Apple Mac devices, while largely considered safer than their Windows and Android counterparts, are vulnerable to a growing number of malicious applications.
More Mac malware was seen in Q2 than in the entirety of 2016, according to researchers at Malwarebytes, which today published a report on Mac and Android threats. Mac malware families hit an all-time high in 2017, with more appearing this year than in any previous year.
"Mac users typically think they're safe, that Macs don't get viruses, and they're being proven increasingly wrong," says Thomas Reed, director of Mac and mobile for Malwarebytes. "The number is much smaller than on Windows, but this is a very concerning trend we're seeing on the Mac," he adds.
Christiaan Beek, lead scientist and principal engineer for McAfee, agrees that Mac malware has increased overall but says trends tend to shift as Apple catches and addresses threats.
"With Mac malware, it goes up and down," Beek says. "Apple's really good at catching malicious apps in their stores … if it's discovered, it's quickly discovered and quickly solved."
Beware of the App Store
Threats like ransomware are still rare on Macs, researchers report. The most significant problems are adware and potentially unwanted programs (PUPs), which began to ramp up in 2013 and have been multiplying since. Despite vetting processes and safety settings, the App Store is not immune to malicious applications.
"If you go into the Mac App Store and search for adware and antivirus, most stuff you find will be junk software that doesn't do what it claims to do," says Reed. "The primary goal is to get the user to purchase an app or service they really don't need and doesn't fulfill the promises it makes."
He cites the example of Proton, a remote access Trojan (RAT) targeting macOS in 2016. Proton is a backdoor developed to exfiltrate password data from sources including macOS keychain, 1Password vaults, and browser auto-fill data. Users were hit with the RAT when they downloaded open-source video conversion tool HandBrake.
The emergence of Proton, which affected consumers and experts alike, was a wake-up call for Mac users to be careful about what they download.
PUPs are difficult to handle because "it's like malware with lawyers," says Reed. There are companies behind the malicious apps on the App Store, he explains, and detecting PUPs can lead to complicated legal matters with businesses developing the software.
"Apple has its own built-in antimalware features, but they don't seem to want to poke at PUPs and adware until they really cross the line," he adds. For example, Apple blocked a form of Genio adware when it used a system vulnerability to download browser extensions on victims' computers.
Who are the Mac attackers?
While the amount of Mac malware is "a drop in the bucket" compared with Windows threats, as Reed says, it's worth taking a closer look at who might be targeting Mac devices and why.
"Honestly, it takes time to write a nice piece of malware for Mac," says Beek, adding that most cybercriminals prioritize mass distribution and quick, fast cash. "Mac is still not their interest," he adds. Mac exploits are also expensive, selling for up to $40K on the Dark Web.
Threat actors who target Macs likely aren't looking for money, he continues, but user data or access. "Mostly what we'd see is a backdoor on the Mac that would try to snoop on you by activating a microphone or keylog strokes, or try to activate a camera."
State-sponsored attackers and governments are looking into Mac exploits and backdoors, says Beek. These actors can afford to develop Mac malware or purchase it online, and they are typically those looking for backdoors to gain access to victims' machines.
Macs are getting more affordable but are still pricey, and people who use Macs in the enterprise are more likely to be nation-state targets. Executives, researchers, developers, and system administrators have high levels of access and appeal to actors seeking corporate data.
Beek anticipates we'll see a slight increase in Mac malware in 2018 as Apple continues to improve its security and attackers explore ways to work around it. Reed also expects an increase, particularly with respect to the number of PUPs populating the App Store.
"Attackers are starting to realize Macs are not invulnerable - they are attackable," says Reed. "So they're trying new things."