Despite Apple's best efforts, Mac malware does exist, we describe some cases below. However, before you panic, Mac malware and viruses are very rarely found "in the wild".
From time to time you will hear of big profile trojans, malware, and ransomware that is targetting the Windows world, very rarely is this a threat to Macs. For example, the WannaCry/WannaCrypt ransomware that bought the NHS to its knees in May 2017 was only targetting Windows machines and therefore no threat to Macs.
Luckily Apple has various measures in place to guard against such threats, as we explain in this article about how Apple protects you from malware. However, as you will see if you read on, Macs are not completely safe from attacks.
You might also want to read about issues with Thunderbolt which are discussed in this article: How to protect your Mac from the Thunderbolt security flaw
But if you are simply curious to know what Mac viruses are out there, or have been seen "in the wild" here's a complete list:
GravityRAT is an infamous Trojan on Windows, which, among other things, has been used in attacks on the military. According to Kaspersky it is now on the Mac too.
The GravityRAT Trojan can upload Office files, take automatic screenshots and record keyboard logs.
GravityRAT uses stolen developer certificates to bypass Gatekeeper and trick users into installing legitimate software. The Trojan is hidden in copies of various legitimate programs developed with .net, Python and Electron. We have more information about GravityRAT on the Mac here.
As of August 2020 this Mac malware is spread through Xcode projects posted on Github. The malware - a family of worms known as XCSSET - exploit vulnerabilities in Webkit and Data Vault.
They seek to access information via the Safari browser, including login details for Apple, Google, Paypal and Yandex services.
Other types of information collected includes notes and messages sent via Skype, Telegram, QQ and Wechat. More information here.
New varient of OSX/Shlayer
We discuss Shlayer further down this article - it does seem to keep reemerging. The latest emergence is a little worrying as it is appearing in Google search results.
Intego discovered this new Trojan had been specifically designed to circumvent MacOS Catalina's security measures because it launches an installation guide that guides the user through the steps necessary to install it.
Intego reckons that one in ten Mac computers is infected with the so-called Shlayer virus!
You can read more about this incident here.
This Mac malware was found on several websites, including a comic-book-download site in June 2019. It even showed up in Google search results. CrescentCore was disguised as a DMG file of the Adobe Flash Player installer. Before running it would check to see if it inside a virtual machine and would looks for antivirus tools. If the machine was unprotected it would install either a file called LaunchAgent, an app called Advanced Mac Cleaner, or a Safari extension.
CrescentCore was able to bypass Apple’s Gatekeeper because it had a signed developer certificate assigned by Apple. That signature was eventually revoked by Apple. But it shows that although Gatekeeper should stop malware getting through, it can be done.
OSX/Linker came to light in May 2019. It exploited a zero-day vulnerability in Gatekeeper to install malware. The "MacOS X GateKeeper Bypass" vulnerability had been reported to Apple back in February, and was disclosed by the person who discovered it on 24 May since Apple had failed to fix the vulnerability within 90 days.
OSX/Linker tried to exploit this vulnerability, but it was never really "in the wild".
LoudMiner (aka Bird Mine)
This was a cryptocurrency miner that was distributed via a cracked installer for Ableton Live. The cryptocurrency mining software would attempt to use your Mac's processing power to make money.
This malware attempts to add tabs to Safari. It was also digitally signed with a registered Apple Developer ID.
NetWire and Mokes
These were described by Intego as "backdoor malware" with capabilites such as keystoke logging and screenshot taking. They were a pair of Firefox zero-days that targeted those using cryptocurrancies. They also bypassed Gatekeeper. backdoor" malware
Zoom is a video conferencing app and in June it was revealed that it was possible for users to be added to video calls without permission and the Mac webcam activated.
This was also a "Zero-day" threat, where the vulnerability had been discovered in advance, and the developer who made the software notified, but after failing to act within the alloted 90-days, the vulnerability was publicised.
According to Zoom the vulnerability was theoretical. However, it could have lead to those people who used the Zoom platform for video conferencing (which includes a fair few companies as you'll see from the post below) having their web cam accessed.
Following the public disclosure of the vulnerability both Zoom and Apple addressed the vulnerability. Read about How to stop people from accessing your MacBook webcam here.
The CookieMiner malware that could steal cybercurrency was discovered at the end of January 2019. It was able to steal a users password and login information for their cyberwallets from Chrome, obtain browser authentication cookies associated with cryptocurrency exchanges, and even access iTunes backups containing text messages in order to piece together the information required to bypass two-factor authentication and gain access to the victim’s cryptocurrency wallet and steal their cryptocurrency.
Unit 42, the security researchers who identified it, suggest that Mac users should clear their browser caches after logging in to financial accounts. Since it's connected to Chrome we also recommend that Mac users choose a different browser.
Find out more about CookieMiner Mac malware here.
Mac Auto Fixer
Back in August 2018 Mac Auto Fixer caused some concern among Mac users as it started popping up on Macs. It isn't exactly malware, rather it's what we call a Potentially Unwanted Program, which piggybacks on to your system via bundles of other software.
Find out more about it, and how to get rid of it, in What is Mac Auto Fixer?
In May 2018 cryptominer app mshelper was targeting macOS. Infected users noticed their fans spinning particularly fast and their Macs running hotter than usual, an indication that a background process was hogging resources. You can expect such crypto currency miners to become more and more prevalent.
In February 2018 Mac users were being warned of a variant of adware that is infecting Macs via a fake Adobe Flash Player installer. Intego is identifying this as a new variant of the OSX/Shlayer Malware, while Malwarebytes refers to it as Crossrider.
In the course of installation, the fake Flash Player installer dumps a copy of Advanced Mac Cleaner which tells you in Siri’s voice that it has found problems with your system.
Even after removing Advanced Mac Cleaner and removing the various components of Crossrider, Safari’s homepage setting is still locked to a Crossrider-related domain, and cannot be changed, explains Malwarebytes.
Apparently this is caused by a configuration profile installed on the system by the adware.
Malwarebytes explains how to remove the profile here, you’ll need to use Terminal to do so.
Malwarebytes warns: “If you see a message in your web browser telling you that Adobe Flash Player needs to be updated, it’s almost certainly a scam.” If you do need to install or update Flash visit Adobe’s website.
It’s likely that you will come across the fake installer on BitTorrent sites, notes Intego.
Intego VirusBarrier detects the various apps that would be installed by the fake Flash installer. These include a Chumsearch Safari Extension, Advanced Mac Cleaner, MyShopCoupon+, mediaDownloader, and MyMacUpdater.
Intego explains how to tell if your Mac is infected here. The company also outlines how to protect yourself.
MacOS shouldn’t allow the installation of third-party software unless it’s from the App Store or identified developers, as per the Security & Privacy settings, that you can access in System Preferences > Security & Privacy > General.
If you were to install something from an unknown developer Apple would warn you to check it’s authenticity.
What OSX/MaMi does
In this case the malware routes all the traffic through malicious servers (those addresses), and that’s when it can intercept sensitive information.
The program installs a new root certificate to intercept encrypted communications, according to Former NSA hacker Patrick Wardle.
Wardle says: “Attackers can perform a variety of nefarious actions such as man-in-the-middleing traffic.”
It can also take screenshots, generate mouse events, execute commands, and download and upload files, according to BGR.
How to find out if you are affected by OSX/MaMi
- Check DNS settings on your Mac
- If you see addresses including 220.127.116.11 and 18.104.22.168, your Mac may be infected
How to protect yourself from OSX/MaMi
Apparently anti-virus programs can't detect OSX/MaMi right now. But a firewall could potentially block the traffic.
Meltdown & Spectre
In January 2018 Apple confirmed that Macs, iPhones and iPads were affected by flaws in Intel chips.
Apple was one of a number of tech companies affected. The company highlighted that: "These issues apply to all modern processors and affect nearly all computing devices and operating systems."
What Meltdown & Spectre do
The Meltdown and Spectre bugs could allow hackers to steal data.
Meltdown would involve a "rogue data cache load" and can enable a user process to read kernel memory, according to Apple’s brief on the subject.
How to protect yourself from Meltdown & Spectre
Apple had already issued patches to mitigate the Meltdown flaw, despite saying that there is no evidence that either vulnerability had been exploited yet.
Apple advises that the best way to protect yourself from these vulnerabilities is to only download and install apps from trusted sources. The company states: “Exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.”
To protect yourself from ‘Meltdown’ make sure you install iOS 11.2 on your iPad or iPhone, macOS 10.13.2 on your Mac, and tvOS 11.2 on your Apple TV. The Apple Watch is secure from the potential exploits.
To protect against ‘Spectre’ Apple has issued a Supplemental Update. The iOS 11.2.2 and macOS 10.13.2 Supplemental Update includes a Spectre fix for Safari and WebKit.
Installing macOS 10.13.2 Supplemental Update will update Safari to version 11.0.2 (13604.4.7.1.6) or version 11.0.2 (13604.4.7.10.6). If the update isn't installed on your Mac automatically, visit the App Store and click on Updates.
Security analysis firm CheckPoint Software Technologies spotted a new OS X malware at the end of April 2017.
Apple rushed to block it.
The macOS Trojan horse appeared to be able to bypass Apple’s protections and could hijack all traffic entering and leaving a Mac without a user’s knowledge - even traffic on SSL-TLS encrypted connections.
OSX/Dok was even signed with a valid developer certificate (authenticated by Apple) according to CheckPoint’s blog post. It is likely that the hackers accessed a legitimate developers’ account and used that certificate. Because the malware had a certificate, macOS’s Gatekeeper would have recognized the app as legitimate, and therefore not prevented its execution. Apple has since revoked that developer certificate and updated XProtect, it’s malware signature system.
The attacker could gain access to all victim communication by redirecting traffic through a malicious proxy server, there's more information about how the attack worked here.
OSX/Dok was targeting OS X users via an email phishing campaign. The best way to avoid falling foul to such an attempt in the future is not to respond to emails that require you to enter a password or install anything.
Back in February 2017 X-agent malware was discovered that was capable of stealing passwords, taking screenshots and grabbing iPhone backups stored on your Mac.
The malware apparently targeted members of the Ukrainian military and was thought to be the work of the APT28 cybercrime group, according to Bitdefender.
In February 2017 researchers found the MacDownloader software lurking in a fake update to Adobe Flash. When the installer is run you'll get an alert claiming that there is adware on your Mac.
You'll be asked to click to "remove" the adware, and when you enter your password on your Mac the MacDownloader malware will attempt to transmit data including your Keychain (so that's your usernames, passwords, PINs, credit card numbers) to a remote server.
Luckily the threat seems to be contained for now: the remote server it the malware tries to connect is now offline.
The best way to avoid such attacks is to always check on Adobe's site to see if there is an update to Flash you should be installing.
The MacDownloader malware is thought to have been created by Iranian hackers and was specifically targetted at the US defence industry. It was located on a fake site designed to target the US defence industry (so likely not yourself). In this case the phishing attempt would have been activated via a Flash file, and since Apple has stopped Flash opening by default, again this is unlikely to have affected you.
Word macro viruses
PC users have had to contend with macro viruses for a long time. Applications, such as Microsoft Office, Excel, and Powerpoint allow macro programs to be embedded in documents. When these documents are opened the macros are run automatically which can cause problems.
Mac versions of these programs haven't had an issue with malware concealed in macros because since when Apple released Office for Mac 2008 it removed macro support. However, the 2011 version of Office reintroduced macros, and in February 2017 there was malware discovered in a Word macro within a Word doc about Trump.
If the file is opened with macros enabled (which doesn’t happen by default), it will attempt to run python code that could have theoretically perform functions such as keyloggers and taking screenshots. It could even access a webcam. The chance of you being infected in this way is very small, unless you have received and opened the file referred to (which would surprise us), but the point is that Mac users have been targeted in this way.
Mac users should still be fairly safe from macros thanks to a warning that appears on the screen should a user attempt to open a document containing macros.
According to a report in January 2017, Fruitfly malware had been conducting surveillance on targeted networks for possibly two years.
The malware captures screenshots and webcam images, as well as looking for information about the devices connected to the same network - and then connects to them.
Malwarebytes claims the malware could have been circulating since OS X Yosemite was released in 2014.
Apple is already detecting Firefly via own built-in anti-malware tool. Apple has all the malware definitions in its XProtect file which sits on your Mac, and everytime you download a new application it checks that none of those definitions are present. This is part of Apple's Gatekeeper software that blocks apps created by malware developers and verifies that apps haven’t been tampered with.
Back in April 2016 OSX/Pirrit was apparently hidden in cracked versions of Microsoft Office or Adobe Photoshop found online. It would gain root privileges and create a new account in order to install more software, according to Cybereason researcher Amit Serper in this report.
KeRanger is ransomware. Ransomware is, in general, a sub-category of malware that involves dodgy software sneaking itself on to your computer and then encrypting files against your wishes. You'll then be left with two apparent options: never be able to access those files again, or pay the 'ransom' to decrypt them. (We discuss how to remove Ransomware here.)
For a long time ransomware was a problem that Mac owners didn't have to worry about, but March 2016 saw the appearance of the first ever piece of Mac ransomware KeRanger, distributed along with a version of a piece of legitimate software: the Transmission torrent client.
Transmission has since updated to remove this malware (and Apple has taken steps of its own) but not before a number of unlucky users got stung.
The KeRanger attack runs from a file named OSX.KeRanger.A. The KeRanger file somehow snuck itself into the Transmission 2.90 update and would be installed alongside it. If you were unlucky enough to have downloaded and run Transmission 2.90, you would also run the KeRanger file.
Chances are you are safe, even if you do use Transmission: the KeRanger file would only have been present in the download on the Transmission website between 4-5 March.
Apple has since revoked the GateKeeper signature and updated its XProtect system (part of File Quarantine) to block KeRanger.
But if you are using Transmission, you must upgrade to the latest version, Transmission 2.92, immediately. You'll find more information about KeyRanger on the Transmission website.
Palo Alto Network's Claud Xiao and Jin Chen explain how KeRanger works:
"The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple's Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to be still under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their backup data.
"Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4. Apple has since revoked the abused certificate and updated XProtect antivirus signature, and Transmission Project has removed the malicious installers from its website. Palo Alto Networks has also updated URL filtering and Threat Prevention to stop KeRanger from impacting systems."
In November 2016, and accelerating into the New Year, the security company Malwarebytes started documenting Mac-targeted denial-of-service attacks originating from a fake tech support website.
Like many Mac-targeted attacks, it depends on 'social engineering' or user error: you click a link in an email, and the malware is smuggled on to your Mac. This then triggers the attack.
There are two versions of the attack; the one you get depends on your version of macOS. Either Mail is hijacked and forced to create vast numbers of draft emails, or iTunes is forced to open multiple times. Either way, the end goal is to overload system memory and force a shutdown or system freeze.
Screenshot courtesy of Malwarebytes
(In fact, the real end goal is to get you to call a bogus Apple support number, whereupon you will presumably get charged to hear a fake solution by the people who caused the problem in the first place.)
You can avoid this issue, fortunately, by updating macOS: Malwarebytes suspects that Sierra 10.12.2 includes a patch for this, since up-to-date machines were not affected by the problem in testing.
SSL , Gotofail error
This caused issues for Mac users back in 2014. The problem was with Apple's implementation of a basic encryption feature that shields data from snooping. Most websites handling sensitive personal data use SSL (Secure Sockets Layer) or TLS (Transport Layer Security), which establishes an encrypted connection between a server and a person's computer so that snoopers cannot read the traffic and extract information like credit card numbers or log-in credentials. If an attacker intercepts the data, it is unreadable.
However, Apple's validation of SSL encryption had a coding error that bypassed a key validation step in the web protocol for secure communications. There was an extra Goto command that hadn't been closed properly in the code that validated SSL certificates, and as a result, communications sent over unsecured Wi-Fi hotspots could be intercepted and read while unencrypted. This could potentially expose user password, bank data, and other sensitive data to hackers via man-in-the-middle attacks. Criminals could also supply fake data that makes it appear an authentic web service has been cryptographically verified.
These kinds of attacks are known as a man-in-the-middle attack and it is a form of eavesdropping in which a hacker makes an independent connection between a client and its destination server. The hacker is then able to relay messages between them, making the client and server believe they are talking to each other over a private connection.
In order for this type of attack to be possible, the attacker would have to be on the same public network.
Apple quickly issued an update to iOS 7 and iOS 6, but took longer to issued an update for Mac OS X, despite Apple confirming that the same SSL/TSL security flaw was also present in OS X. Read more about the iPad and iPhone security flaw here.
Apple said it had a fix ready for OS X and would release it "very soon". The fix came late the following night.
For more information about how Apple protects your Mac from security vulnerabilities and malware read: Do Macs need antivirus software.