Skip to main content

Macs Being Attacked by Windows Malware

Look out, Mac users! Your machines are under attack -- from Windows malware.

Hey, remember us? Credit: Apple

(Image credit: Hey, remember us? Credit: Apple)

Researchers from Trend Micro yesterday (Feb. 11) said in a blog posting that they'd found an active strain of Mac malware that got past the Gatekeeper program built into macOS by simply being a Windows application, or "executable" in technical terms.

The Windows malware comes hidden in pirated copies of popular Mac shareware programs found on torrent sites. It uses a widely available software-compatibility framework to run on Macs, then gathers system information and tries to install more Mac malware and adware. The Windows malware has already infected Macs in the United States, the United Kingdom, Australia and other countries.

MORE: Best Mac Antivirus Software

You can avoid this threat by not downloading pirated software and by installing third-party Mac antivirus software that checks for Windows malware, such as Kaspersky Internet Security for Mac, Avast Free Mac Security or Bitdefender Antivirus for Mac.

We've asked Apple for comment, and will update this story if we receive a reply.

MacOS' Gatekeeper is good at screening out potentially dangerous Mac software, but it doesn't check Windows executables. Yet Apple may have overlooked Mono, a 15-year-old software framework that lets Windows software run on Unix-based software like Linux, Android and macOS.

Some bad guys had the bright idea of sticking Windows "dropper" malware inside Mac shareware along with enough of the Mono framework to made sure it ran adequately on a Mac. A dropper is an advance party for further infection -- it gets basic system information and then tries to pull down more malware.

Trend Micro found the Windows dropper hidden in corrupted copies of Paragon NTFS (which lets Macs write files to Windows-formatted drives), Wondershare Filmore (a video-editing tool), LennarDigital Sylenth1 (a virtual music synthesizer), Traktor Pro 2 (DJ software) and LittleSnitch (a firewall for Macs). If you've recently installed pirated versions of any of those, you may be infected.

The researchers got the Windows dropper to run just fine on a Mac, watching as it sent a system profile (including the Mac's serial number and a list of all other installed apps) to a remote server and then as it downloaded adware and a fake Adobe Flash Player. But interestingly, the dropper wouldn't run on a PC because it was missing some support files.