Despite Apple’s best efforts, Mac malware does exist, we describe some cases below. However, before you panic, Mac malware and viruses are very rarely found “in the wild”.
From time to time you will hear of big profile trojans, malware, and ransomware that is targeting the Windows world, very rarely is this a threat to Macs. For example, the worldwide WannaCry/WannaCrypt ransomware attack that hit back in May 2017 was only targeting Windows machines and therefore no threat to Macs.
Luckily Apple has various measures in place to guard against such threats. For example, macOS shouldn’t allow the installation of third-party software unless it’s from the App Store or identified developers. You can check these settings in macOS Ventura’s System Settings > Privacy & Security and scroll to the Security section, or, if you are using Monterey or older, go to System Preferences > Security & Privacy > General. You can specify whether only apps from the Mac App Store can be installed, or if you are happy to allow apps from identified developers too. If you were to install something from an unknown developer Apple would warn you to check it’s authenticity.
In addition Apple has its own built-in anti-malware tool. Apple has all the malware definitions in its XProtect file which sits on your Mac, and every time you download a new application it checks that none of those definitions are present. This is part of Apple’s Gatekeeper software that blocks apps created by malware developers and verifies that apps haven’t been tampered with. For more information read: how Apple protects you from malware. We also discuss whether Macs need antivirus software separately.
In recent years malware on the Mac actually decreased, however, as you will see if you read on, Macs are not completely safe from attacks. Even Apple’s Craig Federighi has admitted there is a problem, saying in May 2021 that: “We have a level of malware on the Mac that we don’t find acceptable.” To stay safe, we recommend you read our best Mac security tips and our round up of the best Mac antivirus apps, in which we highlight Intego as our top pick.
Another thing to note is that Apple’s own M-series chips that it has been using in Macs since November 2020 are considered more secure than Intel processors. However, malware, dubbed Silver Sparrow, was found on the M1 Mac soon after launch so even Apple’s own chips are not immune.
Curious to know what Mac viruses are out there, perhaps because you were thinking you might spy some suspicious processes or malware names in Activity Monitor on your Mac? In this article we will endeavour to give you a complete list.
Antivirus Deal: Intego Mac Premium Bundle
Get Intego’s Mac Premium Bundle X9 with antivirus, firewall, backup and system performance tools for just $29.99 (down from $84.99) for the first year.
Mac malware in 2023
When: March 2023. What: The MacStealer malware can get passwords, cookies, and credit card data from Firefox, Google Chrome, and Brave browsers, including being able to extract the KeyChain database. Who: Macs running macOS Catalina or later, with either Intel or Apple M-series chips. For more information read: Scary ‘MacStealer’ malware goes after iCloud passwords and credit card data.
When: February 2023. What: Crypto-mining software attached to pirated copies of Final Cut Pro that are downloaded from unauthorized distribution points on the internet. XMRig is actually a legitimate, open-source utility, but in this illegitimate use it is running in the background mining, which affects performance of the Mac. Mined cryptocurrency is sent to the attacker’s wallet. The malware can avoid detection by Activity Monitor app by stopping running when Activity Monitor launches and relaunching when the user quits Activity Monitor. Apple says it has updated macOS’s Xprotect to catch this malware. Who: People who download pirated versions of Final Cut Pro using a torrent client. More here: Pirated copies of Final Cut Pro may infect your Mac.
Mac malware in 2022
When: October 2022. What: Provides a backdoor onto the target system. Targeting a vulnerability in a 3rd party Unix tool. Who: Very specific target as pkexec is rarely found on Macs.
When: August 2022. What: Malware disguised as job postings. Who: Targeting Coinbase users and Crypto.com.
When: July 2022. What: VPN app with two malicious binaries: ‘softwareupdated’ and ‘covid’.
When: July 2022. What: Spyware downloader that uses public cloud storage services such as Dropbox, Yandex Disk and pCloud. Exploited CVE-2020-9934 which was closed macOS Catalina 10.5.6 in August 2020.
When: May 2022. What: Supply chain attack with screencapture, keylogging, remote file retrieval. Who: Targeted the Rust development community.
When: May 2022. What: Hoping that users might mistype and download the malware instead of legitimate pykafka. Who: Targeting PyPI registry.
When: April 2022. What: Distributed via a Disk Image masquerading as a collection of Bitget Apps. Who: Targeting gambling websites.
When: March 2022. What: Distributed as a CorelDraw file that was hosted on a Google Drive. Who: Targeting protest groups in Asia.
When: January 2022. What: Included code for searching and writing files, dumping the keychain, running a remote desktop and more. Read more here: Patched Mac malware sheds light on scary backdoor for hackers. Who: Targeting supporters of democracy in Hong Kong.
When: January 2022. What: Chrome browser extension that could steal information, hijack the search engine queries, and serve adware.
Mac malware in 2021
When: November 2021. What: Keylogger, screen capturer, screen capturer and backdoor. Who: Targetting supporters of pro-democracy activism in Hong Kong.
When: September 2021. What: Trojan that spread disguised as iTerm2 app. Microsoft’s Remote Desktop for Mac was also trojanized with the same malware. Who: Spread via sponsored web links and links in the Baidu search engine.
When: May 2021 (originally from August 2020). What: Used a zero-day vulnerability in Safari. See: macOS 11.4 patches flaws exploited by XCSSET malware. Who: Aimed at Chinese gambling sites.
When: July 2021. What: The XLoader malware was one of the most prevalent pieces of Windows malware to have been confirmed to run on macOS. XLoader is a variant of Formbook, a program used to steal login credentials, record keystrokes, and download and execute files.
When: July 2021. What: New multi-platform version of Milum Trojan embedded in a Python file. Who: Targeting Middle East activists.
When: March 2021. What: A Trojan hidden in Xcode projects in GitHub had the potential to spread among the Macs of iOS developers. Once installed a malicious script runs that installs an “EggShell backdoor”. Once open the Mac’s microphone, camera and keyboard can be hyjacked and files can be send to the attacker. The malware was found in a ripped version of TabBarInteraction. Read more here: New Mac malware targets iOS developers. Who: Attack on iOS developers using Apple’s Xcode.
When: February 2021. What: Adload dropper that was notarized by Apple and used a Gatekeeper bypass.
When: February 2021. What: Based on Pirri and known as GoSearch22 infected Macs would see unwanted adverts. More information here: M1 Macs face first recorded malware.
When: January 2021 (but first detected in 2015). What: Cryptocurrency miner distributed via pirated copies of popular apps including League of Legends and Microsoft Office.
When: January 2021. What: Remote Access Trojan targeting multiple platforms including macOS. Who: Targeting cryptocurrency users.
Mac malware in 2020
When: October 2020. What: GravityRAT was an infamous Trojan on Windows, which, among other things, had been used in attacks on the military. It arrived on Macs in 2020. The GravityRAT Trojan can upload Office files, take automatic screenshots and record keyboard logs. GravityRAT uses stolen developer certificates to bypass Gatekeeper and trick users into installing legitimate software. The Trojan is hidden in copies of various legitimate programs developed with .net, Python and Electron. We have more information about GravityRAT on the Mac here.
When: August 2020. What: Mac malware spread through Xcode projects posted on Github. The malware – a family of worms known as XCSSET – exploited vulnerabilities in Webkit and Data Vault. Would seek to access information via the Safari browser, including login details for Apple, Google, Paypal and Yandex services. Other types of information collected includes notes and messages sent via Skype, Telegram, QQ and Wechat. More information here.
ThiefQuest (aka EvilQuest)
When: June 2020. What: ThiefQuest, which we discuss here: Mac ransomware ThiefQuest/EvilQuest could encrypt your Mac, was Ransomware spreading on the Mac via pirated software found on a Russian torrent forum. It was initially thought to be Mac ransomware – the first such case since 2017 – except that it didn’t act like ransomware: it encrypted files but there was no way to prove you had paid a ransom and no way to subsequently unencrypted files. It turned out that rather than the purpose of ThiefQuest being to extort a ransom, it was actually trying to obtain the data. Known as ‘Wiper’ malware this was the first of its kind on the Mac.
Mac malware in 2019
NetWire and Mokes
When: July 2019. What: These were described by Intego as “backdoor malware” with capabilites such as keystoke logging and screenshot taking. They were a pair of Firefox zero-days that targeted those using cryptocurrancies. They also bypassed Gatekeeper. backdoor” malware
LoudMiner (aka Bird Miner)
When: June 2019. What: This was a cryptocurrency miner that was distributed via a cracked installer for Ableton Live. The cryptocurrency mining software would attempt to use your Mac’s processing power to make money.
When: June 2019. What: This malware attempted to add tabs to Safari. It was also digitally signed with a registered Apple Developer ID.
When: May 2019. What: It exploited a zero-day vulnerability in Gatekeeper to install malware. The “MacOS X GateKeeper Bypass” vulnerability had been reported to Apple that February, and was disclosed by the person who discovered it on 24 May 2019 because Apple had failed to fix the vulnerability within 90 days. Who: OSX/Linker tried to exploit this vulnerability, but it was never really “in the wild”.
When: January 2019. What: The CookieMiner malware could steal a users password and login information for their cyberwallets from Chrome, obtain browser authentication cookies associated with cryptocurrency exchanges, and even access iTunes backups containing text messages in order to piece together the information required to bypass two-factor authentication and gain access to the victim’s cryptocurrency wallet and steal their cryptocurrency. Unit 42, the security researchers who identified it, suggest that Mac users should clear their browser caches after logging in to financial accounts. Since it’s connected to Chrome we also recommend that Mac users choose a different browser. Find out more about CookieMiner Mac malware here.
Mac malware in 2018
When: 2018. What: OSX.SearchAwesome was a kind of adware that targets macOS systems and could intercept encrypted web traffic to inject ads.
Mac Auto Fixer
When: August 2018. What: Mac Auto Fixer was a PiP (Potentially Unwanted Program), which piggybacks on to your system via bundles of other software. Find out more about it, and how to get rid of it, in What is Mac Auto Fixer?
When: June 2018. What: This Mac malware was found on several websites, including a comic-book-download site in June 2019. It even showed up in Google search results. CrescentCore was disguised as a DMG file of the Adobe Flash Player installer. Before running it would check to see if it inside a virtual machine and would looks for antivirus tools. If the machine was unprotected it would install either a file called LaunchAgent, an app called Advanced Mac Cleaner, or a Safari extension. CrescentCore was able to bypass Apple’s Gatekeeper because it had a signed developer certificate assigned by Apple. That signature was eventually revoked by Apple. But it shows that although Gatekeeper should stop malware getting through, it can be done. Again, we note that Adobe ended support for Adobe Flash on 31 December 2020, so this should mean fewer cases of malware being disguised as the Flash Player.
When: May 2018. What: Cryptominer app. Infected users noticed their fans spinning particularly fast and their Macs running hotter than usual, an indication that a background process was hogging resources.
When: February 2018. What: Mac adware that infected Macs via a fake Adobe Flash Player installer. Intego identifed it as a new variant of the OSX/Shlayer Malware, while it may also be refered to as Crossrider. In the course of installation, a fake Flash Player installer dumps a copy of Advanced Mac Cleaner which tells you in Siri’s voice that it has found problems with your system. Even after removing Advanced Mac Cleaner and removing the various components of Crossrider, Safari’s homepage setting is still locked to a Crossrider-related domain, and cannot be changed. Since 31 December 2020 Flash Player has been discontinued by Adobe and it no longer supported, so you can be sure that if you see anything telling you to install Flash Player please ignore it. You can read more about this incident here.
When: January 2018. What: MaMi malware routes all the traffic through malicious servers and intercepts sensitive information. The program installs a new root certificate to intercept encrypted communications. It can also take screenshots, generate mouse events, execute commands, and download and upload files.
Meltdown & Spectre
Mac malware in 2017
When: April 2017. What: macOS Trojan horse appeared to be able to bypass Apple’s protections and could hijack all traffic entering and leaving a Mac without a user’s knowledge – even traffic on SSL-TLS encrypted connections. OSX/Dok was even signed with a valid developer certificate (authenticated by Apple) according to CheckPoint’s blog post. It is likely that the hackers accessed a legitimate developers’ account and used that certificate. Because the malware had a certificate, macOS’s Gatekeeper would have recognized the app as legitimate, and therefore not prevented its execution. Apple revoked that developer certificate and updated XProtect. OSX/Dok was targeting OS X users via an email phishing campaign. The best way to avoid falling foul to such an attempts is not to respond to emails that require you to enter a password or install anything. More here.
When: February 2017. What: X-agent malware was capable of stealing passwords, taking screenshots and grabbing iPhone backups stored on your Mac. Who: The malware apparently targeted members of the Ukrainian military and was thought to be the work of the APT28 cybercrime group, according to Bitdefender.
When: February 2017. What: MacDownloader software found in a fake update to Adobe Flash. When the installer was run users would get an alert claiming that adware was detected. When asked to click to “remove” the adware the MacDownloader malware would attempt to transmit data including the users Keychain (usernames, passwords, PINs, credit card numbers) to a remote server. Who: The MacDownloader malware is thought to have been created by Iranian hackers and was specifically targetted at the US defence industry. It was located on a fake site designed to target the US defence industry.
Word macro virus
When: February 2017. What: PC users have had to contend with macro viruses for a long time. Applications, such as Microsoft Office, Excel, and Powerpoint allow macro programs to be embedded in documents. When these documents are opened the macros are run automatically which can cause problems. Mac versions of these programs haven’t had an issue with malware concealed in macros because since when Apple released Office for Mac 2008 it removed macro support. However, the 2011 version of Office reintroduced macros, and in February 2017 there was malware discovered in a Word macro within a Word doc about Trump. If the file is opened with macros enabled (which doesn’t happen by default), it will attempt to run python code that could have theoretically perform functions such as keyloggers and taking screenshots. It could even access a webcam. The chance of you being infected in this way is very small, unless you have received and opened the file referred to (which would surprise us), but the point is that Mac users have been targeted in this way.
When: January 2017. What: Fruitfly malware could capture screenshots and webcam images, as well as looking for information about the devices connected to the same network – and then connects to them. Malwarebytes claimed the malware could have been circulating since OS X Yosemite was released in 2014.
Mac malware in 2016
When: April 2016. What: OSX/Pirrit was apparently hidden in cracked versions of Microsoft Office or Adobe Photoshop found online. It would gain root privileges and create a new account in order to install more software, according to Cybereason researcher Amit Serper in this report.
When: November 2016. What: Mac-targeted denial-of-service attacks originating from a fake tech support website. There were two versions of the attack depending on your version of macOS. Either Mail was hijacked and forced to create vast numbers of draft emails, or iTunes was forced to open multiple times. Either way, the end goal is to overload system memory and force a shutdown or system freeze.
When: March 2016. What: KeRanger was ransomware (now extinct). For a long time ransomware was a problem that Mac owners didn’t have to worry about, but the first ever piece of Mac ransomware, KeRanger, was distributed along with a version of a piece of legitimate software: the Transmission torrent client. Transmission was updated to remove the malware, and Apple revoked the GateKeeper signature and updated its XProtect system, but not before a number of unlucky users got stung. We discuss how to remove Ransomware here.
Older Mac malware
SSL, Gotofail error
When: February 2014. What: The problem stemmed from Apple’s implementation of a basic encryption feature that shields data from snooping. Apple’s validation of SSL encryption had a coding error that bypassed a key validation step in the web protocol for secure communications. There was an extra Goto command that hadn’t been closed properly in the code that validated SSL certificates, and as a result, communications sent over unsecured Wi-Fi hotspots could be intercepted and read while unencrypted. Apple quickly issued an update to iOS 7, but took longer to issued an update for Mac OS X, despite Apple confirming that the same SSL/TSL security flaw was also present in OS X. Who: In order for this type of attack to be possible, the attacker would have to be on the same public network. Read more about the iPad and iPhone security flaw here.
When: October 2011. What: OSX/Tsnunami.A was a new variant of Linux/Tsunami, a malicious piece of software that commandeers your computer and uses its network connection to attack other websites. More information here.
When: September 2011. What: Posing as a Chinese-language PDF, the nasty piece of software installs backdoor access to the computer when a user opens the document. More here.
When: September 2011. What: Flashback is thought to have been created by the same people behind the MacDefender attack and could use an unpatched Java vulnerability to install itself. Read more here: What you need to know about the Flashback trojan. Who: Apparently more than 500,000 Macs were infected by April 2012.
When: May 2011. What: Trojan Horse phishing scam that purported to be a virus-scanning application. Was spread via search engine optimization (SEO) poisoning.
When: February 2011. What: More of a proof-of-concept, but a criminal could find a way to get a Mac user to install it and gain remote control of the hacked machine. BlackHole was a variant of a Windows Trojan called darkComet. More information here: Hacker writes easy-to-use Mac Trojan.
For more information about how Apple protects your Mac from security vulnerabilities and malware read: Do Macs need antivirus software.