Popular Mac viruses, malware and security flaws
In this article, we will look at the most common Mac viruses and security flaws, how to detect them, prevent your Mac from getting them, and how to remove them.
The more macOS grows in popularity, the more lucrative it becomes to hackers and rogue programmers, and with no anti-virus, your MacBook is at risk of attack. Viruses on Mac are more common than you might imagine. We’re going to run through known Mac viruses, malware, and security flaws and show you how to keep your computer safe using CleanMyMac X.
Something to note before we continue: a virus is a type of malware, capable of copying itself and spreading across a system. Malware is a blanket term for a wide range of malicious software including adware, spyware, ransomware, and Trojans. So all viruses are malware, but not all malware are viruses if that makes sense?
Okay, let’s dig in.
How a Mac virus infects your system
How does a Mac virus find its way onto your system in the first place? Typically with a helping hand from you.
Apple viruses rely on you downloading a program, clicking a link, or installing an app or plugin.
The most common ways for malware to infiltrate your computer is through third-party browser plugins like Adobe Reader, Java, and Flash, or by using a Trojan horse or phishing scam — an app or email that appears to be from a legitimate source, but is in fact fraudulent. The moment you click on a link and enter details or download the seemingly genuine app, you give the green light for a virus to infect your system.
The best way to avoid a virus on Mac is to be vigilant. Double check every app that you want to download and every email that you receive before following through on an action. If something seems off, there’s every chance that it is.
However, as you’ll see from some of the viruses, in certain cases even vigilance can’t protect you.
Known Mac viruses
1. Microsoft Word macro viruses
What’s that, a Microsoft program bringing its virus-riddled programs over to Mac? Unfortunately, yes.
Macros are commonly used by Word users to automate repetitive tasks and they're a prime target for Malware peddlers. Macro support on Mac was removed by Apple with the release of Office for Mac back in 2008, but was reintroduced in 2011 meaning files opened with macros enabled could run a Python code to log keystrokes and take screenshots of personal data.
In 2017, Malwarebytes discovered malware in a Word document about Donald Trump to the worry of Mac users. However, the chances of being infected rely on you opened that specific file, which is slim.
A warning message that Apple displays anytime a file contains macros should be enough to keep you safe from Word macro viruses.
Safari-get is a denial-of-service (DoS) attack that began targeting Mac in 2016. The malware is hidden behind a link in a seemingly genuine tech support email — you click on the link, the malware makes itself at home on your computer.
What happens then depends on whether you’re running macOS 10 or 11. The first variant takes control of the mail application to force create multiple draft emails. The second force opens iTunes multiple times. The end goal for both is the same: overload system memory to bring your Mac to its knees so that you call up a fake Apple tech support number and hand over your credit card details to a bogus team on the other end of the line.
MacOS High Sierra versions 10.12.2 and above include a patch for this vulnerability, so updating your machine should keep you safe.
OSX/Pirrit is a virus that is able to gain root privileges to take it upon itself to create a new account and download software that you neither want nor need. The virus was found by Cybereason to be hidden in cracked versions of Adobe Photoshop and Microsoft Office that are popular on torrent sites.
A stark reminder, if ever you needed one, to never download pirated software!
Known Mac malware
OSX/MaMi holds the distinction of being the first macOS malware of 2018. It targets Mac users with social engineering methods such as malicious emails and website pop-ups. Once it’s made its way onto a system, the malware changes DNS server settings so that attackers can route traffic through malicious servers and intercept any sensitive data. MaMi is also capable of taking screenshots, downloading and uploading files, executing commands, and generating mouse events.
The Hacker News provides instructions on how to identify the virus on your system:
“To check if your Mac computer is infected with MaMi malware, go to the Terminal via the System Preferences app and check for your DNS settings—particularly look for 188.8.131.52 and 184.108.40.206.”
This piece of Malware is a worrying one in that it is signed with an Apple-authenticated developer certificate, thus allowing it to bypass Mac’s Gatekeeper security feature and XProtect. Like OSX/MaMi, OSX/Dok intercepts all traffic (including traffic on SSL-TLS encrypted websites) moving between your computer and the internet to steal private information.
Since it arrived on the scene in April 2017, Apple has revoked the developer certificate and updated XProtect, however, it remains one to look out for.
Fruitfly malware has stolen millions of user images, personal data, tax records and “potentially embarrassing communications over a 13 year period by capturing screenshots and webcam images. Researchers are unsure how the near-undetectable “creepware” finds its way on to Mac systems and while Apple has been working to patch the issue, it’s unknown if newer versions still exist in the wild.
X-agent is classic malware capable of stealing your passwords and iPhone backups and taking screenshots of sensitive data. It has mainly targeted members of the Ukrainian military, which is very bad, of course, but if you're not a member of Ukrainian military you’re unlikely to be affected.
While its name suggests it could be a useful app, MacDownloader is a very nasty piece of malware programmed to attack the US defense industry. It’s hidden inside a fake Adobe Flash update and shows a pop-up claiming your system is infected with adware. By clicking on the alert and entering your admin password, MacDownloader lifts sensitive data, including passwords and credit card details, and sends it to a remote server.
MacDownloader is designed to attack a particular audience, but it’s worth checking for updates on Adobe’s official website before installing any new version of Flash.
KeRanger is macOS’s first introduction to ransomware — malware that encrypts system files and demands a ransom to decrypt them. It was bundled in with the torrent client Transmission version 2.90 and installed at the same time, using a valid Mac app certificate to sneak through Apple security. Once document and data files are encrypted, KeRanger demands payment in bitcoin for the malware to be removed.
Transmission has released an update to remove the malware and Apple has removed KeRanger’s GateKeeper signature to protect users. If you’re using Transmission 2.90, head over to the Transmission website to download the latest update.
Known Mac security flaws
1. Goto fail bug
The Goto fail bug was a bit of an embarrassing one for Apple in that the security flaw was as a result of its own doing. A bug in Apple’s SSL (Secure Sockets Layer) encryption meant that a Goto command was left unclosed in the code, thus preventing SSL from doing its job to protect users of secure websites. The flaw put communications sent over unsecured Wi-Fi (the hotspots you use at the mall and in coffee shops) at risk, allowing hackers to intercept passwords, credit card details, and other sensitive information.
Apple has since patched the issue on macOS, but it certainly makes you think twice about how you browse the web on your MacBook in a public place.
2. Meltdown and Spectre
In January 2018, it was announced that there was a flaw in Intel chips used in Macs, giving rise to the dastardly duo of Meltdown and Spectre.
The Meltdown and Spectre issues take advantage of a modern CPU performance feature called speculative execution. Speculative execution improves speed by operating on multiple instructions at once—possibly in a different order than when they entered the CPU. To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.
The Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory—including that of the kernel—from a less-privileged user process such as a malicious app running on a device.
Meltdown and Spectre affects all Mac systems, but Apple insists there are no known exploits currently impacting customers. macOS 10.13.2 and above includes a patch to protect against both flaws.
3. High Sierra “root” bug
As far as security flaws go, High Sierra’s “root” bug is a pretty big one. The flaw, which was discovered by software developer Lemi Orhan Ergin, allowed anyone to gain root access to a system by leaving the password field blank and trying multiple times in a row. So, anyone with physical access to your system, or access via remote desktop or screen-sharing, could type in “root” and hit enter a few times to gain full control of your Mac. Scary thought, huh?
Apple has recently released an official fix for the flaw, but it’s worth taking care about who shares access privileges on your Mac.
How to recognize a virus on Mac
So how do you spot a virus on your MacBook Pro or iMac? In the case of ransomware like KeRanger or a DoS attack like Safari-get, the issue is in your face. With other malware, however, the infection is less obvious.
A few of the tell-tale signs include:
- Unexpected system reboots
- Apps closing and restarting for no reason
- Browsers automatically installing suspicious updates
- Web pages obscured with ads
- Drop in system performance
How to avoid a virus on Mac
We briefly covered this at the top of the article, but there are measures you can take to help safeguard your system:
- Always check the source of an email by looking at the address of the sender
- Avoid pirated software
- Avoid software and media downloads from torrent clients
- Avoid apps or pop-ups that ask you to “fix” an infected Mac
- Never download codecs or plug-ins from unknown websites
- How to remove a virus on Mac
If you suspect a Mac virus has infected your system, it’s important to address the problem immediately. There are two ways that you can do this: manually or with CleanMyMac X.
How to remove a virus on Mac manually
To remove a virus manually, the first thing to do is find out what’s causing the problem.
The chances are it could be a downloaded file, so go to your Downloads folder and search for .DMG files. If the file is unfamiliar, delete it and empty the Trash.
If an app is the issue, go to your Applications, drag the icon of the culprit to the Trash bin and empty the Trash immediately.
Both of these methods offer a quick fix, but neither is the most comprehensive of solutions. The way in which viruses work means that the infection could have spread to system folders. If the problem persists, opt for the more robust CleanMyMac 3.
How to remove malware on Mac with CleanMyMac X
CleanMyMac X is designed to detect and remove malware threats from your Mac, including adware, spyware, ransomware, worms, and more.
If malware is lurking within your Mac, it won’t be after CleanMyMac is done with it.
- Download CleanMyMac X (free download) and launch the app.
- Click on the Malware Removal tab.
- Click Scan.
- Click Remove.
CleanMyMac X will remove all malicious files and apps sending the malware into oblivion.
Keep your Mac virus-free
For the most part, using a Mac is a pleasant, malware-free experience, but no computer is ever 100% virus-free. Keeping abreast of known Mac viruses so that you know what to look for and airing on the side of caution when downloading software will help keep your system running smoothly. And if a rogue app does make its way on your system, keep CleanMyMac X close to hand to remove it immediately and completely.