For Malware Developers, Mac Moves From Safe Zone To Target Zone

Growth of mobile devices, shortage of strong defenses make Apple look appetizing to authors of malicious code


Security experts weren't all that surprised when they discovered Mac Defender, a rogue antivirus program that is itself malware, on the Macintosh platform last month. After all, Apple's platforms are becoming a lot more popular, particularly in the mobile world.

But when a new version of Mac Defender appeared last week -- just a few weeks after the first version had appeared -- many experts turned their heads. The rapid iteration of malicious code, long a mainstay of Windows malware, apparently is now becoming a reality in the Mac world as well.

Over the Memorial Day weekend, Apple issued a security update (Security Update 2011-003, which also added daily updates for the built-in XProtect malware definitions) that promises to remove all known versions of Mac Defender. Because that protection is signature-based, each new variant has to be caught and added before it is blocked, and experts say the race between malware developers and Apple system defenders has only just begun.

"For a long time, Apple users have had a false sense of security that the Mac couldn't get malware," notes Andy Hayter, anti-malcode manager at ICSA Labs, which does security product testing and certification. "The antivirus vendors haven't been focused on it, because there wasn't much activity. But apparently, the Mac has now reached critical mass."

With the growing use of Apple devices such as the iPhone and the iPad in the mobile world -- and with the growing diversity of browsers and applications in the Windows world -- the Mac is beginning to look like just another fertile target for malware authors, experts say.

"We have certainly seen the exploit kit scripts become more complex as the Windows world has begun serious fragmentation on the browser side," says Chris Larsen, senior malware researcher at Blue Coat Systems, which makes network security and anti-malware tools.

Malware authors are finding that with the evolution of browsers such as Chrome, Opera, and Firefox, writing a new exploit is no longer a Windows-based, one-size-fits-all proposition, Larsen observes. "The bad guys are in a mode where they need to manage a wide variety of exploits anyway, so adding Mac and Linux attacks isn't as big a leap as it used to be."

In fact, from a malware writer's perspective, there might actually be more commonality among some Mac and mobile application environments than there is currently in Windows, notes Neil Daswani, CTO of Dasient Inc., an anti-malware service provider. The open source browser engine WebKit, which has become increasingly popular in the last year or two, provides a common point of attack on multiple environments, including the Mac.

"WebKit is the engine behind Safari, and it's used on the iPhone as well," Daswani observes. "It's also the engine for Chrome and Android, which makes it a great starting point [for writing malware]."

In a blog post last week, McAfee researcher Craig Schmugar posted a chart showing dozens of new and unique Mac OS X malicious binaries appearing during the month of May, outnumbering all of the Mac-based malware detected in the previous four months of the year.

"Is this merely a short-term blip on the radar or the beginnings of a trend for Mac threats? Time will tell," Schmugar writes. "However, rogue security programs in general are generating revenues of hundreds of millions of dollars a year for the bad guys, a powerful incentive. Furthermore, ZDNet estimates that 60,000-125,000 customers have called Apple support this month about such malware. Of course, only a fraction of those infected would actually pick up the phone, so the problem is likely much larger."

Phil Blank, a security analyst at Javelin Strategy & Research, says the growth of Mac-based malware is just one example of the multi-dimensional approach that attackers are adopting toward new exploits.

"We see cybercriminals gathering knowledge and then using it to create new and better attacks," Blank says. "The Sony attacks were a good example -- the bad guys got in and stole the login and password information, then they went back and used that data to launch more exploits. You can expect more attacks that are multidimensional, and the Mac will be one part of that."


About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark Reading, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.
