Apple Macs are not immune to malicious attacks, but outside of some major nation-state efforts, bad actors continue to use adware as the method of choice to make money from infecting the macOS operating system, new research shows.
Jamf, a provider of tools to manage Apple computers and devices, found that two adware programs, Pirrit and Climpli, make up the lion's share of adware encountered in the last 30 days, while a third program, Shlayer, has dominated over the past year. Often the programs are installed during the installation of legitimate programs as part of an affiliate system, and because they are not outright malicious, they are not always detected by antivirus software.
While some companies don't prioritize adware as a threat, the programs are both invasive and capable, and they can disrupt work, says Jaron Bradley, Jamf's protect detections lead.
In addition, adware's ability to get on Mac systems does not bode well for users, who may be faced with more sophisticated attempts in the future, he says.
"Overall, we are seeing a lot of families of adware on macOS," Bradley says. "If these adware families are able to make it onto your system with these basic approaches to social engineering, then bigger threat actors are almost guaranteed to not have many problems as well."
The report highlights that Macs are not a major target for malware programs. Between Apple's built-in signature-based blocking technology, XProtect, and the company's developer-based notarization of apps, run-of-the-mill malware has had difficulty finding a foothold.
However, adware, which often operates in a gray area between aggressive marketing and outright fraud, is often allowed. Yet adware shows that there are vectors for infecting macOS systems, Jamf researchers say.
The three adware programs described by the firm all demonstrate capabilities that go beyond typical adware programs. In its efforts to push ads to the user, Pirrit — a program linked to an Israeli marketing firm — establishes persistence and gains root access to the Mac system. Shlayer, which drops adware on Mac systems, typically uses fake installers — such as those claiming to install the now deprecated Adobe Flash Player — to fool the user into dismissing any security warnings.
"Adware is still leading the market when it comes to malicious activity on the Mac," Stuart Ashenbrenner, Jamf's protect detections developer, stated during a briefing at the Jamf Nation User Conference. "Over the years, the threat to Mac users has grown as we have seen more sophistication from those who are attacking it."
Jamf found that the top 13 programs detected over the last 30 days were all adware. While the company did not specify the relative volume of adware versus malware seen by Mac users, security firm Malwarebytes found that malware accounts for about 1.5% of the total volume of detections on Mac systems in 2020, compared with potentially unwanted programs (PUPs) and adware, which accounted for 76% and 22% of all detections, respectively.
Still, attackers are looking to go beyond adware. Earlier this year, security firm Red Canary found an installer for a malware framework, dubbed Silver Sparrow, on 29,139 Mac endpoints. The developers for the malware program had already adapted the software to the Apple's latest M1 chip architecture and distributed the malware as a universal binary. The attack, however, was blunted by the fact that the proof-of-concept program had no payload.
In addition, how the malware initially got on those systems remains a mystery, according to Red Canary.
"We suspect that malicious search engine results direct victims to download the PKGs [Mac package format] based on network connections from a victim’s browser shortly before download," the company stated in a blog post analyzing the program. "In this case, we can’t be certain because we don’t have the visibility to determine exactly what caused the download."
Silver Sparrow put its code not in the installer but in the pre-check that installers frequently perform to make sure the software will run on the user's systems. Silver Sparrow used the installation check to install code.
Another program, XCSSET, steals sensitive user and developer information from applications on a Mac system. In addition to stealing passwords from browsers, XCSSET attempts to infect software projects using Apple's Xcode.
The improvements to attacks show that adware and malware developers are becoming more sophisticated in how they are taking on macOS's defenses and bypassing security checks during the notarization process, says Jamf's Bradley.
"Adware and malicious programs are still getting signed and notarized by Apple," he says. "It is still a problem that notarization has not fixed all of the ecosystem's security issues."