Hackers now spreading Mac malware via fake browser updates — don’t fall for this

MacBook Pro 2023
(Image credit: Future / Apple)

Even the best MacBooks can come down with a nasty malware infection if you’re not careful online. To that end, hackers have repurposed a social engineering campaign that was previously exclusive to Windows to infect Apple computers with Mac malware.

According to a new blog post from the cybersecurity firm Malwarebytes, the popular Atomic Stealer malware is being used in a new campaign which uses fake browser updates to trick unsuspecting users into infecting their own devices with malware.

While we recently saw Atomic Stealer used to infect Macs through malicious ads, this new campaign is a bit different as it uses compromised websites to distribute these fake browser updates. First discovered by security researcher Randy McEoin back in August and dubbed ClearFake, this campaign has since gone through a number of upgrades including using smart contracts to build the redirect mechanism used to take potential victims to malicious sites.

Here’s everything you need to know about ClearFake and what you need to look out for if you’re a Mac user that’s worried about falling victim to malware.

Just a few days ago on November 17, another security researcher named Ankit Anubhav observed that ClearFake was being distributed to Mac users in addition to the best Windows laptops.

In these attacks, clicking on a malicious link distributed through phishing emails or even on social media posts takes unsuspecting Mac users to a page impersonating Apple’s official download portal for Safari. However, as many Mac owners use Chrome instead of Safari, the hackers behind this campaign have also developed a fake portal for Google’s browser too.

If you click on either the “Download” button on the fake Safari page or the “Update Chrome” button on the fake Chrome page, a DMG file claiming to be a browser update is downloaded onto your Mac. Clicking on this file and launching it leads to a text box which asks for your administrative password. If you’re foolish enough to give it away that easily, the Atomic Stealer malware then gains full access to your Mac.

From here, the malware can steal your browsing data, cookies, passwords, credit card numbers and other sensitive data stored on your Mac which is sent back to the hackers behind ClearFake. Besides committing fraud, this information can even be used to steal your identity.

How to stay safe from fake browser updates and Mac malware

A padlock resting next to the Apple logo on the lid of a gold-colored Apple laptop.

(Image credit: robert coolen/Shutterstock)

Fake browser updates like the ones described above have been a thorn in the side of Windows users for years now. However, as Macs have become more popular, hackers have shifted their focus from going after computers running Windows to those that run macOS.

This means you need to be extra careful when updating your browser and other Mac apps. Updating Safari is done through the Software Update menu which you could find by clicking on the Apple menu and then heading to System Preferences. If you prefer Google Chrome, here’s everything you need to know about how to update Chrome which can be done directly through Google’s browser.

Under no circumstances should you download or install any updates from a website claiming your browser is out of date, as neither Apple nor Google deliver updates to their users this way. In fact, if you see such a warning, you should steer clear of it entirely as hackers are most likely behind it.

For additional protection and to avoid phishing sites altogether, you should also consider using one of the best Mac antivirus software solutions. Sure, your Mac comes with built-in antivirus software in the form of xProtect but paid antivirus programs are updated more regularly and often contain useful extras like a VPN or a password manager.

In a statement to Tom’s Guide, senior director of threat intelligence at Malwarebytes,  Jérôme Segura provided further insight on how to stay safe from Atomic Stealer and other online threats targeting your Mac, saying:

"We have seen an increase in the distribution of Atomic Stealer, a piece of malware that targets Macs, in particular via malvertising campaigns and now via compromised sites. The lure is classic social engineering, redirecting victims to a decoy page pretending to be a browser update. Immediately after installing it, the malware will steal passwords, crypto wallets, and sensitive files. The best defense against this threat is to block the malicious redirects that are happening on hacked sites, preventing the fake update from being downloaded."

We’ll likely continue to see more malware strains targeting Macs which is why it may be time to retire the idea that Macs are safer from Windows machines once and for all.

More from Tom's Guide

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.