Skip to Content
© Pras Boonwong | Dreamstime.com
Safety & security

Most common Mac malware and how to stay safe

Malware targeting Macs has evolved from marginal to the mainstream over the years, and it is on the rise.

Windows users always need to be on the lookout for malicious programs. It was recently discovered that millions of PCs are infected with malware. Tap or click here to check your machine now. But according to security analysts, computers with macOS on board were hit nearly two times more than Windows PCs in 2019.

With the Mac market share increasing, the issue will most likely keep escalating. Let’s go over the most impactful forms of malicious code zeroing in on Mac machines right now to see the big picture.

Adware

Adware is by far the most common threat haunting the Mac ecosystem. These apps are nuisances that display redundant ads or hijack one’s browser and reroute it to junk services.

Two years ago, an adware strain called Shlayer took the world by storm due to its insanely effective propagation wave relying on booby-trapped Adobe Flash Player updates. It was detected on roughly 10% of all Macs. When inside a system, Shlayer redirects the victim’s default browser to fake search engines and quietly downloads second-stage malware payloads.

Cryptominers

A crypto miner’s goal is to gobble up a computer’s processing resources to mine cryptocurrency such as Bitcoin or Monero behind the user’s back. OSX/LoudMiner, a notable example of a Mac threat from this category, broke out in June 2019. Also known as Bird Miner, it was distributed via Trojan-infected copies of popular Virtual Studio Technology (VST) apps.

Tap or click here to find out how to stop your computer from being hijacked for crypto mining.

Scareware

Scareware pretends to detect numerous performance and security problems to manipulate a Mac user into purchasing a license key. A few notorious rogue programs from this cesspool are Advanced Mac Cleaner, Mac Auto Fixer and Mac Cleanup Pro. Tap or click here for ways to outsmart scareware.

Info-stealers

These sneaky apps mostly tailgate into Macs alongside harmless software promoted through multi-component installation packages. After gaining a foothold in a system, they amass sensitive data such as passwords, credit card numbers, and cryptocurrency wallet details. Then, this information is sent to a Command & Control (C2) server run by criminals.

ThiefQuest is a particularly tricky example of a Mac info-stealer. Discovered in July 2020, it employs ransomware-style tactics to smokescreen its data harvesting activity.

How Mac malware spreads

Whereas malware operators’ repertoire spans numerous tricks to ensnare users and deliver evil code to Macs, a handful of them stand out from the rest due to their prevalence in the present-day cybercrime arena. Below is a roundup of these top techniques in a threat actor’s handbook.

  • Bundling: This method is front and center in the vast majority of today’s Mac malware distribution schemes. Its logic is as follows: crooks wrap up dubious apps into seemingly legit software installers. This territory is dominated by scams pushing the likes of the above-mentioned Shlayer adware through the Adobe Flash Player update bundle. The default installation option includes an unwanted app, but the user is clueless about it. Interestingly, although this Adobe product is no longer officially supported in 2021, such campaigns are still going strong.
  • Pirated software: Installing cracked versions of mainstream applications can be a slippery slope because they often turn out to be malware in disguise. Threat actors can poison such software with malicious components so that freebie lovers get infected without realizing it.
  • “Your Mac is infected” hoax: This one capitalizes on Mac users’ gullibility. Its scare component comes down to deceptive alerts stating that the system is contaminated with viruses. Once the target is on the hook, a click on the ‘Scan Now’ button to learn more about the purported infection will instantly pull adware or scareware into the Mac behind the scenes. These spoofed warnings are usually shown on previously compromised sites or specially crafted malicious landing pages.
  • Contagious torrents: The huge popularity of P2P services like torrents has a flip side — it lures cybercriminals who seek to expand their victim audiences. Unsurprisingly, camouflaging malware as torrent files with some awesome video content is a common infection tactic. Also, crooks may inject harmful code into legit torrent client installers.

    An example of the latter scenario is the first-ever fully functional Mac ransomware called KeRanger in 2016. It was making the rounds via modified copies of the Transmission BitTorrent client.
  • Office macros: In an ideal world, Microsoft Office macros streamline routine, iterative tasks and thereby improve the user experience. In real life, though, these entities can become the building blocks of sneaky malware execution stratagems.

    The attack starts with a phishing email that contains a booby-trapped Word or Excel file. When opened, this document prompts the user to enable macros so that they can view the content. However, doing so will trigger a Visual Basic for Applications (VBA) script that, in turn, downloads malware. In a recent campaign, bad actors exploit a known vulnerability (CVE-2019-1457) to bypass the macOS sandbox and run dangerous macros with hardly any user interaction.
  • Phishing: This old-school infection method hinges on misleading emails that hoodwink Mac users into clicking a malicious link or downloading and launching a malware executable masquerading as a benign file. With social engineering at its heart, this hoax often uses pressure and feigns urgency. For instance, the message may state that the recipient has been charged for services they never bought. Lots of phishing emails in circulation today use the COVID-19 theme to make users slip up.

How to remove Mac malware

The following steps will help you get rid of malware if it has cropped up on your Mac. The caveat is that these pests may appear across different system directories under random names that have nothing to do with the symptoms you see. Therefore, you will have to follow your intuition in some scenarios or use a trusted automatic cleaning tool to purge the threat.

1. Quit the malicious process

Go to Utilities > Activity Monitor and try to pinpoint the wrongdoing executable. It could use up more CPU and RAM than the other processes and has a suspicious icon next to it. If you find the culprit, click the Stop icon (X symbol) in the toolbar and select Force Quit.

2. Uninstall the unwanted app

Click Go in the Finder bar and select Applications. Spot a recently added app you do not remember installing and move it to the Trash.

3. Get rid of sketchy LaunchAgents and LaunchDaemons

Select the Go to Folder option in the Finder’s ‘Go’ pull-down menu, type “~/Library/LaunchAgents,” and hit Enter. Check your LaunchAgents folder for objects that look out of place and delete them. Use the same folder navigation procedure to browse to Library/LaunchDaemons and ~/Library/Application Support directories. Scroll down and try to identify rogue items in these paths as well. Delete them once found.

4. Vanquish bad Login Items

Head to System Preferences > Users & Groups. Click the Login Items tab, find the unwanted entry in the list, and click the ‘minus’ sign to eliminate it. Be advised that you will need to click the padlock icon at the bottom of the screen and enter your admin password to put these changes into effect.

5. Remove a dubious configuration profile

Go to System Preferences > Profiles. This item might be missing if no device profiles are installed in the system. If so, it is safe to proceed to the next step. If the Profiles option is there, click it, select the rogue item in the list and click the minus symbol at the bottom to get rid of it.

6. Empty the Trash

Right-click the Trash icon in your Dock and select ‘Empty Trash’ in the context menu.

In conclusion

The now-debunked myth that Macs do not get viruses is still doing numerous users a disservice. While Apple’s defenses against harmful code are praiseworthy, they are not immaculate. Furthermore, the mantra about ultimate Mac protection out of the box makes people forget that they can be the weak link.

Most malware attacks happen because users download something they should not or click links they should avoid. That said, a little bit of proper online hygiene combined with basic security awareness and timely macOS updates will keep you on the safe side.

About the writer: David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.

Komando.com App background

Check out the free Komando.com App!

Get the latest tech updates and breaking news on the go, straight to your phone, with the Komando.com App, available in the Apple Store and Google Play Store.

Download Now