Beware: Mac Malware Is on the Rise

Back to Blog

Beware: Mac Malware Is on the Rise

For the longest time, there has been an assumption amongst many Mac® users that their operating system of choice is secured against the malware threat. While there may have been some truth to this a few years back, it certainly isn’t the case anymore. Today, there are a growing number of active threats targeting macOS®. Perhaps more importantly, as the popularity of the platform grows, so does the amount of malware emerging from the shadows.

A Growing Market and Threat

According to the latest NetMarketShare figures, all macOS versions added together only account for 6% of the global market share for desktop OS installations. Microsoft® Windows® variants, however, total 91%. It doesn’t take a criminal mastermind to figure out why most malware targets Microsoft’s platform rather than Apple’s.

This doesn’t mean that vulnerabilities in Mac devices and the software that runs them—or runs on them—are not being exploited. They are, however, generally harder to exploit than Windows-based devices, simply because macOS (based upon Unix®) is highly sandboxed, making it difficult for malware to do real damage, even if it gains access to your device. Actually obtaining access to the device is harder, now that GateKeeper prevents anything other than Apple®-approved software from being installed by default for users of OS X Mountain Lion® and beyond.

Sneaking in Under the Radar

So, what is out there? Perhaps the most worrying, and certainly most indicative of the damage that a threat actor could cause, is Fruitfly. First reported by security researchers at the Malwarebytes Labs  back in January this year, the Fruitfly malware is thought to have been in the wild and undetected since as far back as 2014.

That it appears to have been used in a niche and narrow attack pattern—the January discovery was targeting biomedical science research centers—could be why it has remained undetected for so long. Certainly the unsophisticated technique of using a hidden file and a launch agent would make it relatively easy to both detect and remove. Indeed, it was unusual network traffic that led to the infected machine being analyzed in this case, and researchers quickly found the culprit.

Interestingly, all the samples that had been observed by Malwarebytes researchers were installed in “user space” running in a standard user account. The age-old advice of being protected by not running as an admin account does not appear to apply here.

The Curse of Fruitfly

Apple has already patched against Fruitfly, but it does show how Mac malware can be used successfully. Whether Fruitfly was deployed by state-sponsored actors or not is still open to debate, but it’s almost certain it was intended as a commercial espionage tool to gather intelligence on scientific research in the West.

And then there is Fruitfly 2, the rather sinister sequel. Reports suggest that hundreds of machines have been infected with this variant, spying on users through their webcam and enabling the attacker to be alerted when a victim is active. The researcher who uncovered this latest in-the-wild Fruitfly variant, former NSA analyst Patrick Wardle, described its arrival as likely being for “perverse reasons.”

Word Macros Still a Threat on Mac

We have also seen recent examples of that scourge of the Windows platform—Microsoft Word .doc file macros—moving into the Mac realm. Sure, like so many malware threats, this requires the user to first be fooled into opening the document and then to ignore a security warning about the dangers of editing a downloaded .doc file. In the case of the infected US Allies and Rivals Digest Trump’s Victory document, it was likely aimed at specific targets as part of an Advanced Persistent Threat from state-sponsored actors.

Assuming the victim opened the document and Word was configured to allow macros, it would then have downloaded and decrypted its payload using a hard-coded key. In this case, this appears to have been extracted from an open-source Mac exploit framework. Although the download site no longer contained the payload when it was finally discovered, that framework enables persistent threats such as password and keychain encryption key extraction.

Research by AVTest looking at malware across 2016 and into Q1 of 2017 shows Mac malware infections increasing by 370% from 2015. Even more intriguing is the number of malware programs targeting Mac users: in 2015, AVTest reported 819 threats aimed at macOS users. The 2016 figures show 3,033 malware samples—still far less than the millions that target the Windows platform, sure, but strong evidence of growth in the Apple criminal ecosystem.


Davey has been writing about IT security for more than two decades, and is a three-times winner of the BT Information Security Journalist of the Year title. An ex-hacker turned security consultant and journalist, Davey was given the prestigious ‘Enigma’ award for his ‘lifetime contribution’ to information security journalism in 2011.  You can follow Davey on Twitter® at @happygeek

Share this post

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to Blog