Thursday, February 13, 2020 [Tweets] [Favorites]

2020 State of Mac Malware

Malwarebytes Labs:

Mac threats increased exponentially in comparison to those against Windows PCs. While overall volume of Mac threats increased year-over-year by more than 400 percent, that number is somewhat impacted by a larger Malwarebytes for Mac userbase in 2019. However, when calculated in threats per endpoint, Macs still outpaced Windows by nearly 2:1.

Emphasis added. This sounds really bad at first, like the number of Mac threats is growing in proportion to the (larger) number of Windows threats. But I guess they are just using the non-technical meaning of “exponential,” so the whole thing boils down to “more than.”

The full PDF report:

Of all the threats seen this year, only one incident involved anything other than tricking the user into downloading and opening something they shouldn’t. That is the incident in which Coinbase, and several other cryptocurrency companies, were targeted with malware that infected systems through a Firefox zero-day vulnerability. Affected systems were infected with the older Wirenet and Mokes malware. This was the first time such a vulnerability had been used to infect Macs in any significant way since 2012, when Java vulnerabilities were used repeatedly to infect Macs (until Apple ripped Java out of the system, ending the threats). Beyond that what we saw was a virtual landslide of adware and PUP detections, far outpacing growth on the Windows side. While these threats are not considered as dangerous as traditional malware[…]


We define “traditional malware” as malicious software such as backdoors, Trojans, and spyware.


Among the top 10 Mac threats (for both consumers and businesses) are a mix of PUPs and adware. The PUPs are a variety of mostly “cleaning” apps that have been determined as unwanted[…]

So the words “threat” and “malware” also have unexpected definitions that include potentially unwanted apps and adware.

Sara Morrison:

The amount of malware on Macs is outpacing PCs for the first time ever, and your complacency could be your worst enemy.

“People need to understand that they’re not safe just because they’re using a Mac,” Thomas Reed, Malwarebytes’ director of Mac and mobile and contributor to the report, told Recode.


“There is a rising tide of Mac threats hitting a population that still believes that ‘Macs don’t get viruses,’” Reed said. “I still frequently encounter people who firmly believe this, and who believe that using any kind of security software is not necessary, or even harmful. This makes macOS a fertile ground for the influx of new threats, whereas it’s common knowledge that Windows PCs need security software.”

This sounds unnecessarily alarmist compared with the contents of the report, and I remain convinced that for most users Apple’s built-in security measure are sufficient. I’ve seen far more Mac problems caused by anti-virus software than actual viruses.

Ben Lovejoy:

Third, and most crucially of all, Mac malware is not a virus. These are not apps that can spread from machine to machine, installing themselves. macOS doesn’t allow unsigned apps to be installed without user permission.


Update (2020-02-14): Apple:

Apple is committed to providing great experiences that respect customer privacy and security. When joining the Apple Developer Program and accepting the Program License Agreement, developers agree to ensure that their software is safe and secure for their users. They also agree to cooperate with Apple systems, such as the notary service, designed to help protect users from malware (e.g., viruses, trojan horses, backdoors, ransomware, spyware) or malicious, suspicious, or harmful code or components when distributing Developer ID–signed Mac software outside the Mac App Store. The examples below are provided to help clarify some of the behavior that is not permitted for Mac software distributed in this way.

Via Jason Snell:

It seems that many of the items in Malwarebytes’ report have gotten the hammer from Apple and are no longer actively circulating. The report’s long list of Mac software is an alert that the Mac is now a much more enticing target for makers of adware and other scam software. It certainly can’t be a coincidence that Apple is stepping up enforcement of its policies at the same time that the number of these sleazy apps is increasing.


It’s valid to wonder if the Mac’s reputation for being a safe harbor leads some Mac users to make bad security choices. But “Macs don’t get viruses” is a statement that is still overwhelmingly true. Even if it makes it awfully hard to sell Mac anti-malware software.

Update (2020-02-17): Nick Heer:

So the chance of experiencing malware — not adware or what Malwarebytes calls “potentially unwanted programs”, but malware — on a Mac actually fell in 2019, according to this report.

Michael Nordmeyer:

Cleanfox and are still being featured on the iOS app store in a “Declutter Your Digital Life” story

Thomas Reed:

“Macs don’t get viruses” is a statement that is still overwhelmingly true.

I see so many people getting infected because they believe this...

Also, keep in mind that adware and PUPs are not harmless. They engage in scams, intercept network traffic, exfiltrate sensitive user data (like browser history), and open all kinds of security holes that could be taken advantage of by more malicious software.

Jason Snell:

As I wrote, “It’s valid to wonder if the Mac’s reputation for being a safe harbor leads some Mac users to make bad security choices.”

That said, I do think you and your employer are stoking fear and that Malwarebytes benefits from that fear. I’m not surprised you take exception.

Apple has multiple methods of stopping bad actors and has stepped up its game in recent months. This third party stuff is almost worthless unless you are making some very bad decisions


Really, the landscape hasn’t changed that much, most of what Apple is doing now is either for snake oil or control (“Notarization”, ugh). It’s still just mostly PUPs and AdWare unless you go looking for threats (hello users who want an illegal copy of Photoshop).

You can’t apply Windows security models to Mac, but evidently Tim Cook just needed to poach from MCSEs from REDACTED instead of security analysts who understand Linux/UNIX threat models and how to corral enduser “creativity.”

Bah nm I’m staying retired (use BlockBlock, Little Snitch, GasMask + strong hostfile & optionally AdGuard no bah retired)

“I remain convinced that for most users Apple’s built-in security measure are sufficient” - I'm not sure I entirely agree with that. On several occasions I have had to run Malwarebytes on my parents computer and friend‘s computers to remove a bunch of random adware extensions that have gotten in to their web browsers.

I think more accurately would be, “for most proficient users Apple’s built-in security measure are sufficient”. But for less experienced users (kids, non-technical people, casual users, etc), getting infected with some sort of adware browser extensions is not all that uncommon.

Thankfully running the free version of Malwarebytes periodically seems to be all that is required, and no real harm has been done to these people, but it is certainly a very small step from an adware browser extension to stealing your online banking passwords.

Sören Nils Kuklau

> You can’t apply Windows security models to Mac

I fail to see why not.

The differences between NT and Unix are overblown. They do exist, and lead to some respective quirks (for instance, it's non-trivial in Windows to elevate a process without starting a whole new context, whereas sudo is a rather simple design in Unix), but both have some convergent evolution to many of the same principles (such as having ACLs).

[…] all, isn’t malware for Mac on the rise? Well, it is. But we need to remember one important thing here: All software viruses are malware, […]

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment