Despite Apple’s best efforts, Mac malware does exist, we describe some cases below. However, before you panic, Mac malware and viruses are very rarely found “in the wild”.
From time to time you will hear of big profile trojans, malware, and ransomware that is targeting the Windows world, very rarely is this a threat to Macs. For example, the worldwide WannaCry/WannaCrypt ransomware attack that hit back in May 2017 was only targeting Windows machines and therefore no threat to Macs.
Luckily Apple has various measures in place to guard against such threats. For example, macOS shouldn’t allow the installation of third-party software unless it’s from the App Store or identified developers. You can check these settings in macOS Ventura’s System Settings > Privacy & Security and scroll to the Security section, or, if you are using Monterey or older, go to System Preferences > Security & Privacy > General. You can specify whether only apps from the Mac App Store can be installed, or if you are happy to allow apps from identified developers too. If you were to install something from an unknown developer Apple would warn you to check its authenticity.
In addition, Apple has its own built-in anti-malware tool. Apple has all the malware definitions in its XProtect file which sits on your Mac, and every time you download a new application it checks that none of those definitions are present. This is part of Apple’s Gatekeeper software that blocks apps created by malware developers and verifies that apps haven’t been tampered with. For more information read: how Apple protects you from malware. We also discuss whether Macs need antivirus software separately.
In recent years malware on the Mac actually decreased, however, as you will see if you read on, Macs are not completely safe from attacks. Even Apple’s Craig Federighi has admitted there is a problem, saying in May 2021 that: “We have a level of malware on the Mac that we don’t find acceptable.” To stay safe, we recommend you read our best Mac security tips and our round-up of the best Mac antivirus apps, in which we highlight Intego as our top pick.
Another thing to note is that Apple’s own M-series chips that it has been using in Macs since November 2020 are considered more secure than Intel processors. However, malware, dubbed Silver Sparrow, was found on the M1 Mac soon after launch so even Apple’s own chips are not immune.
Curious to know what Mac viruses are out there, perhaps because you were thinking you might spy some suspicious processes or malware names in Activity Monitor on your Mac? In this article, we will endeavor to give you a complete list.
PROMOTION
Antivirus Deal: Intego Mac Premium Bundle
Get Intego’s Mac Premium Bundle X9 with antivirus, firewall, backup and system performance tools for just $29.99 (down from $84.99) for the first year.
Can Macs get viruses?
Before we run through the malware that’s been spotted on Macs we need to address this question. The word virus gets used a lot more than it should be – a more accurate word would be malware. A computer virus is so-called because it is capable of replicating itself and spreading. A virus is only one type of malware of which there are many, and unfortunately there have been cases on the Mac.
Malware includes the following:
Adware: Once this malicious software is installed on a Mac it will show advertisements and pop-ups for software – most likely for Potentially Unwanted Programs like those we will discuss next. According to Malwarebytes: “macOS’ built-in security systems have not cracked down on adware and PUPs to the same degree that they have malware, leaving the door open for these borderline programs to infiltrate”.
Potentially Unwanted Programs (or PUPs): Famous examples include Advanced Mac Cleaner, Mac Adware Remover, and Mac Space Reviver. These apps tend to hound users, which is part of their downfall, as due to the bad reputations of some of these apps the number of Macs affected has fallen, according to Malwarebytes. So it seems that people are at least wising up to these dodgy programs.
Ransomware: Ransomware has been detected on Macs – although the most recent case ThiefQuest / EvilQuest – didn’t actually work very well (in fact some would suggest it was pretending to be Ransomeware, but actually it was just transferring data). Either way, it was quickly identified and stopped.
Cryptocurrency miners: Criminals have attempted to use Macs to mine bitcoin and the like as in the case of LoudMiner (aka Bird Miner).
Spyware: Our data is incredibly valuable to criminals and spyware is designed to obtain this information. One example of this would be the Pegasus spyware that was known to have infected some iPhones. This was enough of an issue for Apple to announce that they will warn users of spyware attacks like Pegasus (more on that below).
Phishing: We’ve all received phishing emails and we all know the dangers, but as criminals get more sophisticated (and maybe even learn to spell) can we be sure we won’t fall for a phishing attempt to gain our data or login details? You may think that you will never fall for a phishing attempt, but could you be as confident about your parents?
Trojan Horse: A Trojan is a kind of malware that is hidden, or disguised in software. There are various kinds of Trojans. A Trojan could, for example, give hackers access to our computers via a ‘backdoor’ so that they can access files and steal your data. Essentially the name Trojan describes the method by which the malware gets onto your computer.
USB/Thunderbolt hack: There have also been cases where malware has been installed on Macs via a modified USB cable. There have even been security flaws associated with Thunderbolt which are discussed in this article: How to protect your Mac from the Thunderbolt security flaw. Also read: Can Macs be hacked?
It’s clear from these cases that there is a threat from malware on the Mac, and there are likely to be more cases in the future. Even the M1 Macs were targeted shortly after they were introduced in November 2020: the Silver Sparrow malware targeted both M1 Macs and Macs that use Intel processors.
One good thing is that Adobe ended support for Adobe Flash on 31 December 2020. At least this should reduce the number of cases of Mac malware disguised as the Flash Player arriving on the Mac.
Mac malware in 2023
Downfall vulnerability
When: August 2023. What: While not malware, this is a serious vulnerability affecting Intel processors, so if you have an Intel-based Mac from 2015 or later (or the iMac released in late 2015), your CPU is almost certainly affected by Downfall, a vulnerability that can exploit a flaw in the AVX vector extensions of every Intel CPU. It is likely that Apple will push out a macOS update to update the processor microcode. M-series Macs are unaffected. Read more here: Are Macs affected by that scary Intel ‘Downfall’ vulnerability?
Exploit HVNC
When: August 2023: What: New malware that can be used by hackers to remotely gain control of an insecure Mac. The malware uses HVNC (Hidden Virtual Network Computing) to gain access to and remotely control a Mac, without the target user being aware. Reported by Security firm Guards. More here: New malware can give a hacker control of your Mac.
ShadowVault
When: July 2023. What: ShadowVault can grab usernames and password, credit card info, data from cypto wallets, and more. Reported by Security firm Guards. More here: New ‘ShadowVault’ macOS malware steals passwords, crypto, credit card data
JokerSpy
When: June 2023. An attacker can gain control of the system and, via a backdoor, can run further exploits, monitor users’ behavior, steal login credentials or cryptocurrency wallets, according to Intego.
Atomic macOS Stealer (AMOS)
When: April 2023. What: targets macOS and steals important, private information, such as keychain and macOS user account passwords, system information, and files on the Desktop and Documents folder. AMOS is spread through unsigned disk image files (.dmg). Reported by Cyble Research and Intelligence Labs (CRIL). More here: New AMOS Mac malware targets passwords, personal files, crypto wallets.
RustBucket
When: April 2023. What: An AppleScript file that masquerades as a PDF Viewer application, activated if you view a particular PDF file with the app. Can only be activated if Gatekeeper is overridden. Reported by Jamf Threat Labs.
MacStealer
When: March 2023. What: The MacStealer malware can get passwords, cookies, and credit card data from Firefox, Google Chrome, and Brave browsers, including being able to extract the KeyChain database. Who: Macs running macOS Catalina or later, with either Intel or Apple M-series chips. For more information read: Scary ‘MacStealer’ malware goes after iCloud passwords and credit card data.
XMRig
When: February 2023. What: Crypto-mining software attached to pirated copies of Final Cut Pro that are downloaded from unauthorized distribution points on the internet. XMRig is actually a legitimate, open-source utility, but in this illegitimate use it is running in the background mining, which affects the performance of the Mac. Mined cryptocurrency is sent to the attacker’s wallet. The malware can avoid detection by Activity Monitor app by stopping running when Activity Monitor launches and relaunching when the user quits Activity Monitor. Apple says it has updated macOS’s Xprotect to catch this malware. Who: People who download pirated versions of Final Cut Pro using a torrent client. More here: Pirated copies of Final Cut Pro may infect your Mac.
Mac malware in 2022
Alchimist
When: October 2022. What: Provides a backdoor onto the target system. Targeting a vulnerability in a 3rd party Unix tool. Who: Very specific target as pkexec is rarely found on Macs.
Lazarus
When: August 2022. What: Malware disguised as job postings. Who: Targeting Coinbase users and Crypto.com.
VPN Trojan
When: July 2022. What: VPN app with two malicious binaries: ‘softwareupdated’ and ‘covid’.
CloudMensis/BadRAT
When: July 2022. What: Spyware downloader that uses public cloud storage services such as Dropbox, Yandex Disk and pCloud. Exploited CVE-2020-9934 which was closed macOS Catalina 10.5.6 in August 2020.
CrateDepression
When: May 2022. What: Supply chain attack with screencapture, keylogging, remote file retrieval. Who: Targeted the Rust development community.
Pymafka
When: May 2022. What: Hoping that users might mistype and download the malware instead of legitimate pykafka. Who: Targeting PyPI registry.
oRAT
When: April 2022. What: Distributed via a Disk Image masquerading as a collection of Bitget Apps. Who: Targeting gambling websites.
Gimmick
When: March 2022. What: Distributed as a CorelDraw file that was hosted on a Google Drive. Who: Targeting protest groups in Asia.
DazzleSpy
When: January 2022. What: Included code for searching and writing files, dumping the keychain, running a remote desktop and more. Read more here: Patched Mac malware sheds light on scary backdoor for hackers. Who: Targeting supporters of democracy in Hong Kong.
ChromeLoader
When: January 2022. What: Chrome browser extension that could steal information, hijack the search engine queries, and serve adware.
Mac malware in 2021
macOS.Macma
When: November 2021. What: Keylogger, screen capturer, screen capturer and backdoor. Who: Targetting supporters of pro-democracy activism in Hong Kong.
OSX.Zuru
When: September 2021. What: Trojan that spread disguised as iTerm2 app. Microsoft’s Remote Desktop for Mac was also trojanized with the same malware. Who: Spread via sponsored web links and links in the Baidu search engine.
XCSSET Updated
When: May 2021 (originally from August 2020). What: Used a zero-day vulnerability in Safari. See: macOS 11.4 patches flaws exploited by XCSSET malware. Who: Aimed at Chinese gambling sites.
XLoader
When: July 2021. What: The XLoader malware was one of the most prevalent pieces of Windows malware to have been confirmed to run on macOS. XLoader is a variant of Formbook, a program used to steal login credentials, record keystrokes, and download and execute files.
WildPressure
When: July 2021. What: New multi-platform version of Milum Trojan embedded in a Python file. Who: Targeting Middle East activists.
XcodeSpy
When: March 2021. What: A Trojan hidden in Xcode projects in GitHub had the potential to spread among the Macs of iOS developers. Once installed a malicious script runs that installs an “EggShell backdoor”. Once open the Mac’s microphone, camera and keyboard can be hyjacked and files can be send to the attacker. The malware was found in a ripped version of TabBarInteraction. Read more here: New Mac malware targets iOS developers. Who: Attack on iOS developers using Apple’s Xcode.
Silver Toucan/WizardUpdate/UpdateAgent
When: February 2021. What: Adload dropper that was notarized by Apple and used a Gatekeeper bypass.
Pirri/GoSearch22
When: February 2021. What: Based on Pirri and known as GoSearch22 infected Macs would see unwanted adverts. More information here: M1 Macs face first recorded malware.
Silver Sparrow
When: January 2021. What: Malware targeting Macs equipped with the M1 processor. Used the macOS Installer Javascript API to execute commands. According to Malwarebytes, by February 2021 Silver Sparrow had already infected 29,139 macOS systems in 153 countries, most of the infected Macs being in the US, UK, Canada, France and Germany. More details here: What you need to know about Silver Sparrow Mac malware.
Foundry
OSAMiner
When: January 2021 (but first detected in 2015). What: Cryptocurrency miner distributed via pirated copies of popular apps including League of Legends and Microsoft Office.
ElectroRAT
When: January 2021. What: Remote Access Trojan targeting multiple platforms including macOS. Who: Targeting cryptocurrency users.
Mac malware in 2020
GravityRAT
When: October 2020. What: GravityRAT was an infamous Trojan on Windows, which, among other things, had been used in attacks on the military. It arrived on Macs in 2020. The GravityRAT Trojan can upload Office files, take automatic screenshots and record keyboard logs. GravityRAT uses stolen developer certificates to bypass Gatekeeper and trick users into installing legitimate software. The Trojan is hidden in copies of various legitimate programs developed with .net, Python and Electron. We have more information about GravityRAT on the Mac here.
XCSSET
When: August 2020. What: Mac malware spread through Xcode projects posted on Github. The malware – a family of worms known as XCSSET – exploited vulnerabilities in Webkit and Data Vault. Would seek to access information via the Safari browser, including login details for Apple, Google, Paypal and Yandex services. Other types of information collected includes notes and messages sent via Skype, Telegram, QQ and Wechat. More information here.
ThiefQuest (aka EvilQuest)
When: June 2020. What: ThiefQuest, which we discuss here: Mac ransomware ThiefQuest/EvilQuest could encrypt your Mac, was Ransomware spreading on the Mac via pirated software found on a Russian torrent forum. It was initially thought to be Mac ransomware – the first such case since 2017 – except that it didn’t act like ransomware: it encrypted files but there was no way to prove you had paid a ransom and no way to subsequently unencrypted files. It turned out that rather than the purpose of ThiefQuest being to extort a ransom, it was actually trying to obtain the data. Known as ‘Wiper’ malware this was the first of its kind on the Mac.
Mac malware in 2019
NetWire and Mokes
When: July 2019. What: These were described by Intego as “backdoor malware” with capabilites such as keystoke logging and screenshot taking. They were a pair of Firefox zero-days that targeted those using cryptocurrancies. They also bypassed Gatekeeper. backdoor” malware
LoudMiner (aka Bird Miner)
When: June 2019. What: This was a cryptocurrency miner that was distributed via a cracked installer for Ableton Live. The cryptocurrency mining software would attempt to use your Mac’s processing power to make money.
OSX/NewTab
When: June 2019. What: This malware attempted to add tabs to Safari. It was also digitally signed with a registered Apple Developer ID.
OSX/Linker
When: May 2019. What: It exploited a zero-day vulnerability in Gatekeeper to install malware. The “MacOS X GateKeeper Bypass” vulnerability had been reported to Apple that February, and was disclosed by the person who discovered it on 24 May 2019 because Apple had failed to fix the vulnerability within 90 days. Who: OSX/Linker tried to exploit this vulnerability, but it was never really “in the wild”.
CookieMiner
When: January 2019. What: The CookieMiner malware could steal a users password and login information for their cyberwallets from Chrome, obtain browser authentication cookies associated with cryptocurrency exchanges, and even access iTunes backups containing text messages in order to piece together the information required to bypass two-factor authentication and gain access to the victim’s cryptocurrency wallet and steal their cryptocurrency. Unit 42, the security researchers who identified it, suggest that Mac users should clear their browser caches after logging in to financial accounts. Since it’s connected to Chrome we also recommend that Mac users choose a different browser. Find out more about CookieMiner Mac malware here.
Mac malware in 2018
SearchAwesome
When: 2018. What: OSX.SearchAwesome was a kind of adware that targets macOS systems and could intercept encrypted web traffic to inject ads.
Mac Auto Fixer
When: August 2018. What: Mac Auto Fixer was a PiP (Potentially Unwanted Program), which piggybacks on to your system via bundles of other software. Find out more about it, and how to get rid of it, in What is Mac Auto Fixer?
OSX/CrescentCore
When: June 2018. What: This Mac malware was found on several websites, including a comic-book-download site in June 2019. It even showed up in Google search results. CrescentCore was disguised as a DMG file of the Adobe Flash Player installer. Before running it would check to see if it inside a virtual machine and would looks for antivirus tools. If the machine was unprotected it would install either a file called LaunchAgent, an app called Advanced Mac Cleaner, or a Safari extension. CrescentCore was able to bypass Apple’s Gatekeeper because it had a signed developer certificate assigned by Apple. That signature was eventually revoked by Apple. But it shows that although Gatekeeper should stop malware getting through, it can be done. Again, we note that Adobe ended support for Adobe Flash on 31 December 2020, so this should mean fewer cases of malware being disguised as the Flash Player.
Mshelper
When: May 2018. What: Cryptominer app. Infected users noticed their fans spinning particularly fast and their Macs running hotter than usual, an indication that a background process was hogging resources.
OSX/Shlayer
When: February 2018. What: Mac adware that infected Macs via a fake Adobe Flash Player installer. Intego identifed it as a new variant of the OSX/Shlayer Malware, while it may also be refered to as Crossrider. In the course of installation, a fake Flash Player installer dumps a copy of Advanced Mac Cleaner which tells you in Siri’s voice that it has found problems with your system. Even after removing Advanced Mac Cleaner and removing the various components of Crossrider, Safari’s homepage setting is still locked to a Crossrider-related domain, and cannot be changed. Since 31 December 2020 Flash Player has been discontinued by Adobe and it no longer supported, so you can be sure that if you see anything telling you to install Flash Player please ignore it. You can read more about this incident here.
MaMi
When: January 2018. What: MaMi malware routes all the traffic through malicious servers and intercepts sensitive information. The program installs a new root certificate to intercept encrypted communications. It can also take screenshots, generate mouse events, execute commands, and download and upload files.
Meltdown & Spectre
Foundry
When: January 2018. What: Apple confirmed it was one of a number of tech companies affected, highlighting that: “These issues apply to all modern processors and affect nearly all computing devices and operating systems.” The Meltdown and Spectre bugs could allow hackers to steal data. Meltdown would involve a “rogue data cache load” and can enable a user process to read kernel memory, according to Apple’s brief on the subject. Spectre could be either a “bounds check bypass,” or “branch target injection” according to Apple. It could potentially make items in kernel memory available to user processes. They can be potentially exploited in JavaScript running in a web browser, according to Apple. Apple issued patches to mitigate the Meltdown flaw, despite saying that there is no evidence that either vulnerability had been exploited. More here: Meltdown and Spectre CPU flaws: How to protect your Mac and iOS devices.
Mac malware in 2017
Dok
When: April 2017. What: macOS Trojan horse appeared to be able to bypass Apple’s protections and could hijack all traffic entering and leaving a Mac without a user’s knowledge – even traffic on SSL-TLS encrypted connections. OSX/Dok was even signed with a valid developer certificate (authenticated by Apple) according to CheckPoint’s blog post. It is likely that the hackers accessed a legitimate developers’ account and used that certificate. Because the malware had a certificate, macOS’s Gatekeeper would have recognized the app as legitimate, and therefore not prevented its execution. Apple revoked that developer certificate and updated XProtect. OSX/Dok was targeting OS X users via an email phishing campaign. The best way to avoid falling foul to such an attempts is not to respond to emails that require you to enter a password or install anything. More here.
X-agent
When: February 2017. What: X-agent malware was capable of stealing passwords, taking screenshots and grabbing iPhone backups stored on your Mac. Who: The malware apparently targeted members of the Ukrainian military and was thought to be the work of the APT28 cybercrime group, according to Bitdefender.
MacDownloader
When: February 2017. What: MacDownloader software found in a fake update to Adobe Flash. When the installer was run users would get an alert claiming that adware was detected. When asked to click to “remove” the adware the MacDownloader malware would attempt to transmit data including the users Keychain (usernames, passwords, PINs, credit card numbers) to a remote server. Who: The MacDownloader malware is thought to have been created by Iranian hackers and was specifically targetted at the US defence industry. It was located on a fake site designed to target the US defence industry.
Word macro virus
When: February 2017. What: PC users have had to contend with macro viruses for a long time. Applications, such as Microsoft Office, Excel, and Powerpoint allow macro programs to be embedded in documents. When these documents are opened the macros are run automatically which can cause problems. Mac versions of these programs haven’t had an issue with malware concealed in macros because since when Apple released Office for Mac 2008 it removed macro support. However, the 2011 version of Office reintroduced macros, and in February 2017 there was malware discovered in a Word macro within a Word doc about Trump. If the file is opened with macros enabled (which doesn’t happen by default), it will attempt to run python code that could have theoretically perform functions such as keyloggers and taking screenshots. It could even access a webcam. The chance of you being infected in this way is very small, unless you have received and opened the file referred to (which would surprise us), but the point is that Mac users have been targeted in this way.
Fruitfly
When: January 2017. What: Fruitfly malware could capture screenshots and webcam images, as well as looking for information about the devices connected to the same network – and then connects to them. Malwarebytes claimed the malware could have been circulating since OS X Yosemite was released in 2014.
Mac malware in 2016
Pirrit
When: April 2016. What: OSX/Pirrit was apparently hidden in cracked versions of Microsoft Office or Adobe Photoshop found online. It would gain root privileges and create a new account in order to install more software, according to Cybereason researcher Amit Serper in this report.
Safari-get
When: November 2016. What: Mac-targeted denial-of-service attacks originating from a fake tech support website. There were two versions of the attack depending on your version of macOS. Either Mail was hijacked and forced to create vast numbers of draft emails, or iTunes was forced to open multiple times. Either way, the end goal is to overload system memory and force a shutdown or system freeze.
KeRanger
When: March 2016. What: KeRanger was ransomware (now extinct). For a long time ransomware was a problem that Mac owners didn’t have to worry about, but the first ever piece of Mac ransomware, KeRanger, was distributed along with a version of a piece of legitimate software: the Transmission torrent client. Transmission was updated to remove the malware, and Apple revoked the GateKeeper signature and updated its XProtect system, but not before a number of unlucky users got stung. We discuss how to remove Ransomware here.
Older Mac malware
SSL, Gotofail error
When: February 2014. What: The problem stemmed from Apple’s implementation of a basic encryption feature that shields data from snooping. Apple’s validation of SSL encryption had a coding error that bypassed a key validation step in the web protocol for secure communications. There was an extra Goto command that hadn’t been closed properly in the code that validated SSL certificates, and as a result, communications sent over unsecured Wi-Fi hotspots could be intercepted and read while unencrypted. Apple quickly issued an update to iOS 7, but took longer to issued an update for Mac OS X, despite Apple confirming that the same SSL/TSL security flaw was also present in OS X. Who: In order for this type of attack to be possible, the attacker would have to be on the same public network. Read more about the iPad and iPhone security flaw here.
OSX/Tsnunami.A
When: October 2011. What: OSX/Tsnunami.A was a new variant of Linux/Tsunami, a malicious piece of software that commandeers your computer and uses its network connection to attack other websites. More information here.
OSX.Revir.A
When: September 2011. What: Posing as a Chinese-language PDF, the nasty piece of software installs backdoor access to the computer when a user opens the document. More here.
Flashback trojan
When: September 2011. What: Flashback is thought to have been created by the same people behind the MacDefender attack and could use an unpatched Java vulnerability to install itself. Read more here: What you need to know about the Flashback trojan. Who: Apparently more than 500,000 Macs were infected by April 2012.
MacDefender
When: May 2011. What: Trojan Horse phishing scam that purported to be a virus-scanning application. Was spread via search engine optimization (SEO) poisoning.
BlackHole RAT
When: February 2011. What: More of a proof-of-concept, but a criminal could find a way to get a Mac user to install it and gain remote control of the hacked machine. BlackHole was a variant of a Windows Trojan called darkComet. More information here: Hacker writes easy-to-use Mac Trojan.
For more information about how Apple protects your Mac from security vulnerabilities and malware read: Do Macs need antivirus software and How to protect your Mac against attack and disaster to avoid getting infected.