Archive for February 13, 2020

Thursday, February 13, 2020

How Important Our Phones Are

John Gruber:

Yes, phones that cost $1,000 or more are expensive. Yes, that’s outside the budget for most people. But why in the world would anyone argue this is ”hard to justify”? Phones are, for most people, the most-used computing device in their lives.


There are way more people on the planet who’d rather have a $1,400 phone and a $400 laptop than the other way around.

Phones are too important to be limited to software approved and sold by their platform vendor.

macOS 10.15.3 Update Doesn’t Create APFS Snapshot

Mr. Macintosh:

Something happened in the latest set of Apple updates released on January 28th. The Automatic Backup Snapshots are no longer working!!! At first, I thought it only happened on the 10.15.3 Combo update. I then checked the 2020-001 Security Update on High Sierra and it’s not working either!

I found this out while I was writing another article on Catalina Logs. I built a 10.15.2 device and updated it to 10.15.3. I booted to recovery to restore the from the automatic snapshot only to find that it was missing!


I am not totally sure what’s going on here, if I had to guess this a bug. I wanted to let you know about this. The last thing you want to do is rely on that automatic backup snapshot only to find out it was never created.

Plus, the installer apparently purges any snapshots that you made manually.


2020 State of Mac Malware

Malwarebytes Labs:

Mac threats increased exponentially in comparison to those against Windows PCs. While overall volume of Mac threats increased year-over-year by more than 400 percent, that number is somewhat impacted by a larger Malwarebytes for Mac userbase in 2019. However, when calculated in threats per endpoint, Macs still outpaced Windows by nearly 2:1.

Emphasis added. This sounds really bad at first, like the number of Mac threats is growing in proportion to the (larger) number of Windows threats. But I guess they are just using the non-technical meaning of “exponential,” so the whole thing boils down to “more than.”

The full PDF report:

Of all the threats seen this year, only one incident involved anything other than tricking the user into downloading and opening something they shouldn’t. That is the incident in which Coinbase, and several other cryptocurrency companies, were targeted with malware that infected systems through a Firefox zero-day vulnerability. Affected systems were infected with the older Wirenet and Mokes malware. This was the first time such a vulnerability had been used to infect Macs in any significant way since 2012, when Java vulnerabilities were used repeatedly to infect Macs (until Apple ripped Java out of the system, ending the threats). Beyond that what we saw was a virtual landslide of adware and PUP detections, far outpacing growth on the Windows side. While these threats are not considered as dangerous as traditional malware[…]


We define “traditional malware” as malicious software such as backdoors, Trojans, and spyware.


Among the top 10 Mac threats (for both consumers and businesses) are a mix of PUPs and adware. The PUPs are a variety of mostly “cleaning” apps that have been determined as unwanted[…]

So the words “threat” and “malware” also have unexpected definitions that include potentially unwanted apps and adware.

Sara Morrison:

The amount of malware on Macs is outpacing PCs for the first time ever, and your complacency could be your worst enemy.

“People need to understand that they’re not safe just because they’re using a Mac,” Thomas Reed, Malwarebytes’ director of Mac and mobile and contributor to the report, told Recode.


“There is a rising tide of Mac threats hitting a population that still believes that ‘Macs don’t get viruses,’” Reed said. “I still frequently encounter people who firmly believe this, and who believe that using any kind of security software is not necessary, or even harmful. This makes macOS a fertile ground for the influx of new threats, whereas it’s common knowledge that Windows PCs need security software.”

This sounds unnecessarily alarmist compared with the contents of the report, and I remain convinced that for most users Apple’s built-in security measures are sufficient. I’ve seen far more Mac problems caused by anti-virus software than actual viruses.

Ben Lovejoy:

Third, and most crucially of all, Mac malware is not a virus. These are not apps that can spread from machine to machine, installing themselves. macOS doesn’t allow unsigned apps to be installed without user permission.


Update (2020-02-14): Apple:

Apple is committed to providing great experiences that respect customer privacy and security. When joining the Apple Developer Program and accepting the Program License Agreement, developers agree to ensure that their software is safe and secure for their users. They also agree to cooperate with Apple systems, such as the notary service, designed to help protect users from malware (e.g., viruses, trojan horses, backdoors, ransomware, spyware) or malicious, suspicious, or harmful code or components when distributing Developer ID–signed Mac software outside the Mac App Store. The examples below are provided to help clarify some of the behavior that is not permitted for Mac software distributed in this way.

Via Jason Snell:

It seems that many of the items in Malwarebytes’ report have gotten the hammer from Apple and are no longer actively circulating. The report’s long list of Mac software is an alert that the Mac is now a much more enticing target for makers of adware and other scam software. It certainly can’t be a coincidence that Apple is stepping up enforcement of its policies at the same time that the number of these sleazy apps is increasing.


It’s valid to wonder if the Mac’s reputation for being a safe harbor leads some Mac users to make bad security choices. But “Macs don’t get viruses” is a statement that is still overwhelmingly true. Even if it makes it awfully hard to sell Mac anti-malware software.

Update (2020-02-17): Nick Heer:

So the chance of experiencing malware — not adware or what Malwarebytes calls “potentially unwanted programs”, but malware — on a Mac actually fell in 2019, according to this report.

Michael Nordmeyer:

Cleanfox and are still being featured on the iOS app store in a “Declutter Your Digital Life” story

Thomas Reed:

“Macs don’t get viruses” is a statement that is still overwhelmingly true.

I see so many people getting infected because they believe this...

Also, keep in mind that adware and PUPs are not harmless. They engage in scams, intercept network traffic, exfiltrate sensitive user data (like browser history), and open all kinds of security holes that could be taken advantage of by more malicious software.

Jason Snell:

As I wrote, “It’s valid to wonder if the Mac’s reputation for being a safe harbor leads some Mac users to make bad security choices.”

That said, I do think you and your employer are stoking fear and that Malwarebytes benefits from that fear. I’m not surprised you take exception.

Apple has multiple methods of stopping bad actors and has stepped up its game in recent months. This third party stuff is almost worthless unless you are making some very bad decisions

Update (2020-02-22): Matt Deatherage:

“Corresponding” in this context means “we saw five times as many things we considered threats in 2019, but we also had five times as many copies of our software running.” Similarly, there is no real way for readers to know if detecting more malware per “endpoint” (a single computer running Malwarebytes for Mac) means that there was more malware out there, or if Malwarebytes just got better at detecting it.

Or maybe it just aggressively blocked more programs. Installing antivirus software means substituting the vendor’s judgment for your own. For example, Malwarebytes says the fourth-most detected item on Macs was the “potentially unwanted program,” or PUP, called “JDI.” That’s the name the company gives to a few launch daemons belonging to TotalAV—an antivirus vendor and competitor to Malwarebytes.

There’s a lot in the report that doesn’t quite add up when examined.

Patrick Wardle:

Well that’s a wrap! Thanks for joining our “journey” as we wandered through the macOS malware of 2019.

Looking forward, maybe we’ll see a drop in malware affecting the latest version of macOS (Catalina), due to its stringent notarization requirements …though word on the street is it’s already bypassed[…]

John Gruber (tweet):

Dan Goodin had a piece at Ars Technica last month about the scourge of fake Adobe Flash installers — which work because unsophisticated Mac users had been truthfully told they needed to upgrade their version of Flash for a decade. It’s a real problem — but third-party antivirus software is not the answer.

See also: Accidental Tech Podcast.

Update (2020-02-28): Thomas Reed (tweet):

However, adware and PUPs can actually be far more invasive and dangerous on the Mac than “real” malware. They can intercept and decrypt all network traffic, create hidden users with static passwords, make insecure changes to system settings, and generally dig their roots deep into the system so that it is incredibly challenging to eradicate completely.

To demonstrate our meaning, what follows is a detailed analysis of what may be the most sophisticated threat on macOS—called Crossrider—a threat that is “just adware.”

Be careful when entering your admin password, and run Little Snitch.

Update (2020-03-06): Howard Oakley:

One very good reason for a user choosing to pay for third-party protection is the lack of information provided about what Apple’s tools do. When it comes to security, bland assurances of protection are now worthless to those Mac users who take security seriously. We’re long past the day when a verbal pat on the back is sufficient. Who should you trust more: the third-party vendor whose articles explain which PUPs and malware their product detects and removes, or Apple’s generic statements about detecting “known malware”? And what does macOS do about PUPs?

Equally, third-party vendors of security products do try to scare users into becoming customers. I don’t know of an industry sector which doesn’t, to some extent, oversell its products.

BlueMail Back in Mac App Store

Joe Rossignol:

Last week, after months of making little to no progress with Apple towards having its Mac app reinstated, BlueMail co-founders Ben Volach and Dan Volach penned an open letter to the developer community that encouraged any developers who feel that Apple has kicked them out of the App Store or otherwise treated them unfairly to reach out to them and share their stories.

Just days later, the BlueMail app has returned to the Mac App Store. In a press release, BlueMail parent company Blix said it has no intention of dropping its legal case against Apple, which it believes extends beyond the removal of BlueMail on the Mac App Store to the “suppression of its iOS app and the infringement of Blix’s patented technology through ‘Sign in with Apple.’”

Joe Rossignol:

In a statement last week, shared with MacRumors, Apple said it “attempted on multiple occasions to assist them in getting their BlueMail app back on the Mac App Store,” but said “they have refused our help.” Apple added that BlueMail was “proposing to override basic data security protections which can expose users’ computers to malware that can harm their Macs and threaten their privacy.”


Specifically, Apple says its Developer Technical Support team advised the BlueMail team to make changes to how it packages its Mac app in order to resolve a security and privacy warnings issue related to the app creating a new binary with a bundle ID that changes on each launch.

Of course, it’s perfectly normal for an e-mail client to run up against section 3.3.2. So, if I understand this correctly, they made a sketchy app and refused to fix the obvious problem because they wanted to do a PR stunt?