Mac Attackers Remain Focused Mainly on Adware, Fooling Users

Despite reports that Macs have encountered more threats than Windows systems, the platform still sees far fewer exploits and malware - including ransomware.

The year 2020 kicked off with reports that Mac cyber threats had taken off, with machines encountering twice as many threats as Windows systems. But as the year came to a close, the average user of the Mac OS continued to see fewer malware and ransomware threats than Windows users, security experts say.

In February of 2020, endpoint security firm Malwarebytes reported that its Mac users encountered about twice as many "threats" as Windows users. Those threats, however, consisted mainly of potentially unwanted programs (PUPs) and adware, not malware.


While the data for the entire year has not been fully analyzed, the trend seems likely to continue, says Thomas Reed, director of Mac and mobile for Malwarebytes.

"On Windows, we have all sorts of exploits that happen—it is a much more common thing on the Windows side to, say, visit a website and suddenly your machine is infected," he says. "That really does not happen on the Mac OS."

Apple has typically benefited from its minority market share among desktop and laptop systems as well as from a more tightly controlled ecosystem. Binaries must typically come from either the Apple App Store or a recognized developer; otherwise the user has to explicitly allow the program to install, a control more restrictive than the AppLocker policy on Microsoft Windows.
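To make the control described above concrete, the following added example (not from the article, and not Apple's or Malwarebytes' code) triages a downloaded Mac binary the way an analyst would: it asks Gatekeeper's `spctl` tool whether the file would be allowed to execute and checks for the `com.apple.quarantine` attribute that marks a download. The `triage()` wrapper only works on macOS; the parsers are pure functions tested offline on constructed tool output, and the quarantine flag bits are left undecoded.

```python
"""Gatekeeper/quarantine triage helper (added example, assumptions noted inline)."""
import subprocess
from datetime import datetime, timezone


def parse_spctl(output: str) -> dict:
    """Parse `spctl --assess --type execute -vv <path>` output, e.g.
        /Applications/Foo.app: accepted
        source=Notarized Developer ID
        origin=Developer ID Application: Example Corp (TEAMID)
    A rejected file prints '<path>: rejected' and a source such as
    'no usable signature'; anything not marked accepted is treated as rejected."""
    verdict = {"accepted": False, "source": None, "origin": None}
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(": accepted"):
            verdict["accepted"] = True
        elif line.startswith("source="):
            verdict["source"] = line[len("source="):]
        elif line.startswith("origin="):
            verdict["origin"] = line[len("origin="):]
    return verdict


def parse_quarantine(xattr_value: str) -> dict:
    """Decode com.apple.quarantine: 'hexflags;hex_epoch;agent;uuid'.
    Flag bit meanings are intentionally not interpreted (kept as an int)."""
    parts = xattr_value.strip().split(";")
    if len(parts) < 3:
        raise ValueError("unexpected quarantine attribute format")
    downloaded = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    return {"flags": int(parts[0], 16), "downloaded": downloaded, "agent": parts[2]}


def needs_user_override(verdict: dict, quarantined: bool) -> bool:
    """Gatekeeper only intervenes for quarantined files it does not accept;
    that is the point at which the user is asked to allow the program."""
    return quarantined and not verdict["accepted"]


def triage(path: str) -> dict:
    """macOS only (hypothetical wrapper): run the real spctl and xattr tools."""
    spctl = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", path],
                           capture_output=True, text=True)
    xattr = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                           capture_output=True, text=True)
    verdict = parse_spctl(spctl.stdout + spctl.stderr)  # spctl reports on stderr
    quarantined = xattr.returncode == 0 and bool(xattr.stdout.strip())
    return {**verdict, "quarantined": quarantined,
            "needs_user_override": needs_user_override(verdict, quarantined)}
```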

Not Immune, Though
However, Apple's operating systems—both Mac OS and iOS—are certainly not immune to attacks.

A recent report by The Citizen Lab at the University of Toronto underscored that the commercial sale of zero-click exploits in iMessages, for example, continues to allow governments to buy access to target dissidents. Now, malware families that have previously only targeted Windows, and sometimes Linux, are also being ported to target Macs, says Ian Davis, a senior threat researcher at BlackBerry.

"Historically MacOS threats mainly centered around adware and trojanized downloaders of well-known software," he says. "While these less-than-lethal families are still the majority of encountered samples, advanced attacks and toolsets are now being developed and deployed along with their counterparts for Windows and Linux."

Overall, the sophistication of MacOS threats is increasing, the two researchers say. Previously encountered families on Windows or Linux are also now targeting MacOS systems. In 2020, the community saw increased cases of ransomware, botnet campaigns, and information-stealing backdoors in MacOS environments.

Mac User = The Vulnerability
While at least a quarter of the threats encountered by Windows systems are malware, less than 1% of those encountered by Mac systems are considered malware, Malwarebytes stated in its February report. Instead, attackers targeting the Mac look to fool the user into taking the necessary steps to allow malware to run. 

The tactics underscore that the user has become the most significant vector for running dangerous code on these systems, so companies should make sure to train Mac users to be more aware of security threats, says BlackBerry's Davis.

"Users should exercise caution downloading or running software from untrusted sources and granting any added permissions, regardless of their chosen operating system or architecture," he says. "Threats continue to largely rely on users running the executable and/or granting administrator rights during execution rather than making use of exploits to escalate privileges and obtain persistence."

An interesting side effect of Apple's focus on tools to strengthen user privacy is that attackers are often blocked from accessing data on Macs, notes Malwarebytes' Reed. An attacker that wants access to the user's address book, for example, will need to gain specific rights, an action that gives the user another chance to recognize an attack.

"Because of some of the privacy protections that Apple is putting in place, in order to do that, I have to figure out a way to trick the user into giving me access into all the protected data locations on the system, such as Calendars, Addresses," he says.

"Mac OS is far from invulnerable when it comes to the attacker's perspective," says Malwarebytes' Reed. "I am always telling people at conferences—somewhat facetiously—that I'm disappointed in what some of the Mac malware does, (but) as long as you know that your target will fall for what you are doing, then why bother with something sophisticated."

Meanwhile, attackers overall are upping their game, and those developing malware for Macs are continuing to incorporate tactics pioneered by malware families on Windows and Linux, BlackBerry's Davis notes.

"The old adage that MacOS is not susceptible to malware is far from the truth and the gap between Windows and MacOS threats is closing," he says.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
