Despite Apple's best efforts, Mac malware does exist, we describe some cases below. However, before you panic, Mac malware and viruses are very rarely found "in the wild".
From time to time you will hear of big profile trojans, malware, and ransomware that is targetting the Windows world, very rarely is this a threat to Macs. For example, the WannaCry/WannaCrypt ransomware that bought the NHS to its knees in May 2017 was only targetting Windows machines and therefore no threat to Macs.
Luckily Apple has various measures in place to guard against such threats. For example, macOS shouldn't allow the installation of third-party software unless it's from the App Store or identified developers, as per the Security & Privacy settings, that you can access in System Preferences > Security & Privacy > General. If you were to install something from an unknown developer Apple would warn you to check it's authenticity.
In addition Apple has its own built-in anti-malware tool. Apple has all the malware definitions in its XProtect file which sits on your Mac, and everytime you download a new application it checks that none of those definitions are present. This is part of Apple's Gatekeeper software that blocks apps created by malware developers and verifies that apps haven't been tampered with. For more information read: how Apple protects you from malware.
In 2020 malware on the Mac actually decreased, however, as you will see if you read on, Macs are not completely safe from attacks. To stay safe, we recommend you read our best Mac security tips and our round up of the best Mac antivirus apps, in which we highlight Intego as our top pick.
Another thing to note is that the M1 Chip that Apple started using in Macs in November 2020 is considered more secure than Intel processors. However, malware has already been found on the M1 Mac, dubbed Silver Sparrow we have more information below.
But if you are simply curious to know what Mac viruses are out there, or have been seen "in the wild" in this article we will endeavour to give you a complete list.
We'll start off with a list of what Malwarebytes says were the top Mac malware threats in 2020. Apparently these accounted for 99% of Mac malware detections.
- OSX.Generic.Suspicious 80.65%
- OSX.FakeFileOpener 13.19%
- OSX.ThiefQuest 1.96%
- OSX.BirdMiner 1.37%
- OSX.SearchAwesome 1.05%
- OSX.FakeAV 0.74%
- OSX.Honkbox 0.22%
- OSX.Dummy 0.15%
- OSX.Adwind 0.1%
- OSX.KeRanger 0.1%
We'll run through the above detections in the article below, but we'll start off with the most recent Mac Malware.
A Trojan hidden in Xcode projects in GitHub had the potential to spread among the Macs of iOS developers.
Once installed a malicious script runs that installs an "EggShell backdoor". Once open the Mac's microphone, camera and keyboard can be hyjacked and files can be send to the attacker.
The malware has been found in a ripped version of TabBarInteraction.
Read more here: New Mac malware targets iOS developers
At the time of writing it's unknown to what extent Silver Sparrow poses a threat. But worryingly, according to Malwarebytes, Silver Sparrow has already infected 29,139 macOS systems in 153 countries, most of the infected Macs are in the US, UK, Canada, France and Germany. It is unclear how many of these are M1 Macs. More details here: What you need to know about Silver Sparrow Mac malware.
There is already adware targetting the M1 Mac. Based on Pirri and known as GoSearch22 it has been specially compiled for Apple's ARM platform. Infected Macs will see unwanted adverts. More information here: M1 Macs face first recorded malware.
These accounted for more than 80% of cases, but rather than being one rampant case of malware, this is Malwarebytes name for any detection that was deemed to be suspicious behaviour. This could be an attempt to run concealed Python or a shell code, for example.
Malwarebytes uses the name FakeFileOpener to describe apps that advertise PUPs (Potentially Unwanted Programs). These tend to be system optimizers. You might see a pop up suggesting that you don't have software to open an app, for example, offering to help you locate such an app on the web. Or you might see a warning that you have been infected with a number of viruses inviting you to use an app such as Advanced Mac Cleaner, Mac Adware Remover or Mac Space Reviver.
ThiefQuest (aka EvilQuest)
ThiefQuest, which we discuss here: Mac ransomware ThiefQuest / EvilQuest could encrypt your Mac (Updated), was Ransomware spreading on the Mac via pirated software found on a Russian torrent forum. It started appearing in June 2020. It was initially thought to be the Mac ransomware - the first such case since 2017, except that it didn't act like ransomware: it encrypted files but there was no way to prove you had paid a ransom and no way to subsequently unencrypted files. It turned out that rather than the purpose of ThiefQuest being to extort a ransom, it was actually trying to obtain the data. Known as 'Wiper' malware this was the first of its kind on the Mac.
This was a cryptocurrency miner that was distributed via a cracked installer for Ableton Live. The cryptocurrency mining software would attempt to use your Mac's processing power to make money. It started to appear in 2019.
OSX.SearchAwesome is a kind of adware that targets macOS systems. This malware was detected in 2018 and can intercept encrypted web traffic to inject ads.
This is a generic name for any type of malicious software pretends to offer antivirus for macOS.
GravityRAT is an infamous Trojan on Windows, which, among other things, has been used in attacks on the military. According to Kaspersky it is also on the Mac too.
The GravityRAT Trojan can upload Office files, take automatic screenshots and record keyboard logs.
GravityRAT uses stolen developer certificates to bypass Gatekeeper and trick users into installing legitimate software. The Trojan is hidden in copies of various legitimate programs developed with .net, Python and Electron. We have more information about GravityRAT on the Mac here.
As of August 2020 this Mac malware is spread through Xcode projects posted on Github. The malware - a family of worms known as XCSSET - exploit vulnerabilities in Webkit and Data Vault.
They seek to access information via the Safari browser, including login details for Apple, Google, Paypal and Yandex services.
Other types of information collected includes notes and messages sent via Skype, Telegram, QQ and Wechat. More information here.
In February 2018 Mac users were being warned of a variant of adware that is infecting Macs via a fake Adobe Flash Player installer. Intego identifed it as a new variant of the OSX/Shlayer Malware, while it may also be refered to as Crossrider.
In the course of installation, a fake Flash Player installer dumps a copy of Advanced Mac Cleaner which tells you in Siri's voice that it has found problems with your system.
Even after removing Advanced Mac Cleaner and removing the various components of Crossrider, Safari's homepage setting is still locked to a Crossrider-related domain, and cannot be changed.
Malwarebytes warns: “If you see a message in your web browser telling you that Adobe Flash Player needs to be updated, it's almost certainly a scam.” If you do need to install or update Flash visit Adobe's website. Since 31 December 2020 Flash Player has been discontinued by Adobe and it no longer supported, so you can be sure that if you see anything telling you to install Flash Player please ignore it! You don't need it because nobody is using Flash anymore.
It's likely that you will come across the fake installer on BitTorrent sites, notes Intego.
Intego VirusBarrier detects the various apps that would be installed by the fake Flash installer. These include a Chumsearch Safari Extension, Advanced Mac Cleaner, MyShopCoupon+, mediaDownloader, and MyMacUpdater.
Unfortunately Shlayer does seem to keep reemerging. The most recent emergence wass a little worrying as it was appearing in Google search results.
Intego discovered this new Trojan had been specifically designed to circumvent MacOS Catalina's security measures because it launches an installation guide that guides the user through the steps necessary to install it.
Intego reckons that one in ten Mac computers is infected with the so-called Shlayer virus!
You can read more about this incident here.
This Mac malware was found on several websites, including a comic-book-download site in June 2019. It even showed up in Google search results. CrescentCore was disguised as a DMG file of the Adobe Flash Player installer. Before running it would check to see if it inside a virtual machine and would looks for antivirus tools. If the machine was unprotected it would install either a file called LaunchAgent, an app called Advanced Mac Cleaner, or a Safari extension.
CrescentCore was able to bypass Apple's Gatekeeper because it had a signed developer certificate assigned by Apple. That signature was eventually revoked by Apple. But it shows that although Gatekeeper should stop malware getting through, it can be done.
Again, we note that Adobe ended support for Adobe Flash on 31 December 2020, so this should mean fewer cases of malware being disguised as the Flash Player.
OSX/Linker came to light in May 2019. It exploited a zero-day vulnerability in Gatekeeper to install malware. The "MacOS X GateKeeper Bypass" vulnerability had been reported to Apple back in February, and was disclosed by the person who discovered it on 24 May 2019 because Apple had failed to fix the vulnerability within 90 days.
OSX/Linker tried to exploit this vulnerability, but it was never really "in the wild".
This malware attempted to add tabs to Safari. It was also digitally signed with a registered Apple Developer ID.
NetWire and Mokes
These were described by Intego as "backdoor malware" with capabilites such as keystoke logging and screenshot taking. They were a pair of Firefox zero-days that targeted those using cryptocurrancies. They also bypassed Gatekeeper. backdoor" malware
The CookieMiner malware that could steal cybercurrency was discovered at the end of January 2019. It was able to steal a users password and login information for their cyberwallets from Chrome, obtain browser authentication cookies associated with cryptocurrency exchanges, and even access iTunes backups containing text messages in order to piece together the information required to bypass two-factor authentication and gain access to the victim's cryptocurrency wallet and steal their cryptocurrency.
Unit 42, the security researchers who identified it, suggest that Mac users should clear their browser caches after logging in to financial accounts. Since it's connected to Chrome we also recommend that Mac users choose a different browser.
Find out more about CookieMiner Mac malware here.
Mac Auto Fixer
Back in August 2018 Mac Auto Fixer caused some concern among Mac users as it started popping up on Macs. It isn't exactly malware, rather it's what we call a Potentially Unwanted Program, which piggybacks on to your system via bundles of other software.
Find out more about it, and how to get rid of it, in What is Mac Auto Fixer?
In May 2018 cryptominer app mshelper was targeting macOS. Infected users noticed their fans spinning particularly fast and their Macs running hotter than usual, an indication that a background process was hogging resources. You can expect such crypto currency miners to become more and more prevalent.
In this case the malware routes all the traffic through malicious servers (those addresses), and that's when it can intercept sensitive information.
The program installs a new root certificate to intercept encrypted communications, according to Former NSA hacker Patrick Wardle. Wardle says: "Attackers can perform a variety of nefarious actions such as man-in-the-middleing traffic."
It can also take screenshots, generate mouse events, execute commands, and download and upload files, according to BGR.
Security analysis firm CheckPoint Software Technologies spotted a new OS X malware at the end of April 2017. Apple rushed to block it.
The macOS Trojan horse appeared to be able to bypass Apple's protections and could hijack all traffic entering and leaving a Mac without a user's knowledge - even traffic on SSL-TLS encrypted connections.
OSX/Dok was even signed with a valid developer certificate (authenticated by Apple) according to CheckPoint's blog post. It is likely that the hackers accessed a legitimate developers' account and used that certificate. Because the malware had a certificate, macOS's Gatekeeper would have recognized the app as legitimate, and therefore not prevented its execution. Apple has since revoked that developer certificate and updated XProtect, it's malware signature system.
The attacker could gain access to all victim communication by redirecting traffic through a malicious proxy server, there's more information about how the attack worked here.
OSX/Dok was targeting OS X users via an email phishing campaign. The best way to avoid falling foul to such an attempt in the future is not to respond to emails that require you to enter a password or install anything.
Back in February 2017 X-agent malware was discovered that was capable of stealing passwords, taking screenshots and grabbing iPhone backups stored on your Mac.
The malware apparently targeted members of the Ukrainian military and was thought to be the work of the APT28 cybercrime group, according to Bitdefender.
In February 2017 researchers found the MacDownloader software lurking in a fake update to Adobe Flash (which as we said above has now been discontinued). When the installer is run you'll get an alert claiming that there is adware on your Mac.
You'll be asked to click to "remove" the adware, and when you enter your password on your Mac the MacDownloader malware will attempt to transmit data including your Keychain (so that's your usernames, passwords, PINs, credit card numbers) to a remote server.
Luckily the threat seems to be contained for now: the remote server it the malware tries to connect is now offline.
The best way to avoid such attacks is to always check on Adobe's site to see if there is an update to Flash you should be installing.
The MacDownloader malware is thought to have been created by Iranian hackers and was specifically targetted at the US defence industry. It was located on a fake site designed to target the US defence industry (so likely not yourself). In this case the phishing attempt would have been activated via a Flash file, and since Apple has stopped Flash opening by default, again this is unlikely to have affected you.
According to a report in January 2017, Fruitfly malware had been conducting surveillance on targeted networks for possibly two years.
The malware captures screenshots and webcam images, as well as looking for information about the devices connected to the same network - and then connects to them.
Malwarebytes claims the malware could have been circulating since OS X Yosemite was released in 2014.
Back in April 2016 OSX/Pirrit was apparently hidden in cracked versions of Microsoft Office or Adobe Photoshop found online. It would gain root privileges and create a new account in order to install more software, according to Cybereason researcher Amit Serper in this report.
KeRanger is still appearing on Macs despite the fact that it is extinct - Malwarebytes notes that the malware is no longer capable of encrypting files. Malwarebytes theorises that the only reason it's still popping up is that a handful of people are testing to see if it it still detected.
KeRanger is ransomware. Ransomware is, in general, a sub-category of malware that involves dodgy software sneaking itself on to your computer and then encrypting files against your wishes. You'll then be left with two apparent options: never be able to access those files again, or pay the 'ransom' to decrypt them. (We discuss how to remove Ransomware here.)
For a long time ransomware was a problem that Mac owners didn't have to worry about, but March 2016 saw the appearance of the first ever piece of Mac ransomware - KeRanger - distributed along with a version of a piece of legitimate software: the Transmission torrent client.
Transmission has since updated to remove this malware, and Apple revoked the GateKeeper signature and updated its XProtect system, but not before a number of unlucky users got stung.
Palo Alto Network's Claud Xiao and Jin Chen explain how KeRanger works: "The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple's Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to be still under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their backup data.
"Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4. Apple has since revoked the abused certificate and updated XProtect antivirus signature, and Transmission Project has removed the malicious installers from its website. Palo Alto Networks has also updated URL filtering and Threat Prevention to stop KeRanger from impacting systems."
In November 2016 security company Malwarebytes started documenting Mac-targeted denial-of-service attacks originating from a fake tech support website.
Like many Mac-targeted attacks, it depends on 'social engineering' or user error: you click a link in an email, and the malware is smuggled on to your Mac. This then triggers the attack.
There are two versions of the attack; the one you get depends on your version of macOS. Either Mail is hijacked and forced to create vast numbers of draft emails, or iTunes is forced to open multiple times. Either way, the end goal is to overload system memory and force a shutdown or system freeze.
(In fact, the real end goal is to get you to call a bogus Apple support number, whereupon you will presumably get charged to hear a fake solution by the people who caused the problem in the first place.)
You can avoid this issue, fortunately, by updating macOS: Malwarebytes suspects that Sierra 10.12.2 includes a patch for this, since up-to-date machines were not affected by the problem in testing.
SSL , Gotofail error
This caused issues for Mac users back in 2014. The problem was with Apple's implementation of a basic encryption feature that shields data from snooping. Most websites handling sensitive personal data use SSL (Secure Sockets Layer) or TLS (Transport Layer Security), which establishes an encrypted connection between a server and a person's computer so that snoopers cannot read the traffic and extract information like credit card numbers or log-in credentials. If an attacker intercepts the data, it is unreadable.
However, Apple's validation of SSL encryption had a coding error that bypassed a key validation step in the web protocol for secure communications. There was an extra Goto command that hadn't been closed properly in the code that validated SSL certificates, and as a result, communications sent over unsecured Wi-Fi hotspots could be intercepted and read while unencrypted. This could potentially expose user password, bank data, and other sensitive data to hackers via man-in-the-middle attacks. Criminals could also supply fake data that makes it appear an authentic web service has been cryptographically verified.
These kinds of attacks are known as a man-in-the-middle attack and it is a form of eavesdropping in which a hacker makes an independent connection between a client and its destination server. The hacker is then able to relay messages between them, making the client and server believe they are talking to each other over a private connection.
In order for this type of attack to be possible, the attacker would have to be on the same public network.
Apple quickly issued an update to iOS 7 and iOS 6, but took longer to issued an update for Mac OS X, despite Apple confirming that the same SSL/TSL security flaw was also present in OS X. Read more about the iPad and iPhone security flaw here.
Apple said it had a fix ready for OS X and would release it "very soon". The fix came late the following night.
Not every Mac vulnerabilty is exposed, but it is these vulnerabilities that criminals use to hack Macs. Here we'll run through some particularly concerning cases:
Meltdown & Spectre
In January 2018 Apple confirmed that Macs, iPhones and iPads were affected by flaws in Intel chips.
Apple was one of a number of tech companies affected. The company highlighted that: "These issues apply to all modern processors and affect nearly all computing devices and operating systems."
The Meltdown and Spectre bugs could allow hackers to steal data. Meltdown would involve a "rogue data cache load" and can enable a user process to read kernel memory, according to Apple's brief on the subject.
Apple issued patches to mitigate the Meltdown flaw, despite saying that there is no evidence that either vulnerability had been exploited.
Apple advises that the best way to protect yourself from these vulnerabilities is to only download and install apps from trusted sources. The company states: “Exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.”
Zoom is a video conferencing app and in June it was revealed that it was possible for users to be added to video calls without permission and the Mac webcam activated.
This was also a "Zero-day" threat, where the vulnerability had been discovered in advance, and the developer who made the software notified, but after failing to act within the alloted 90-days, the vulnerability was publicised.
According to Zoom the vulnerability was theoretical. However, it could have lead to those people who used the Zoom platform for video conferencing (which includes a fair few companies as you'll see from the post below) having their web cam accessed.
Following the public disclosure of the vulnerability both Zoom and Apple addressed the vulnerability. Read about How to stop people from accessing your MacBook webcam here.
Word macro viruses
PC users have had to contend with macro viruses for a long time. Applications, such as Microsoft Office, Excel, and Powerpoint allow macro programs to be embedded in documents. When these documents are opened the macros are run automatically which can cause problems.
Mac versions of these programs haven't had an issue with malware concealed in macros because since when Apple released Office for Mac 2008 it removed macro support. However, the 2011 version of Office reintroduced macros, and in February 2017 there was malware discovered in a Word macro within a Word doc about Trump.
If the file is opened with macros enabled (which doesn't happen by default), it will attempt to run python code that could have theoretically perform functions such as keyloggers and taking screenshots. It could even access a webcam. The chance of you being infected in this way is very small, unless you have received and opened the file referred to (which would surprise us), but the point is that Mac users have been targeted in this way.
Mac users should still be fairly safe from macros thanks to a warning that appears on the screen should a user attempt to open a document containing macros.
For more information about how Apple protects your Mac from security vulnerabilities and malware read: Do Macs need antivirus software.