MacDefender is a malware scam that poses as a virus alert. The alert is fake and is intended to prompt the user to download malware to their Mac. When it was first discovered, it was reported widely, as it was the first time malware had posed a real threat to Mac users, and it took Apple several weeks to issue an update to remove it.
What is MacDefender?
MacDefender was first discovered in 2011 and was described as the first major malware threat to Mac devices. However, MacDefender, also known as Mac Guard, didn’t do any actual damage itself. Instead, it posed as a virus scanner that appeared when a user clicked on an image in Google Image Search.
Search results were poisoned with malware posing as images. Once the false virus scanner had “finished scanning,” it told the user that their computer was infected, and the only way to remove the virus was to pay between $59.95 and $79.95 for a tool called MacDefender.
There was no such tool; the whole thing was a scam designed to extort money and steal personal and financial data. After several weeks, Apple eventually provided a patch to automatically find and remove MacDefender.
What damage does it do?
MacDefender’s main objective is to steal credit card data and persuade you to pay for a non-existent antivirus program. So, it doesn’t do any damage to your Mac as such. However, you should still try to avoid it and remove it immediately if you spot it.
How does MacDefender infect Macs?
Even though Apple provided a patch to find and remove MacDefender, it’s possible that it’s still out there. Thus, it’s important to know how MacDefender malware infects Macs.
MacDefender is a kind of trap that mimics legitimate pop-up windows, posing as malware alerts and virus scans. It usually manifests on dangerous websites with ads.
Through these fake malware alerts, MacDefender attempts to convince users that their Mac is infected with viruses. The antivirus solution that’s offered is, ironically, actually malware. If the user is fooled into downloading the “antivirus,” they’re asked to pay as much as $80 to “activate the software.”
Once the malware is on the target device, it gets to work as a browser hijacker, redirecting you to websites that the attacker wants you to go to. It will also cause you to see more ads with more malware.
Finally, the attackers will steal your personal data and files and move them to their own third-party server.
Common symptoms of MacDefender malware on your Mac
There are some common ways to see if your Mac has a MacDefender infection.
Pop-up virus scans
The biggest giveaway that MacDefender is on your Mac is when pop-up windows appear telling you that you have a virus on your computer.
The attackers behind this threat try to lower your defenses by making these pop-ups look and feel like the kind of macOS alerts you see on a daily basis. But you should be very suspicious if you see pop-ups with virus claims. macOS would never do this.
The pop-ups won’t take no for an answer
Another tell-tale sign is when pop-ups won’t go away and keep coming back to pester you, especially right after you close them.
You might expect persistence from legitimate antivirus platforms, but legitimate platforms will not use alarming or passive-aggressive language to strong-arm you into downloading their product right away.
Your Mac will grind to a halt
Malware of all descriptions needs CPU power to work. Once malware sets up shop on your device, various scripts can drain nearly all of your CPU and battery power to run their activities and exfiltrate your data.
This massive allocation of CPU means that legitimate system processes, as well as your internet speed, will slow down.
Your browser starts acting funny
Another part of the system that will be affected is your browser. MacDefender is partly a browser hijacker, so it will change various aspects of your browser, such as your homepage, default search engine, startup behavior, and security settings. It can also redirect your normal browsing activities to malware-infected websites that are under the attackers’ control.
MacDefender invites more malware to the party
MacDefender may lead to additional forms of malware infecting your machine. You can usually find these apps in your Applications folder with low-quality icons and odd, nonsensical names.
They want you to pay
At the end of the day, cyber attackers want to be paid. It’s the only reason they do what they do (except for those who also enjoy the chaos element of it).
If a pop-up window demands payment for something, it is most likely a scam or malware. Don’t pay!
How to avoid MacDefender
The first step is, like with any malware, to be careful what you click on the web. This is more difficult with MacDefender because it places images in Google Image Search, and so they look legitimate.
If you click on an image and see the notification or a window that looks like a fake virus scan, close your browser window immediately. If necessary, Force Quit it.
It’s possible that MacDefender may start downloading itself to your Mac without you doing anything. In that case, open the Downloads window and cancel the download.

How to remove MacDefender malware: The manual way
If MacDefender installs itself before you get a chance to stop it, do the following:
- Launch Activity Monitor from Applications > Utilities.
- In the list of processes, search for MacDefender, MacSecurity, or MacProtector.
- If you find a process with any of those names, use the “x” in the toolbar to quit the process.
- Quit Activity Monitor.
- Search your Applications folder for applications with any of those names and if you find one, drag it to the Trash.
MacDefender also installs a Login Item. To delete that, click on the Apple menu and launch System Preferences:
- Choose Users & Groups.
- Select your user.
- Click on Login Items.
- Press the “-” next to MacDefender.
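The same checks can be run from Terminal. The script below is an added example, not part of the original article or any Apple tool: it only reports matches and deletes nothing. The three names come from the steps above; the function names, the exact-name matching rule, the ".app" bundle suffix and the use of ps and osascript to gather the lists are assumptions.

```shell
#!/bin/sh
# Added example: read-only check for the names listed in the manual steps.
# The three names are from the article; everything else is an assumption.
NAMES='MacDefender|MacSecurity|MacProtector'

# Reads a process listing on stdin (one executable path per line, as
# printed by `ps -ax -o comm=`) and prints lines where one path component
# is exactly a listed name or "<name>.app". Names that merely contain a
# listed name (for example "MacSecurityAgent") are not reported.
match_processes() {
    grep -E "(^|/)($NAMES)(\.app)?(/|\$)" || true
}

# Prints any "<name>.app" bundle found directly inside the given folder.
find_apps() {
    dir=$1
    for name in MacDefender MacSecurity MacProtector; do
        [ -e "$dir/$name.app" ] && printf '%s\n' "$dir/$name.app"
    done
    return 0
}

# Reads a comma-separated list of Login Item names on stdin and prints
# the entries that are exactly one of the listed names.
match_login_items() {
    tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -x -E "$NAMES" || true
}

# Gathers the three lists from the running system and reports matches.
scan_live() {
    echo "Processes:"
    ps -ax -o comm= | match_processes
    echo "Applications:"
    find_apps /Applications
    echo "Login items:"
    osascript -e 'tell application "System Events" to get the name of every login item' \
        | match_login_items
}

# Run the live check only on macOS; elsewhere the functions are just defined.
if [ "$(uname -s)" = "Darwin" ]; then
    scan_live
fi
```

An empty section in the output means nothing with those names was found in that place. macOS may ask for permission before Terminal is allowed to read Login Items.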
How to remove MacDefender: The easy way
There is another way to get rid of MacDefender. CleanMyMac has a malware utility that recognizes MacDefender and can remove every trace of it at the click of a button. It starts by scanning your Mac for malware, and so the app will also report on and remove any other malware it finds on your Mac.
- Download CleanMyMac.
- Launch the app.
- Choose the Protection tab.
- Click Scan.
- Click Remove.

What to do if you entered credit card details
Call your credit card company and tell them what’s happened. Give them all the details of where and when it happened. They will cancel your card, so the hackers won’t be able to use the details they stole from you for further transactions.
You should also use the steps described above to remove MacDefender from your Mac.
It’s now a decade since MacDefender was discovered and since Apple updated macOS to remove it. So, there should be little risk of you encountering it. However, if you do come across it or any other fake virus alert, the best thing to do is ignore it and restart your browser if necessary. Don’t ever hand over your credit card details.
If you think you may have downloaded MacDefender, there are a couple of ways to remove it, as described above, including using the malware utility in CleanMyMac.