there are threats to the Mac.
Apple has its own security research team, but it depends on users and independent researchers to help by reporting any flaws they find in Apple products.
To this end, Apple has an incentive program that rewards such discoveries with payments of up to $200,000, depending on the seriousness of the flaw. But it was the last major tech company to set up such a scheme. (Microsoft set up its own bug-reporting incentive programme in 2013, and was itself criticised at the time for leaving it so late.)
On 4 August 2016, Apple security boss Ivan Krstic announced the Apple Security Bounty Program. "We've had great help from researchers in improving iOS security all along," Krstic said. "[But] we've heard pretty consistently... that it's getting increasingly difficult to find some of those most critical types of security vulnerabilities. So the Apple Security Bounty Program is going to reward researchers who actually share critical vulnerabilities with Apple."
The top reward is $200,000, given to those who discover vulnerabilities in Apple's secure boot firmware components; for less critical flaws the bounties drop through a series of smaller figures to a bottom tier of $25,000. Wired has the details.
We imagine most Mac users will be pleased to hear that Apple has an incentive programme to encourage more widespread reporting of its vulnerabilities. Incentivising security researchers to let Apple know about a flaw instead of passing it on to hackers (which may still, sadly, be more lucrative) makes Apple products safer for everyone.
One such flaw was the High Sierra root bug, discovered on 28 November 2017. This flaw in macOS 10.13 could allow access to settings on a Mac without the need for a password. Apple immediately issued a statement confirming that it was working on a fix and an update was anticipated to be issued within days (find out about the latest version of macOS here).
We have a guide to protecting your Mac from the High Sierra root bug here.
How to keep your Mac safe from malware
Apple does a lot to keep your Mac safe, but you have to work with it, installing updates when they arrive, not clicking on suspicious links in emails, not installing Flash, and so on. There are also some third party antivirus apps you could try - we have a complete guide to the best antivirus for Mac here.
Here are a few of the things you should do:
1) Keep macOS up-to-date
Despite what we said above about the security update Apple later retracted, normally the advice would be to install a security update as soon as possible.
Apple addresses flaws and vulnerabilities in the Mac by issuing updates to the Mac operating system, so it is important to keep your Mac up to date. Checking regularly for OS updates remains a key part of a sound security strategy.
You can find out about the latest version of MacOS here: Latest version of MacOS.
You can set your Mac to automatically update as soon as a new version of the operating system is made available. Follow these instructions to set that up:
How to automatically install MacOS Catalina (and Mojave) software updates
- Open System Preferences.
- Click on Software Update.
- Tick the box beside Automatically keep my Mac up to date.
- Or, click on Advanced and choose from automatically: Check for updates, download new updates when available, Install macOS updates and Install app updates from the App Store.
How to automatically install High Sierra software update
- Open System Preferences.
- Click on App Store.
- Tick the box beside Automatically check for updates.
- You can choose to download the newly available updates; if you want them to install automatically, though, you need to make sure the box beside Install macOS updates is checked.
How to manually install macOS software updates
If you'd rather not let your Mac automatically update, you should periodically check to see if there is an update to your version.
- In High Sierra and earlier you can go to the Mac App Store and check for updates.
- In Mojave you need to go to the Software Update pane in System Preferences.
You may need to restart your computer once the update has downloaded. You can expect a typical 460MB download to take about 8 minutes (during which time you will still be able to work) but for a large update you will have to restart and install and that could take as much as 20 minutes, bringing the total install time to about 25 minutes in total.
For our in-depth guide to updating Mac operating systems, see How to update macOS.
2) Don't connect to public Wi-Fi networks
Beware of connecting to a public Wi-Fi network as there may be someone spying who could gain access to your passwords and other private information, or you could have your session hijacked. Snoopers can set up their own Wi-Fi hotspot, pretending to be your hotel or coffee shop, then once you have connected they can grab any data you send over it. In the past there have been flaws detected in the OS that could allow access to your Mac, such as the SSL error in an earlier version of Mac OS X that meant it was possible for a hacker to access your machine if you were using public WiFi.
3) Don't install Flash
Intego, Malwarebytes and others recommend that you don't install Flash Player. Fake Flash Player updates are often the means by which people install malware. For example, people want to watch or download a popular movie or TV series for free and they find a search result that leads to a request to update Flash Player in order to view the content. There is no need to install Flash Player now that HTML5 has made Flash obsolete. In fact Flash will no longer be supported as of 2020, so the advice is simple: don't use Flash!
4) Keep Java and Flash up to date on your Mac
If you must use Flash or Java (which is also problematic) then make sure it's up-to-date. Vulnerabilities with Java and Flash have highlighted the fact that there are cross-platform threats that even Mac users need to be aware of. Apple blocks Java and Flash by default, leaving it to the user to decide whether to install those tools. If you do need to update them be very careful where you download updates from!
5) Avoid falling foul of phishing emails
Protect yourself from phishing attacks by not responding to emails that require you to enter a password or install anything. You could also install free software such as BlockBlock or XFence (formerly Little Flocker). That way, even if you were to carry out the steps to launch the malware, it would not be able to write files or mark itself as launching on startup.
6) Don't fall for Facebook scams
Facebook scams are usually designed to harvest data about the most gullible people, so if it seems like it might be too good to be true it probably is, and you'd be wise not to share it on Facebook. At best you might just look silly and those scammers will start to target you with more scams; at worst scammers can access your personal data and that of those you share their post with. So don't click on a link just because a friend shared it, and definitely don't give out your personal data on Facebook.
Is antivirus software necessary for a Mac?
As we've explained above, it's certainly not an essential requirement to install antivirus software on your Mac. Apple does a pretty good job of keeping on top of vulnerabilities and exploits, and the updates to macOS that will protect your Mac will be pushed out over auto-update very quickly.
However, sometimes Apple doesn't respond as quickly as Mac users might hope. In that case, there are some free antivirus apps that might give you some peace of mind.
Beware that due to the fact that people are so concerned about malware threats on the Mac there have been cases of malware actually disguising itself as an antivirus app, most recently Mac Auto Fixer pop-ups have appeared suggesting that software needs to be installed (at a high price). This is similar to another fake antivirus app called MacDefender which has been doing the rounds for some time.
Another Mac antivirus company that is often thought of as unscrupulous is MacKeeper. There are various reports that suggest it is a scam or at worst malware. However, according to reports, MacKeeper is not a scam, but unfortunately, its aggressive advertising leads many to believe that it is, and perhaps it is unfortunately named (too similar to the fake antivirus apps above). There are also complaints that it is difficult to uninstall (and we have a guide to how to uninstall MacKeeper here).
How to tell if my Mac is infected
Look out for the following signs that your Mac has been infected with malware:
- Aggressive web page banners and browser pop-ups recommending software.
- Web page text turning into hyperlinks.
- Programs appearing that you haven't authorised.
- Mac crashes.
- Mac runs hot.
- Mac speeds up for no reason.
If you think something suspicious is happening, open Activity Monitor and click on the CPU tab. Check what software is running - especially if something is hogging a lot of your resources.
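The Activity Monitor check above, and the earlier points about malware dropping a LaunchAgent and marking itself as launching on startup, can both be scripted. The example below is added here and is not code from the article: cpu_hogs() picks resource-hogging processes out of the output of the ps command, and audit_launch_item() reads a launchd plist and flags the combination adware and PUPs tend to use (a program living in the user's home folder, started at login and kept alive). The ps output and the plist are constructed samples with placeholder names and paths, and the list of "expected" program locations is a triage heuristic I have chosen, not an Apple rule, so a finding is a reason to look closer rather than proof of infection.

```python
import os
import plistlib

# Output in the shape of "ps -Axo pid,pcpu,comm"; CONSTRUCTED for illustration.
SAMPLE_PS = """\
  PID  %CPU COMM
    1   0.1 /sbin/launchd
  412   2.3 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
 8731  97.5 /Users/me/Library/Application Support/UpdateHelper/updater
 9002   0.0 /Applications/Safari.app/Contents/MacOS/Safari
"""

# A LaunchAgent property list; CONSTRUCTED, with a placeholder label and path.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updatehelper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/me/Library/Application Support/UpdateHelper/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Folders launchd reads user-level and system-level startup items from.
LAUNCH_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]

# Heuristic (my choice): programs under these prefixes are Apple's or ordinary apps.
EXPECTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")


def cpu_hogs(ps_text, threshold=50.0):
    """Return processes at or above `threshold` percent CPU, highest first."""
    hogs = []
    for line in ps_text.strip().splitlines()[1:]:  # skip the header row
        pid, pcpu, comm = line.split(None, 2)      # comm may contain spaces
        if float(pcpu) >= threshold:
            hogs.append({"pid": int(pid), "cpu": float(pcpu), "command": comm})
    return sorted(hogs, key=lambda h: h["cpu"], reverse=True)


def audit_launch_item(plist_bytes):
    """Flag traits of a launchd plist that deserve a second look."""
    item = plistlib.loads(plist_bytes)
    args = item.get("ProgramArguments") or [item.get("Program", "")]
    program = args[0]
    findings = []
    if not program.startswith(EXPECTED_PREFIXES):
        findings.append("program outside system and application folders: " + program)
    if item.get("RunAtLoad"):
        findings.append("starts automatically (RunAtLoad)")
    if item.get("KeepAlive"):
        findings.append("relaunched if it exits (KeepAlive)")
    return {"label": item.get("Label", ""), "program": program, "findings": findings}


def scan_launch_dirs(dirs=LAUNCH_DIRS):
    """Audit every .plist in the launchd folders that exist on this machine."""
    reports = []
    for folder in dirs:
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                try:
                    report = audit_launch_item(fh.read())
                except Exception as exc:  # corrupt or unexpected plist content
                    report = {"label": name, "program": "", "findings": [f"unparseable: {exc}"]}
            report["file"] = path
            reports.append(report)
    return reports


if __name__ == "__main__":
    for hog in cpu_hogs(SAMPLE_PS):
        print(f"high CPU: pid {hog['pid']} {hog['cpu']}% {hog['command']}")
    print(audit_launch_item(SAMPLE_AGENT))
    for report in scan_launch_dirs():      # real folders on the machine running this
        if report["findings"]:
            print(report["file"], report["findings"])
```

On a real Mac, feed cpu_hogs() the output of `ps -Axo pid,pcpu,comm` and compare the command path of anything it reports with the program paths scan_launch_dirs() turns up: a process burning CPU whose binary sits in ~/Library and is also registered to start at login is the pattern the miners and adware described earlier leave behind.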