A Rogues' Gallery of MacOS Malware
MacOS isn't immune from malware. Being prepared means understanding the nature of the worst threats a security team is likely to see attacking Macs in the enterprise.
May 28, 2020
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt158a8837a149c68f/64f0d426671a881827fc4708/Image_1.jpg?width=700&auto=webp&quality=80&disable=upscale)
For years, Apple Macintosh users basked in a confident glow of invincibility. It was, as it turns out, the glow from a false light. MacOS is no less susceptible to malware than any other operating system, a situation made plain in recent reports on the state of cybersecurity.
In the "2020 State of Malware Report" published by MalwareBytes, researchers saw a 400% increase in MacOS malware from 2018 to 2019, bringing it to a point at which malware detections per endpoint for the Macintosh were more than double those of Windows.
At the same time, the types of malware most prevalent on the different platforms have significant differences. Windows malware is frequently aimed at capturing information or gaining control of enterprise networks and systems; the most common MacOS malware is intended to deliver unwanted advertisements to users or send them to a website they didn't intend to visit.
Even the language used to describe the threats to the platforms is different. Many of the pieces of malware for MacOS are described as PUPs -- potentially unwanted programs. That implies programs could be legitimate software for some users, but not everyone. These might be thought of as similar to the dozens of "utility" programs that have frequently come preinstalled on Windows computers. While some were useful for some users, many were, at best, unwanted clutter that soaked up valuable storage space.
If so much of the malware aimed against MacOS is intended for consumers, why should enterprise IT security teams care? Part of the reason is that consumers come to work and become employees. If their workstations contain unwanted software, then they can be distracted and their legitimate web activities hijacked to show them unwanted ads. Beyond the demand for employee attention, the programs and technologies that load this "adware" onto computers could conceivably be repurposed to deliver much more dangerous payloads in the future if those payloads were considered more profitable for the criminals than the current ad networks.
The rogues' gallery presented here includes the most common MacOS malware and some of the most dangerous. In each case, it's software loaded without the informed permission of the user and can be far more difficult to unload than to load. It is, in short, malware, no matter its specific designation.
(Image: WhataWin VIA Adobe Stock)
Shlayer doesn't make the list because it's incredibly sophisticated or breathtakingly dangerous. It makes the list because it's effective and prolific, hitting an estimated 10% of all Macs in 2019 and being responsible for nearly one-third of all intrusion attempts detected against the platform in the same year.
Shlayer is a downloader that masquerades as an installation tool for a supposedly necessary application update; Adobe Flash Player is a frequent alias for the malware. Once the button to begin the installation is clicked, Shlayer uses a variety of simple tactics to disguise system security warnings and trick users into giving the application permission to proceed.
Once on the victim's system, Shlayer has typically fetched a combination of adware programs that insert browser helpers and DNS redirection tools. It's important to note, though, that there's no technological reason Shlayer couldn't also be used to download far more destructive malware, especially since its ubiquity doesn't seem likely to diminish anytime soon.
NewTab is adware that loads itself as a browser extension that purports to be a tracker for flights or packages, but instead offers unwanted advertisements, changes the browser's home page, and changes the system default search engine.
As with other MacOS malware, user involvement is required for successful infection. In particular, browser helpers and other applications not downloaded from Apple's App Store require positive user confirmation before execution. Malware authors know this and provide pop-up overlays and rewritten display code to entice users to click on a button that promises safety while delivering chaos.
NewTab is primarily damaging to worker productivity, though the search engine redirect may have direct enterprise consequences in some application environments. In all cases, telling employees to let IT staff handle all upgrades and updates can help keep software like NewTab from gaining a foothold in the first place.
PCVARK is a company that develops and publishes a number of different PUPs. The adventure in getting these PUPs onto a particular Macintosh begins with users clicking on a link and downloading a loader that brings other pieces of software aboard. These programs use various tricks to convince users to open them, and then either to visit the websites they suggest or to spend money on subscriptions they may or may not really want. One trick of PCVARK, though, is particularly sneaky and effective.
The support files surrounding every MacOS application always include a PLIST that sets, in plain text, various parameters for the application. One parameter is the type of file (.doc or .jpg, for example) that automatically opens with the application. PCVARK applications tend to have dozens or scores of file types listed, and that's the tricky part.
A PCVARK application won't become, say, the primary application for .docx files. What it will do, though, is open if users double-click on a file for which they don't have another application association. When the application opens, it's likely to look like a dialog sending users to a website, and then they've become the latest victim of the scheme.
This one is interesting and shows just how important the "potentially unwanted" part of PUP can be. It's interesting because MacKeeper is legitimate software that many customers have willingly purchased as part of their Mac's security scheme. And it's interesting because some MacKeeper affiliates have wrapped the software's downloader in packaging that makes fake claims about nonexistent malware in order to frighten victims into becoming customers.
PUP.MacKeeper tends to show up when a user has visited a malicious website or clicked on a fraudulent link. In either case, a "warning" will pop up claiming that the victim's computer is infected with some horrifying (and quite possibly nonexistent) malware that must, this instant, be removed by downloading and purchasing MacKeeper.
The most recent owner of MacKeeper, Clario Tech Ltd., no longer engages in these shady distribution schemes. Since its ownership is new, though, careless users are still liable to run into fake MacKeeper sites. Careful Web hygiene and staying away from the less reputable corners of the Internet are the most reliable ways of preventing infection from MacKeeper and other rogue PUPs.
OS X.Generic.Suspicious is a family of adware downloaders that uses tactics similar to those already discussed to load a variety of PUPs and pure adware applications onto a victim's computer. In most cases, this adware uses a fake malware warning to convince the user that a piece of fake anti-malware software must be installed. Instead of protection, the victim installs a tangled rat's nest of adware.
In the case of OS X.Generic.Suspicious, as with many other types of this software, the greatest expense comes in the time required to wipe it off of a victim's computer. These pieces of malware tend to scatter bits and pieces of themselves across the data storage landscape, modify startup parameters in multiple ways, and take advantage of MacOS's Unix underpinnings to install and protect themselves in ways that a knowledgeable staff member working from a terminal window must clean up by hand.
Genieo is a browser hijacker that substitutes its own home page and search engine for those the user chose and uses the new options to deliver unwanted ads and additional PUPs. A hazard to Mac users for nearly a decade, OSX.Genieo is considered the parent of similar malware, including Only Search, MacShop Ads, and MacVX.
OSX.Genieo uses a variety of different techniques to make itself difficult to find and very difficult to fully remove from a system. The obfuscation techniques include polymorphic code obfuscation and purported uninstaller packages that actually install additional unwanted software.
While most instances of OSX.Genieo simply hijack a victim's browser, there have been scattered reports of more significant damage to a system, including computers rendered unbootable when specific Genieo components were removed, passwords and user names encrypted and locked, and sensitive information exfiltrated from infected systems.
FakeFileOpener is just that: a piece of malware that includes hundreds of file types in the PLIST defining its relationships. When a file type with no other program associated is double-clicked by the user, FakeFileOpener springs into action, often offering a MacOS cleaner or optimizer to help solve problems the system probably doesn't have.
As with so many of these Mac malware programs, FakeFileOpener's ultimate game is to install adware and redirect the user to malicious websites and search engines. FakeFileOpener also shares removal difficulty and widely spread software components with its related applications in an attempt to remain resident for as long as possible and to be as hard to remove as can be arranged.
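The PLIST trick that PCVARK and FakeFileOpener share, an app bundle registering dozens or hundreds of file types so it is launched for any file with no other association, leaves a plain-text fingerprint in the bundle's Info.plist. The script below is an added example, not code from the article or from any vendor: it parses the CFBundleDocumentTypes array with Python's standard plistlib, counts the document types and the distinct extensions the bundle claims, and flags bundles above a threshold. The threshold of 50, the sample bundle identifiers and the constructed plists are assumptions for the demonstration; on a real Mac the same `assess` function can be pointed at each `*.app/Contents/Info.plist`.

```python
"""Flag app bundles whose Info.plist claims an unusually large number of
document types. Added example built on the standard library only; the
sample plists below are constructed for the demo, and the threshold and
bundle identifiers are assumptions rather than values from the article."""
import plistlib
from pathlib import Path
from typing import Iterable

# Assumed threshold: ordinary editors register a handful to a few dozen
# document types; a bundle claiming hundreds deserves a closer look.
SUSPICIOUS_TYPE_COUNT = 50


def document_types(info_plist: bytes) -> list:
    """Return the CFBundleDocumentTypes array of a parsed Info.plist (or [])."""
    info = plistlib.loads(info_plist)
    types = info.get("CFBundleDocumentTypes", [])
    return types if isinstance(types, list) else []


def claimed_extensions(info_plist: bytes) -> set:
    """Collect every extension (CFBundleTypeExtensions) the bundle claims,
    lower-cased so duplicates across entries collapse."""
    exts = set()
    for entry in document_types(info_plist):
        for ext in entry.get("CFBundleTypeExtensions", []):
            exts.add(str(ext).lower().lstrip("."))
    return exts


def assess(info_plist: bytes, threshold: int = SUSPICIOUS_TYPE_COUNT) -> dict:
    """Summarise a bundle's document-type claims and decide whether they
    cross the threshold. A literal "*" extension (the legacy catch-all
    claim) is flagged on its own, whatever the count."""
    types = document_types(info_plist)
    exts = claimed_extensions(info_plist)
    wildcard = any("*" in entry.get("CFBundleTypeExtensions", []) for entry in types)
    return {
        "bundle_id": plistlib.loads(info_plist).get("CFBundleIdentifier", "<unknown>"),
        "document_types": len(types),
        "extensions": len(exts),
        "wildcard": wildcard,
        "suspicious": len(types) >= threshold or len(exts) >= threshold or wildcard,
    }


def make_plist(bundle_id: str, extensions: Iterable[str]) -> bytes:
    """Build a minimal Info.plist (constructed test data) with one
    document-type entry per extension."""
    doc_types = [
        {"CFBundleTypeName": f"{ext} file",
         "CFBundleTypeRole": "Viewer",
         "CFBundleTypeExtensions": [ext]}
        for ext in extensions
    ]
    return plistlib.dumps({"CFBundleIdentifier": bundle_id,
                           "CFBundleDocumentTypes": doc_types})


# Constructed samples: a plausible text editor, and a bundle claiming
# 300 made-up extensions the way the file-opener PUPs do.
EDITOR_PLIST = make_plist("com.example.editor", ["txt", "md", "rtf", "csv"])
OPENER_PLIST = make_plist("com.example.fakeopener",
                          [f"ext{i:03d}" for i in range(300)])


def scan_bundles(app_dirs: Iterable[Path]) -> list:
    """Assess real bundles: each app_dir/Contents/Info.plist that exists."""
    results = []
    for app in app_dirs:
        plist_path = Path(app) / "Contents" / "Info.plist"
        if plist_path.is_file():
            results.append(assess(plist_path.read_bytes()))
    return results


if __name__ == "__main__":
    for sample in (EDITOR_PLIST, OPENER_PLIST):
        print(assess(sample))
    # On a Mac: for r in scan_bundles(Path("/Applications").glob("*.app")): print(r)
```

The count of distinct extensions is checked separately from the count of document-type entries because a bundle can pack many extensions into one entry; either measure crossing the threshold is enough to surface the bundle for review, and hits can then be cross-checked against where the bundle came from (App Store, a known vendor, or a "Flash update" download).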