Mac Malware Getting Much Worse: How to Protect Yourself

SAN FRANCISCO — Macs will encounter more malware in 2017, and the Apple desktop operating system may not be prepared to handle it, two security experts said at the RSA Conference here last week.

"MacOS is just as vulnerable as any other [operating system]," said Cybereason researcher Amit Serper, who gave a presentation Feb. 17. "More and more threats are coming to Mac, and they're easy to exploit with social engineering."

Experts predict a rise in Mac malware and other security threats. Photo credit: Justin Sullivan/Getty

(Image credit: Experts predict a rise in Mac malware and other security threats. Photo credit: Justin Sullivan/Getty)

"I think we'll see more Mac malware in 2017," said Synack researcher Patrick Wardle, who spoke on Feb. 14. "Apple's [built-in protections] are all really good ideas, but they have limitations."

Quick Tips

Most recent Mac malware deceives the user into installing it, so Mac users need to be especially careful about installing free online tools, or pirated or "cracked" software. They should also run Mac antivirus software, but need to be wary of "scareware" pop-up ads that tells them their Macs are infected and need to be cleaned immediately.

To make up for macOS' security deficiencies, Wardle has created several Mac security tools, which can be downloaded for free from his website, Serper has posted his own research into OSX/Pirrit on Wardle's site.

"I've created free generic tools because I don't think users should have to pay for security," Wardle said.

Nevertheless, Wardle also recommended LittleSnitch, a Mac system firewall that costs $35. Serper recommended Suspicious Package, a free tool that lets you inspect Mac installer packages before you open them.

Weakened Defenses?

One of macOS' biggest weaknesses, in Serper's estimation, is that anyone with $99 and a credit card can get an Apple developer certificate and the ability to "sign" software. Signed malicious software will get right past Gatekeeper, the macOS application screener that by default prevents the installation of unknown files from the internet.

The next line of defense is XProtect, macOS' built-in antivirus software. But Wardle pointed out that XProtect uses outdated methods that detect only near-exact matches of known malware.

Then there's System Integrity Protection, which restricts access to the root account, the highest level of system control. Wardle said both he and German Mac-security researcher Stefan Esser had found several bypasses to this protection, not all of which had been fixed.

None of these protections will stand up to a good social-engineering attack, in which the Mac user is duped into installing malware and, if necessary, granting it root privileges. 

Rise in macOS Malware

At least four major pieces of Mac malware discovered in 2016 used social engineering to get into the system, Wardle said. Two of them, including the first (and so far only) example of Mac encrypting ransomware, had been written into corrupted versions of the BitTorrent application Transmission.

Another pretended to be a document converter. The last came bundled with a well-known scareware product. (Apple has patched macOS against all the individual pieces of malware described here.)

Likewise, OSX/Pirrit, the insidious piece of adware that Serper detailed in his presentation, came with purportedly cracked versions of Microsoft Office or Adobe Photoshop found online. During installation, the package asked the user for his or her administrative password, which the adware then used to gain root privileges and create a new, hidden system account that could install more software. The promised Office or Photoshop application was not actually part of the installer package.

Serper discovered real names belonging to fellow Israelis in Pirrit's code. Through LinkedIn, he found that they worked at a legitimate browser-ad company in Tel Aviv. The company denied involvement, but Serper later discovered that one of the alleged code writers took credit for Pirrit in his resume. 

Tom's Guide has reached out to Apple for comment, and will update this story when we receive a reply.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.