If you are worried you have some kind of malware or virus on your Mac, we are here to help you figure out what's going on and, if necessary, clean up the damage - all for free. A lot of the websites offering advice on Mac malware removal are companies trying to sell you antivirus solutions, which makes their tips somewhat biased, but here you can expect impartial advice.
We'll cover how to check for and remove malware from your Mac, getting rid of any viruses that might be lurking. We'll also explain why it's probably not a virus, thanks to Apple's stringent protections in macOS, and, in case it is, we'll let you know about the free and cheap options that can protect your Mac from malware.
Do Macs get viruses?
It's often said that Apple products don't get malware or viruses. While this is true of devices based on iOS - such as the iPhone or iPad - it's not 100 percent true when it comes to Macs nowadays. There have been a few notable malware and virus reports in recent years, although a big difference compared to Microsoft Windows is that there's never been a Mac malware epidemic. In fact, since the release of OS X (now known as macOS), a tiny fraction of the total number of Macs in the world have ever been infected.
There are a few reasons why Mac viruses don't tend to take hold. One is the stringent protections built into macOS; another is the fact that it is exceptionally difficult for a virus to 'propagate' itself and spread to other Macs.
However, Macs have come under the spotlight for malware and virus creators. There are lots of nasty people out there who see Macs - and their users - as prime targets, and in this article we show how to stay safe and avoid or get rid of the malware and viruses they try to dump on your Mac. (We also recommend you read our best Mac security tips and our roundup of the best Mac antivirus apps, in which we recommend Intego as our top choice.)
Note that to an extent we are going to be mixing and matching the terms malware and virus but they are actually separate concepts. Malware tends to take the form of apps that pretend to do one thing, but actually do something nefarious, such as steal data. Viruses are small discrete bits of code that get on to your system somehow and are designed to be invisible. There are also other types of threat, such as ransomware and other phishing attempts, where an attempt is made to extract information that can be used to obtain money from you.
Whatever method is used, Macs and Mac users are certainly a target for unscrupulous people looking to make money.
How to check for malware on a Mac
So Mac viruses are rare. Often the scary malware you have heard about was discovered on some dodgy site you would never visit, and the only way to infect your Mac is to download something you shouldn't and then jump through hoops to actually install it. Other times the 'virus' is more of a proof of concept than a real threat.
However, every now and again malware or a virus does make it through into the wild (as in, onto computers being used in the real world). When this happens there could be a small risk of infection. With this in mind, a basic knowledge of security is good for any Mac user.
Here are just some of the symptoms of malware or viruses you might watch out for:
- Your Mac suddenly becomes sluggish or laggy in everyday use, as if there's some software running in the background chewing up resources;
- You find there's a new toolbar in your browser that you didn't install. Typically these toolbars claim to make it easier to search or shop;
- You find any web searches are unexpectedly redirected away from your usual search engine to some site you've never heard of (or the results appear in a page that's faked up to look like your usual search engine);
- All web pages are overlaid with adverts - even those where you don't expect to see adverts, such as Wikipedia;
- Going to your favourite sites doesn't always work, as if something is randomly redirecting you to spam advertising pages;
- Advertising windows pop up on your desktop, seemingly unconnected with any browsing you're doing or any program that's running.
If you get any of these symptoms then don't panic: they don't necessarily mean you have a malware or virus infection on your Mac. There are a thousand reasons why a Mac might run slowly, for example.
Additionally, some legitimate apps have unfortunately begun to add their own occasional popups for their other products (although some people still refer to these apps as adware/malware, and refuse to have them on their system).
Here's one thing you definitely shouldn't do if you think your Mac is infected: don't Google a description of the problem and install the first thing you find that claims to be able to fix things. Sadly, a lot of software that claims to be able to fix Macs is in fact malware itself, or is simply fake and designed only to make you part with money. The crooks behind this software manipulate Google's search results so they appear at the top, and their apps can look incredibly convincing and professional.
Fake antivirus apps like MacDefender, which hit the headlines a few years ago, might look the part but are actually malware in disguise
If you think there is a virus, or some other threat, on your Mac, you may want to run a check - there are lots of apps offering to do this for you, and we will run through some of the best solutions below. However, before we do, you may find that Apple is already doing a good enough job of protecting you. Read on to find out what built-in protections there are.
How Apple protects you from viruses/malware
As we mentioned above, for several years now Apple has included invisible background protection against malware and viruses. We cover this in a separate article: Do Macs Need Antivirus Software? but here are the highlights:
Apple makes it difficult for you to download and install software that isn't from a known developer. The simplest way to install an app on your Mac is to purchase it from the Mac App Store, in which case Apple will have already verified it.
If the app you want isn't on the Mac App Store you may find it elsewhere, but before you can install the software you will be warned if the app is from an unidentified developer. It is possible to install the app, but you may need to change your settings and jump through a few hoops. Read: How to install an app from an unidentified developer for an explanation of what you need to do.
Soon everyone making software for the Mac will be required to have a 'certificate' from Apple before their software can be installed. This is another layer of protection for consumers. Apps will need to be 'notarised' as Apple said earlier in 2019: "To further protect users on macOS Catalina, we're working with developers to make sure all software, whether distributed on the App Store or outside of it, is signed or notarized by Apple. This will give users more confidence that the software they download and run, no matter where they get it from, has been checked for known security issues."
XProtect is Apple's built-in malware protection. The fact that Apple has built its own antivirus into macOS confirms that there is a threat, while at the same time, potentially, making antivirus apps obsolete. Here's what XProtect does:
XProtect will scan files you've downloaded and check them for known malware or viruses. If any are found you will be told the file is infected or damaged. The XProtect system gives a warning when you download malware that it knows about, and tells you exactly what to do.
XProtect has been very effective at halting the spread of Mac malware before it can even get started, and is yet another reason why malware or virus infections on a Mac are rare. XProtect will even block older versions of legitimate software, such as Java or the Flash plugin, that have subsequently proven to be vulnerable to malware attack.
As good as Apple's protections are, they may not be enough. Unfortunately, sometimes it takes Apple a few days (or longer) to respond to the latest threat. For that reason it is worth considering an additional antivirus tool to stay safe.
We have this advice about the best antivirus solutions for Mac users, including free and paid for options.
How to remove malware from a Mac
If, despite all the protections Apple offers and your own caution, you think your Mac is infected by malware or a virus, try these top ten steps to clean things up:
1. No more passwords
From this point forward don't type any passwords or login details in case a hidden keylogger is running. This is a very common component within malware.
Beware that many keylogger-based malware or viruses also periodically secretly take screenshots, so be careful not to expose any passwords by copying and pasting from a document, for example, or by clicking the Show Password box that sometimes appears within dialog boxes.
2. Keep (mostly) offline
As much as possible from this point onwards you should try to turn off your internet connection by either clicking the Wi-Fi icon in the menu bar and selecting Turn Wi-Fi Off, or disconnecting the Ethernet cable if you're using a wired network.
If possible, keep your internet connection turned off until you're sure the infection has been cleaned up. This will prevent any more of your data being sent to a malware server. (If you need to download cleanup tools then this obviously might not be possible.)
3. Activity Monitor
If you know for sure you've installed some malware - such as a dodgy update or app that pretends to be something else - then make a note of its name, and then quit out of that app by tapping Cmd + Q, or clicking Quit in the menu.
Open Activity Monitor, which you'll find within the Utilities folder of the Applications list (or you can search for it in Spotlight by pressing Command + Space and typing Activity Monitor). Use the search field at the top right to search for the app's name. You might find that it's actually still running, despite the fact you quit it, so select it in the list and click the X icon at the top left of the toolbar and select Force Quit.
However, most malware authors are wise to this and will obfuscate their code so that it uses non-obvious names, which makes it almost impossible to uncover this way.
4. Shut down and restore
If you can, immediately shut down your Mac and restore from a recent backup, such as one made with Time Machine. (For alternatives to Time Machine, take a look at our roundup of the best backup software & services for Mac.) Obviously, this backup should be from a time before you believe your computer became infected.
After restoring the backup, be careful when rebooting not to plug in any removable storage such as USB sticks you had plugged in earlier when your computer was infected, or to open the same dodgy email, file or app. (Scan removable storage devices via an antivirus app on a Windows computer to remove the Mac malware - even though it's Mac malware, it will still be spotted by antivirus apps running on other platforms.)
5. Use Bitdefender
If you can't restore from a backup, open the Mac App Store and download the free-of-charge Bitdefender Virus Scanner. (If you are willing to spend a little cash then the paid-for version of Bitdefender is worth consideration, as are the top picks in our roundup of the best Mac antivirus apps.)
Once it's downloaded and installed, open the app and click the Update Definitions button, then once that's completed click the Deep Scan button. Follow the instructions to allow the app full access to your Mac's hard disk.
6. Credit-card details
If you believe your Mac was infected after opening a particular file or app, obviously you should delete that file permanently by putting it into the Trash, and then emptying the Trash.
If you handed over money at any point for the malware - such as if you paid for what appeared to be a legitimate antivirus app, for example - then contact your credit card company or bank immediately and explain the situation. This is less about getting a refund, although that might be possible. It's more about ensuring your credit card details aren't used anywhere else.
7. Clear cache
Again, assuming that you haven't been able to restore from a backup and have had to scan your Mac using Bitdefender, you should also clear your browser's cache.
In Safari this can be done by clicking Safari > Clear History, and then selecting All History from the dropdown list. Then click the Clear History button.
In Google Chrome this can be done by clicking Chrome > Clear Browsing Data, then in the Time Range dropdown box selecting All Time. Then click Clear Data.
8. Empty the Download folder
Drag the whole lot to the Trash, and then empty the Trash.
9. Change passwords
Once you're sure the infection has been cleaned up, change all your passwords. That's right, we really do mean all of them - including those for websites, cloud services, apps, and so on.
Inform your bank or financial institutions of the infection and seek their advice on how to proceed. Often at the very least they make a note on your account for operatives to be extra vigilant should anybody try to access it in future, but they may also issue you with new details.
10. Reinstall macOS
Sometimes the only way to be sure you're clean of an infection is to entirely reinstall macOS and your apps from scratch after wiping the hard disk.
How to stop malware getting on to your computer
Typically malware or viruses get on to your computer in a handful of ways, as listed below. You can help diagnose whether you might have an actual infection by seeing if you've undertaken any of these steps recently:
As mentioned earlier, the malware looks like legitimate software, such as a virus scanner that you download in panic after believing yourself to be infected. Check for independent reviews of apps or ask for personal recommendations from others to avoid downloading this kind of thing.
This kind of malware might be downloaded by you, or it might arrive via email, or perhaps even arrive via an instant message.
Apple has built-in protections that should stop you installing this sort of thing. The company won't allow you to install software that isn't from a registered developer, for example, without first jumping through a few hoops. When you try to open such an app you'll see a warning that the application is from an unidentified developer. Of course, it's not always going to be the case that this is malware, so it is generally possible to open such software, but you will have to make some changes to your settings in order to do so, as we explain here: How to open a Mac app from an unidentified developer.
There are also protections in place in the form of macOS's Gatekeeper technology, which should recognise any malicious software and stop you from installing it - as long as it's not very new (it can take Apple a few days or weeks to address new malware). Should macOS detect a malicious app it will let you know and will ask you to move it to the Trash. Read more about Apple's built-in virus protection here: How Apple protects your Mac from Malware.
To protect yourself we also recommend that you choose these Mac security settings.
Don't relax entirely in the comfort of knowing that Apple has your back, though. There are still ways that malicious software could fool you into installing it. Read on to find out more.
Sometimes malware or viruses might be disguised as an image file, word processing or PDF document that you open either without realising what it is, or out of curiosity to see what it is - perhaps upon finding a strange new file on your desktop, for example. (Today's top tip: DO NOT open files that suddenly appear unless you know what they are!)
The malware creator's technique here is simply to give the malware a fake file extension. Most of us can see straight through this, but it's surprising how effective an attack vector this can be.
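An added example, not part of the original article: a POSIX shell check that compares a file's leading bytes with what its extension claims, and flags document-style names that carry a second extension. The function names and the short list of file types are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: spot files whose name claims to be a document or image
# but whose content, or a second hidden extension, says otherwise.

# First four bytes of FILE as lowercase hex, e.g. "25504446" for "%PDF".
magic_hex() {
    od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \t\n'
}

# Map leading bytes to a content type (small illustrative list).
content_kind() {
    case "$(magic_hex "$1")" in
        ffd8ff*)                    echo jpeg ;;
        89504e47)                   echo png ;;
        25504446)                   echo pdf ;;
        504b0304)                   echo zip ;;     # .docx is a zip container
        cffaedfe|cefaedfe|cafebabe) echo macho ;;   # Mach-O 64/32-bit, universal
        2321*)                      echo script ;;  # "#!" interpreter line
        *)                          echo unknown ;;
    esac
}

# classify FILE -> ok | mismatch:<kind> | double-ext | skip
classify() {
    name=$(basename "$1" | tr 'A-Z' 'a-z')
    case "$name" in
        *.pdf.*|*.jpg.*|*.jpeg.*|*.png.*|*.docx.*)
            echo double-ext; return ;;              # e.g. invoice.pdf.command
    esac
    case "${name##*.}" in
        jpg|jpeg) want=jpeg ;;
        png)      want=png ;;
        pdf)      want=pdf ;;
        docx)     want=zip ;;
        *)        echo skip; return ;;              # type not covered here
    esac
    kind=$(content_kind "$1")
    if [ "$kind" = "$want" ]; then echo ok; else echo "mismatch:$kind"; fi
}

# Print every suspicious entry in directory DIR.
scan_dir() {
    for f in "$1"/*; do
        r=$(classify "$f")
        case "$r" in ok|skip) ;; *) echo "$r  $f" ;; esac
    done
}

# Run as: sh check_ext.sh ~/Downloads
if [ "$#" -gt 0 ]; then scan_dir "$1"; fi
```

A mismatch is a reason to leave the file unopened and scan it, not proof of malware; the `cafebabe` signature, for instance, is shared with Java class files.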
Malware-loaded legitimate files
The malware gets on to your system via a flaw or security hole in your browser or other software, such as your word processor or PDF viewer; in this case an otherwise ordinary document or webpage you open contains hidden malware that then runs without you realising, or opens a hole in your system for further exploitation.
Fake updates or system tools
The malware looks like a legitimate update. Typically this is offered via a fake warning dialog box while you're browsing. Fake updates for the Adobe Flash Player browser plugin, or fake antivirus/system optimisation apps, are a particularly popular vector of attack.
Fake updates like this can look pretty convincing but only want to deliver malware on to your computer!
Fake technical help
You're phoned out of the blue by someone claiming to be from Apple or Microsoft, maybe even BT, who tells you that they believe your computer is infected and walks you through some steps to undo the damage - while all the time putting in place their own malware, of course.