The state of Mac malware

Mac users are often told that they don’t need antivirus software because there are no Mac viruses. However, this is not true at all, as Macs are affected by malware, and have been for most of their existence. Even the first well-known virus—Elk Cloner—affected Apple computers rather than MS-DOS computers. In 2018, the state of Mac malware has evolved, with more and more threats targeting these so-called impervious machines.


We have already seen four new Mac threats appear. The first of these, OSX.MaMi, was disclosed on our forums by someone who had had his DNS settings changed and was unable to change them back. The malware that was discovered on his system acted to change these settings and ensure that they remained changed. Additionally, it installed a new trusted root certificate in the keychain.

These two actions are highly dangerous. By redirecting the computer’s DNS lookups to a malicious server, the hackers behind this malware could send traffic meant for legitimate sites, such as bank sites, Amazon, and Apple’s iCloud/Apple ID services, to malicious phishing sites instead. The addition of a new trusted root certificate could be used to perform a man-in-the-middle attack, making these phishing sites appear to be legitimate even over HTTPS.

Thus, OSX.MaMi was likely interested in using phishing sites to steal credentials, although we don’t know what sites were targeted.
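As an added defender-side example (not code from the original post or from Malwarebytes), the following Python script checks for the two changes OSX.MaMi made: resolvers outside an allowlist and trusted root certificates missing from a known-good baseline. It parses constructed sample output in the format of macOS's `networksetup -getdnsservers` and `security find-certificate -a -Z`; the allowlist, the baseline, and every fingerprint and label in the sample are assumptions.

```python
import re
from typing import Dict, List

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# `security` prints a SHA-1 line on every macOS version, so it is used here
# purely as a stable identifier for matching against the baseline.
HASH_LINE = re.compile(r"^SHA-1 hash: ([0-9A-Fa-f]{40})$")
LABEL_LINE = re.compile(r'^\s*"labl"<blob>="(.*)"$')

# Assumed allowlist of resolvers this machine should be using (constructed).
ALLOWED_DNS = {"192.168.1.1", "1.1.1.1"}

# Constructed output of `networksetup -getdnsservers Wi-Fi` on a hijacked Mac
# (TEST-NET addresses, not real MaMi infrastructure).
SAMPLE_DNS = "203.0.113.5\n198.51.100.7\n"

# Constructed output of `security find-certificate -a -Z <keychain>`;
# the hashes and labels are placeholders, not real certificate values.
SAMPLE_CERTS = """SHA-1 hash: AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
keychain: "/Library/Keychains/System.keychain"
attributes:
    "labl"<blob>="Corporate Root CA"
SHA-1 hash: BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222
keychain: "/Library/Keychains/System.keychain"
attributes:
    "labl"<blob>="Example Untrusted Root"
"""
# Fingerprints recorded earlier on a known-good machine (constructed baseline).
BASELINE_CERTS = {"AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111"}


def parse_dns_servers(text: str) -> List[str]:
    """Return configured resolvers; networksetup prints a sentence rather than
    an address when none are set, so non-IP lines are ignored."""
    return [ln.strip() for ln in text.splitlines() if IPV4.match(ln.strip())]


def parse_cert_fingerprints(text: str) -> Dict[str, str]:
    """Map each certificate's SHA-1 fingerprint to its label in the dump."""
    certs, current = {}, None
    for line in text.splitlines():
        if m := HASH_LINE.match(line):
            current = m.group(1).upper()
            certs[current] = ""
        elif (m := LABEL_LINE.match(line)) and current:
            certs[current] = m.group(1)
    return certs


def audit(dns_text: str, cert_text: str) -> Dict[str, object]:
    """Flag resolvers outside the allowlist and roots absent from the baseline."""
    rogue_dns = [s for s in parse_dns_servers(dns_text) if s not in ALLOWED_DNS]
    certs = parse_cert_fingerprints(cert_text)
    new_certs = {h: lbl for h, lbl in certs.items() if h not in BASELINE_CERTS}
    return {"rogue_dns": rogue_dns, "new_root_certs": new_certs}


if __name__ == "__main__":
    print(audit(SAMPLE_DNS, SAMPLE_CERTS))
```

On a real Mac the same functions can be fed the live output of the two commands; a non-empty `rogue_dns` or `new_root_certs` is the signal to investigate.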

Dark Caracal

The second malware, called Dark Caracal, was discovered by Lookout via research into nation-state malware. Their report mentioned a new cross-platform RAT (remote access Trojan, aka a backdoor), which they called CrossRAT, that is capable of infecting Macs, among other systems. Written in Java, this malware provided some basic remote backdoor access to infected Mac systems. Dark Caracal was only a version 0.1, indicating that it is probably in an early stage of development.

Although Macs no longer come with Java preinstalled—and haven’t for years—it’s important to keep in mind that nation-state malware is often crafted and used with some knowledge of its targets in mind. The intended targets may have had reason to install Java, or it may have been installed via physical (or some other) access by a hacker targeting specific individuals.


The third piece of malware was named OSX.CreativeUpdate, and was originally discovered through a supply chain attack involving the MacUpdate website. The MacUpdate website was hacked, and the download links for some popular Mac apps, including Firefox, were replaced with malicious links.

These kinds of supply chain attacks are particularly dangerous, even capable of infecting savvy members of the development and security community, as was documented by Panic, Inc. in The Case of the Stolen Source Code.

Users who downloaded the affected apps from MacUpdate ended up with malicious lookalike apps. These apps would install malware on the system, then open the original app, which was bundled inside the malicious app, to make it appear normal. This helped cover up the fact that something shady was going on.

The malware, once installed, used the computer’s CPU to mine a cryptocurrency called Monero (similar to Bitcoin). This would result in the computer slowing down and the fans starting to run at high speed. These behaviors have a number of negative impacts: significant hits on the performance of the computer, reduced battery life, increased usage of electricity, and even potential for overheating the computer and damaging the hardware (especially if the fans were not working at peak capacity or the vents were clogged with dust).


And finally, the fourth and most recent piece of malware, called OSX.Coldroot, was a generic backdoor that provided all the usual access to the system that a typical backdoor does. However, some aspects of its installation fail on modern systems such as macOS 10.11, aka El Capitan, or later. And bugs in its development cause it to fail entirely on other systems. This backdoor didn’t seem like much of a threat, but could still be dangerous on the right OS.

Increasing volume of Mac malware

Mac malware saw an increase of over 270 percent between 2016 and 2017. Last year, we saw the appearance of many new backdoors, such as the now infamous Fruitfly malware. First documented by Malwarebytes, Fruitfly was used by an Ohio man to capture personal data and was even used to generate child pornography.

And yet, the biggest problem for Mac continues to be the rising threat of adware and potentially unwanted programs (PUPs). These kinds of threats have become pervasive in the last few years, even invading the Mac App Store to the degree that certain classes of software—such as antivirus or anti-adware software—in the App Store are almost entirely PUPs and cannot be trusted.

Unfortunately, many Mac users still have serious misperceptions about the security of macOS. Some will still tell people that “Macs don’t get viruses,” hiding the truth behind a technicality that no Mac malware quite fits the strict definition of what it means to be a “virus.” Others are under the mistaken belief that Macs are invulnerable, saying things like, “Macs are sandboxed, so they can’t be infected.”

In this environment, the average Mac user has no effective protection to prevent them from being infected with malware, much less the far more common threats posed by adware and PUPs. Worse, because they believe that there are no threats, they often do not exercise the same caution online that they would on a Windows machine.

Apple’s macOS includes some good security features that are helpful, but new malware easily bypasses them. In addition, they still don’t address the adware and PUP problem at all. Because of this, macOS cannot and should not be considered bulletproof.

We know that not everyone wants to run antivirus software on their Macs, but if you’re looking for additional protection, Malwarebytes for Mac can help. Business users can get a similar level of protection from Malwarebytes Endpoint Protection as well.


Thomas Reed

Director of Mac & Mobile

Had a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.