Do Macs get viruses? Do Macs need antivirus software? The answer isn't as simple as it may seem. In this article, we look at the dangers faced by Mac users and the pros and cons of using Mac antivirus software.
We also explore how secure Macs are in comparison to Windows PCs. The Mac has historically been considered to be safe and secure for a number of reasons, but in recent years that has shifted considerably.
A report by Malwarebytes in March 2018 suggested that Mac malware grew by 270 percent in 2017. The same company reported that it had already seen an increase in Mac malware in 2019, with 16 million instances recorded in April - which is four times more than the previous record.
And according to network-security firm WatchGuard Technologies, Mac malware took two spots in the rundown of the ten most popular attacks in the first quarter of 2019. There is no doubt that attacks are on the rise, but that doesn't mean your Mac isn't safe.
What's changed is the popularity of the platform, both with consumers and with those who wish to target the Mac. In the past, Mac users were less vulnerable to malware because there were far more PCs and therefore PCs were a more lucrative target. Now there are new threats, such as malware designed to gain access to cryptocurrency, phishing attacks and adware, and we will examine some of these below.
Despite this, Macs have remained pretty secure. This is partly thanks to the fact that the Mac operating system is Unix-based, and Unix offers a number of built-in security features.
In addition, Apple itself has included a number of security measures that make attacking a Mac particularly challenging. These include Gatekeeper, which blocks software that hasn’t been digitally approved by Apple from running on your Mac without your agreement.
However, with the increased interest in the Mac from malware distributors, are the inbuilt protections enough, or should you install antivirus software on your Mac? Or is it too late, with your Mac already infected? Find out how to tell if you have a virus on your Mac below.
What is the latest Mac virus?
There were actually six different threats to the Mac in June 2019, so rather than pinpoint the latest threat we'll discuss them all here, although we also have a complete list of all the Mac viruses, malware and security flaws that have hit the operating system here.
OSX/CrescentCore: This Mac malware was available to download from several websites, and even showed up in Google Search Results. It was disguised as a DMG file of the Adobe Flash Player installer but would actually install either a file called LaunchAgent, an app called Advanced Mac Cleaner, or a Safari extension. Before installing anything the malware would check whether there was an antivirus tool installed on the Mac. The CrescentCore malware was able to bypass Apple's Gatekeeper because it was 'signed' by a known developer.
OSX/Linker: First appeared in May 2019 and exploited a zero-day vulnerability in Gatekeeper to install unsigned malware.
LoudMiner or Bird Miner: A cryptocurrency miner hidden in a cracked installer for Ableton Live.
OSX/Newtab: Attempted to add tabs to Safari; again, it was digitally signed with a registered Apple Developer ID.
NetWire and Mokes: Firefox-related malware that targeted those using cryptocurrencies. They also bypassed Gatekeeper.
Other examples of malware have included the following:
CookieMiner malware: Could steal passwords and login credentials from Chrome, obtain browser authentication cookies for cryptocurrency exchanges, and access iTunes backups of text messages in order to gain the information required to bypass two-factor authentication. With that it could gain access to a cryptocurrency wallet, steal cryptocurrency, and install software on the Mac that mines cryptocurrency.
Mac Auto Fixer: This started popping up on Macs, suggesting users should install the software to protect their Macs. Rather than being useful software, this was just a means to get people to part with money. Read: What is Mac Auto Fixer.
mshelper: A cryptominer app targeting macOS. Infected users noticed their fans spinning particularly fast and their Macs running hotter than usual, an indication that a background process was hogging resources. You can expect such cryptocurrency miners to become more and more prevalent.
OSX/Shlayer or Crossrider: A variant of adware that was infecting Macs via a fake Adobe Flash Player installer. The fake Flash Player, which you would have to pick up from a BitTorrent site, according to Intego, installed various apps on your Mac, including: Chumsearch Safari Extension, Advanced Mac Cleaner, MyShopCoupon+, mediaDownloader, and MyMacUpdater.
The best way to protect yourself from the above threats is not to allow the installation of third-party software unless it's from the App Store or identified developers, as per the Security & Privacy settings, which you can access in System Preferences > Security & Privacy > General. If you were to install something from an unknown developer, Apple would warn you to check its authenticity. Read on to find out how Apple protects you from malware.
Intego also recommends that you don't install Flash Player. The company emphasises that there is no need to install Flash Player in 2019 now that HTML5 has made Flash obsolete.
We have a complete run down of every Mac virus in this article: List of Mac viruses, malware and security flaws.
How Apple protects your Mac from malware
Apple goes to great lengths to protect you from malware by making it almost impossible for you to download it in the first place, let alone install it. The company has built anti-malware protection into macOS. For example, before you can open a file, your Mac will check it against a list of malware, and even if there is no reason for concern it will not allow you to open an application from a developer that it hasn’t already approved.
The Mac's malware scanning tool, XProtect, works invisibly and automatically in the background and requires no user configuration. Apple maintains a list of malicious applications that it checks against when you open downloaded applications. Updates to that list happen invisibly too. This is similar to having antivirus software from another software developer running on your Mac, with the bonus that it is built into the operating system and therefore doesn't hamper the speed of your Mac.
If you download and try to open files contaminated with malware, you may see an explicit warning that the files will "damage your computer", along with a reference to the type of malware. You should delete the file immediately.
In addition, macOS blocks downloaded software that hasn't been digitally signed - a process in which Apple approves the developer. This leads to the familiar error message when you try to use or install unsigned software: "[this app] can't be opened because it is from an unidentified developer."
The system at work here is called Gatekeeper and can be controlled via the Security & Privacy section of System Preferences - in Security & Privacy select the General tab and choose from the options underneath Allow Applications Downloaded From. The options include App Store or App Store and Identified Developers.
There used to be an option to disable the feature by choosing 'Anywhere' but this option is no longer available. This doesn't mean you can't open apps that haven't been approved by Apple though - it just means that you will have to tweak some settings in order to do so. (Here's how to open an app from an unidentified developer).
Setting this option to App Store and Identified Developers is the best plan. All software downloaded via the App Store is signed, so you'll only see Gatekeeper warnings with a minority of apps you've downloaded manually. You can bypass its protection when needed - assuming you're sure an app or installation package is safe, just hold down Ctrl, then click it and select Open. This will mark it as being trusted.
Software that is approved by Apple is also sandboxed, which means apps do only what they're intended to do. App sandboxing isolates apps from the critical system components of your Mac, your data and your other apps, so they shouldn't be able to access anything that would allow them to do damage.
There's also anti-phishing technology in Safari that will detect fraudulent websites. It will disable the page and display an alert warning you if you visit a suspect website.
You'll also notice that plug-ins such as Adobe Flash Player, Silverlight, QuickTime and Oracle Java won't run if they aren't updated to the latest version - another way of ensuring your Mac is safe.
In addition to Gatekeeper, which should keep malware off your Mac, FileVault 2 makes sure your data is safe and secure by encrypting it. Read about how to manage the settings of your Mac to make sure that it is secure here.
Security features in macOS Mojave
Security enhancements that arrived in macOS Mojave include:
- Strong password suggestions will appear in Safari when you open an account on a website. This strong password will be saved in your iCloud Keychain so that you won't have to remember it. It's a lot safer than using the same password you always use.
- Safari can also automatically insert codes received via SMS into the appropriate fields on a website.
- Safari will also limit Fingerprinting - which is the way a website can recognise you based on information advertisers have about you. Fingerprinting enables advertisers to target ads at you. In Safari 12 Intelligent Tracking Protection stops cookies following you around the web.
- There are also new permissions dialogs that will appear whenever software is attempting to control your Mac or access a particular function (for example the camera or microphone). It's similar to how things work on iOS.
- If you have a Mac with a T2 chip it will handle various security features including Touch ID.
New security features coming in macOS Catalina
Enhancements that will arrive with Catalina this autumn include:
- Gatekeeper will check all apps for known security issues.
- All apps must get permission before accessing user documents.
- Approve with Apple Watch.
- Activation Lock feature on all Macs with the T2 chip.
- Find My app can relay location of a lost or stolen Mac back to its owner.
When Apple's security measures aren't enough...
All the above is great, but unfortunately there have been cases where Gatekeeper has been bypassed because malware has got an approved developer signature. For example, OSX/CrescentCore, mentioned above, was able to bypass Gatekeeper because it was signed by a certificate assigned by Apple to a developer. It took Apple a few days to retract that certificate.
It isn't only when malware gets a certificate from a registered developer. In the case of OSX/Linker, a zero-day vulnerability in Gatekeeper was being exploited.
Zero-day threats mean there are "zero days" to fix the vulnerabilities, although often a legitimate researcher discovers the vulnerability and lets the developer know about it. There is usually a 90-day deadline for the fix to be made available. Sometimes the developer doesn't act in time and the exploit is publicised.
Apple normally reacts quickly, although there have been cases where the company has ignored the identified vulnerability, such as when a teenager reported the Group FaceTime vulnerability that meant someone could listen in to a call and Apple failed to act. There's more about how Apple reacts to security threats below.
Apple usually issues a security update to the latest version of macOS and to the two versions prior to it.
For example, in July 2019 Apple issued a Mojave update alongside security updates for Sierra and High Sierra. These updates addressed a total of 44 vulnerabilities.
Normally the advice would be to install the update immediately. However, the Sierra and High Sierra security update in July 2019 was subsequently pulled after people experienced problems after installing it.
Despite the security measures Apple has in place, from time-to-time there are threats to the Mac.
Apple has its own security research team, but it depends on users and independent researchers to help by reporting any flaws they find in Apple products.
To this end, Apple has an incentive program that rewards such discoveries with payments of up to $200,000, depending on the seriousness of the flaw. But it was the last major tech company to set up such a scheme. (Microsoft set up its own bug-reporting incentive programme in 2013, and was itself criticised at the time for leaving it so late.)
On 4 August 2016, Apple security boss Ivan Krstic announced the Apple Security Bounty Program. "We've had great help from researchers in improving iOS security all along," Krstic said. "[But] we've heard pretty consistently... that it's getting increasingly difficult to find some of those most critical types of security vulnerabilities. So the Apple Security Bounty Program is going to reward researchers who actually share critical vulnerabilities with Apple."
The top reward is $200,000, given to those who discover vulnerabilities in Apple's secure boot firmware components; for less critical flaws the bounties drop through a series of smaller figures to a bottom tier of $25,000. Wired has the details.
We imagine most Mac users will be pleased to hear that Apple has an incentive programme to encourage more widespread reporting of its vulnerabilities. Incentivising security researchers to let Apple know about a flaw instead of passing it on to hackers (which may still, sadly, be more lucrative) makes Apple products safer for everyone.
One such flaw was the High Sierra root bug, discovered on 28 November 2017. This flaw in macOS 10.13 could allow access to settings on a Mac without the need for a password. Apple immediately issued a statement confirming that it was working on a fix and an update was anticipated to be issued within days (find out about the latest version of macOS here).
We have a guide to protecting your Mac from the High Sierra root bug here.
What you should do to keep your Mac safe
Apple does a lot to keep your Mac safe, but you have to work with it: installing updates when they arrive, not clicking on suspicious links in emails, not installing Flash, and so on. There are also some third-party antivirus apps you could try - we have a complete guide to the best antivirus for Mac here.
Here are a few of the things you should do:
Keep macOS up-to-date
Despite what we said above about the security update Apple later retracted, normally the advice would be to install a security update as soon as possible.
Apple addresses flaws and vulnerabilities in the Mac by issuing updates to the Mac operating system, so it is important to keep your Mac up to date. Checking regularly for OS updates remains a key part of a sound security strategy.
You can find out about the latest version of MacOS here: Latest version of MacOS.
You can set your Mac to automatically update as soon as a new version of the operating system is made available. Follow these instructions to set that up:
How to automatically install MacOS Mojave (and Catalina) software update
- Open System Preferences.
- Click on Software Update.
- Tick the box beside Automatically keep my Mac up to date.
- Or, click on Advanced and choose which of the following should happen automatically: Check for updates, Download new updates when available, Install macOS updates and Install app updates from the App Store.
How to automatically install High Sierra software update
- Open System Preferences.
- Click on App Store.
- Tick the box beside Automatically check for updates.
- You can choose to download the newly available updates. If you want them to install automatically, though, you need to make sure the box beside Install macOS updates is checked.
How to manually install macOS software updates
If you'd rather not let your Mac automatically update, you should periodically check to see if there is an update to your version.
- In High Sierra and earlier you can go to the Mac App Store and check for updates.
- In Mojave you need to go to the Software Update pane in System Preferences.
You may need to restart your computer once the update has downloaded. You can expect a typical 460MB download to take about 8 minutes (during which time you will still be able to work), but for a large update you will have to restart and install, and that could take as much as 20 minutes, bringing the total install time to about 25 minutes.
For our in-depth guide to updating Mac operating systems, see How to update macOS.
Protect your Mac from malware
Along with keeping your Mac operating software up to date we advise that you do the following:
Don't connect to public Wi-Fi networks - Beware of connecting to a public Wi-Fi network, as there may be someone spying who could gain access to your passwords and other private information, or you could have your session hijacked. Snoopers can set up their own Wi-Fi hotspot, pretending to be your hotel or coffee shop; once you have connected, they can grab any data you send over it. In the past there have been flaws in the OS that could allow access to your Mac, such as the SSL error in an earlier version of Mac OS X that meant it was possible for a hacker to access your machine if you were using public Wi-Fi.
Keep Java and Flash up to date on your Mac - Vulnerabilities in Java and Flash have highlighted the fact that there are cross-platform threats that even Mac users need to be aware of. Apple blocks Java and Flash by default, leaving it to the user to decide whether to install those tools. From time to time you will discover that Flash video and adverts disappear from your browser, and that Java-based tools stop working; if that happens you will need to install the latest version of those apps. And speaking of Flash and Java: be careful where you download updates from!
Avoid falling foul of phishing emails - Protect yourself from phishing attacks by not responding to emails that require you to enter a password or install anything. You could also install free software such as BlockBlock or XFence (formerly Little Flocker). That way, even if you were to carry out the steps to launch the malware, it would not be able to write files or mark itself as launching on startup.
Don't fall for Facebook scams - Facebook scams are usually designed to harvest data about the most gullible people, so if it seems like it might be too good to be true it probably is, and you'd be wise not to share it on Facebook. At best you might just look silly and those scammers will start to target you with more scams; at worst scammers can access your personal data and that of those you share their post with. So don't click on a link just because a friend shared it, and definitely don't give out your personal data on Facebook.
Is antivirus software necessary for a Mac?
As we've explained above, it's certainly not an essential requirement to install antivirus software on your Mac. Apple does a pretty good job of keeping on top of vulnerabilities and exploits, and the macOS updates that protect your Mac will be pushed out over auto-update very quickly.
However, sometimes Apple doesn't respond as quickly as Mac users might hope. In that case, there are some free antivirus apps that might give you some peace of mind.
Beware that, because people are so concerned about malware threats on the Mac, there have been cases of malware actually disguising itself as an antivirus app. Most recently, Mac Auto Fixer pop-ups have appeared suggesting that software needs to be installed (at a high price). This is similar to another fake antivirus app called MacDefender, which has been doing the rounds for some time.
Another Mac antivirus company that is often thought of as unscrupulous is MacKeeper. There are various reports that suggest it is a scam or at worst malware. However, according to reports, MacKeeper is not a scam, but unfortunately, its aggressive advertising leads many to believe that it is, and perhaps it is unfortunately named (too similar to the fake antivirus apps above). There are also complaints that it is difficult to uninstall (and we have a guide to how to uninstall MacKeeper here).
How to tell if my Mac is infected
Look out for the following signs that your Mac has been infected with malware:
- Aggressive web page banners and browser pop-ups recommending software.
- Web page text turning into hyperlinks.
- Programs appearing that you haven't authorised.
- Mac crashes.
- Mac runs hot.
- Mac speeds up for no reason.
If you think something suspicious is happening, open Activity Monitor and click on the CPU tab. Check what software is running - especially if something is hogging a lot of your resources.
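The Activity Monitor check above, together with the launch-agent persistence the article mentions (CrescentCore dropped a LaunchAgent; BlockBlock exists to catch exactly that), can be scripted. The following is an added example, not code from the article or from Apple; the trusted path prefixes and the sample plist and ps output are constructed assumptions.

```python
"""Two triage checks: launchd items that persist across reboots and CPU-hogging
processes (the mshelper symptom). Added example; not from the article or Apple."""
import plistlib
import subprocess
from pathlib import Path

# Assumption (added example): programs under these roots are expected; anything
# else (~/Library, /tmp, /Users/Shared, ...) deserves a look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")
# Standard macOS launchd folders for per-user and system-wide items.
LAUNCH_DIRS = [Path.home() / "Library/LaunchAgents",
               Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]

# Constructed sample of a dropped persistence plist.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.hidden/updater</string><string>-d</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
# Constructed sample of `ps -Ao pcpu,pid,comm` output (macOS and Linux agree).
SAMPLE_PS = """ %CPU   PID COMM
  0.4   312 /usr/libexec/logd
 97.8  4321 /Users/Shared/.hidden/updater
  2.1  4400 /Applications/Safari.app/Contents/MacOS/Safari
"""

def parse_launch_item(data: bytes) -> dict:
    """Pull Label, the program launchd runs and RunAtLoad out of one plist."""
    plist = plistlib.loads(data)
    program = plist.get("Program")
    if program is None:
        args = plist.get("ProgramArguments") or []
        program = args[0] if args else ""
    return {"label": plist.get("Label", ""), "program": program,
            "run_at_load": bool(plist.get("RunAtLoad", False)),
            "suspicious": not program.startswith(TRUSTED_PREFIXES)}

def scan_launch_dirs(dirs=LAUNCH_DIRS) -> list:
    """Parse every .plist in the folders; skip unreadable or malformed ones."""
    findings = []
    for d in dirs:
        for p in Path(d).glob("*.plist"):
            try:
                item = parse_launch_item(p.read_bytes())
            except (OSError, plistlib.InvalidFileException):
                continue
            findings.append(dict(item, path=str(p)))
    return findings

def cpu_hogs(ps_output: str, threshold: float = 50.0) -> list:
    """Return (pcpu, pid, command) rows above the threshold; skip the header."""
    hogs = []
    for line in ps_output.strip().splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3 and float(parts[0]) >= threshold:
            hogs.append((float(parts[0]), int(parts[1]), parts[2]))
    return hogs

if __name__ == "__main__":
    for item in scan_launch_dirs():
        print("CHECK" if item["suspicious"] else "ok", item["label"], "->", item["program"])
    ps = subprocess.run(["ps", "-Ao", "pcpu,pid,comm"], capture_output=True, text=True)
    print(cpu_hogs(ps.stdout))
```

A flagged launch item is a prompt to inspect the program it points to, not proof of infection; legitimate apps also install agents outside the trusted roots.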