Mac Malware Reaches New Highs, Report Finds
More Mac malware has been seen in 2017 than in any year beforehand, a new report from information-security firm Malwarebytes says, and one of the company's security experts told Tom's Guide that Apple's current strategies may not be enough to stop the rising tide.
"It's really trivial to infect a Mac these days," said Thomas Reed, Malwarebytes' director of Mac and mobile research. "The only difference is that for historic reasons, there's so much more malware on Windows. That may not always be the case."
Reed said that Apple makes it too easy to digitally "sign" malware to get past macOS' Gatekeeper software, and that XProtect, the antivirus software built into Macs, is too weak to stop serious malware.
However, both Reed and the report said the most prevalent forms of unwelcome software plaguing Mac users are annoying-but-legal adware and browser hijackers — and Reed said Apple would risk lawsuits if it tried to do anything about those. To stop both kinds of attacks, Reed said, Mac users should use third-party antivirus software.
Two prominent Mac malware experts — Synack researcher Patrick Wardle and Cybereason researcher Amit Serper — said earlier this year that 2017 would likely be a banner year for Mac malware. Today’s Malwarebytes report seems to confirm those predictions.
"More new malware families have appeared this year than in any other previous year in Mac history, and the year is still far from over," the report says, singling out the ProtonRAT Trojan of a couple of months ago as the worst new threat.
"Our tracking of Mac malware has seen a more than 220 percent increase in malware so far in 2017 over 2016," Malwarebytes told Tom’s Guide in a statement. "This 220 percent figure is only considering the appearance of new malware, not the number of affected endpoints. In some cases, malware has been known to infect thousands of endpoints, in others only a handful, and for others it is not known how many endpoints were infected."
And yet, the report says, malware "is the least prevalent of all Mac threats. Adware and PUPs [potentially unwanted programs] are a much more significant problem that only began to be a real issue in 2013 and have been multiplying at an increasing rate since."
"Malware writers are finding that Mac users are a good target," Reed told us. "What they're targeting Mac users with is different from what they're targeting on Windows. There's not a huge volume of true malware — keyloggers, spyware, the really malicious stuff.
"What we're seeing more of is adware and PUPs. They tend to stick around longer — if you create a PUP, it's hard for Apple to say, 'That's a bad app, you shouldn't use it.'"
The reason Apple can't act against PUPs is that they're made and distributed by legitimate companies that would swiftly take legal action, Reed said.
"I like to think of PUPs as malware with lawyers," he said. "Apple is very quick to draw the line on malware and kill it at the OS level. But when it comes to PUPs, the line is more fuzzy, more gray. ... Apple could take a really hard stance, but these PUP companies tend to fight back. And Apple is a big juicy tempting target for a lawsuit."
Regarding real Mac malware, the heavy stuff may not come down for quite a while, to paraphrase Carl Spackler from the 1979 movie Caddyshack. But all the signs indicate that it's definitely coming.
"ProtonRAT was a really nasty one," Reed said. "A lot of Mac experts either almost got infected or did get infected."
He thinks that Apple's built-in defenses just aren't enough to ward off malware.
One issue is that Apple lets anyone with an email address and $99 get an Apple developer certificate, which can then be used to "sign" malware so that it's automatically accepted as safe by macOS' Gatekeeper software-screening feature.
"Almost every piece of malware or PUP has been signed," Reed said. "I know that Amit [Serper] was studying Vsearch malware, and that every time he referred a code signature to Apple, Apple would revoke the developer certificate, and another would appear within the hour."
However, Reed doesn't think Apple should tighten up the requirements for getting an Apple developer certificate.
"It might have impact on open-source developers, but they could do that," he said. "But then what do you do when someone provides a P.O. box for an address?"
Reed finds much more wrong with XProtect, the very basic antivirus software built into macOS, which only checks new software against a limited database of known malware identifiers.
“The biggest problem is that XProtect only activates once — and only if something is quarantined, such as being flagged by Gatekeeper," Reed explained. "It doesn't go back and check code again after it's been updated."
Tom's Guide has reached out to Apple for comment, and will update this story when we receive a reply.