Thursday, February 13, 2020

2020 State of Mac Malware

Malwarebytes Labs:

Mac threats increased exponentially in comparison to those against Windows PCs. While overall volume of Mac threats increased year-over-year by more than 400 percent, that number is somewhat impacted by a larger Malwarebytes for Mac userbase in 2019. However, when calculated in threats per endpoint, Macs still outpaced Windows by nearly 2:1.

Emphasis added. This sounds really bad at first, like the number of Mac threats is growing in proportion to the (larger) number of Windows threats. But I guess they are just using the non-technical meaning of “exponential,” so the whole thing boils down to “more than.”

The full PDF report:

Of all the threats seen this year, only one incident involved anything other than tricking the user into downloading and opening something they shouldn’t. That is the incident in which Coinbase, and several other cryptocurrency companies, were targeted with malware that infected systems through a Firefox zero-day vulnerability. Affected systems were infected with the older Wirenet and Mokes malware. This was the first time such a vulnerability had been used to infect Macs in any significant way since 2012, when Java vulnerabilities were used repeatedly to infect Macs (until Apple ripped Java out of the system, ending the threats). Beyond that what we saw was a virtual landslide of adware and PUP detections, far outpacing growth on the Windows side. While these threats are not considered as dangerous as traditional malware[…]

[…]

We define “traditional malware” as malicious software such as backdoors, Trojans, and spyware.

[…]

Among the top 10 Mac threats (for both consumers and businesses) are a mix of PUPs and adware. The PUPs are a variety of mostly “cleaning” apps that have been determined as unwanted[…]

So the words “threat” and “malware” also have unexpected definitions that include potentially unwanted apps and adware.

Sara Morrison:

The amount of malware on Macs is outpacing PCs for the first time ever, and your complacency could be your worst enemy.

“People need to understand that they’re not safe just because they’re using a Mac,” Thomas Reed, Malwarebytes’ director of Mac and mobile and contributor to the report, told Recode.

[…]

“There is a rising tide of Mac threats hitting a population that still believes that ‘Macs don’t get viruses,’” Reed said. “I still frequently encounter people who firmly believe this, and who believe that using any kind of security software is not necessary, or even harmful. This makes macOS a fertile ground for the influx of new threats, whereas it’s common knowledge that Windows PCs need security software.”

This sounds unnecessarily alarmist compared with the contents of the report, and I remain convinced that for most users Apple’s built-in security measures are sufficient. I’ve seen far more Mac problems caused by anti-virus software than actual viruses.

Ben Lovejoy:

Third, and most crucially of all, Mac malware is not a virus. These are not apps that can spread from machine to machine, installing themselves. macOS doesn’t allow unsigned apps to be installed without user permission.

Previously:

Update (2020-02-14): Apple:

Apple is committed to providing great experiences that respect customer privacy and security. When joining the Apple Developer Program and accepting the Program License Agreement, developers agree to ensure that their software is safe and secure for their users. They also agree to cooperate with Apple systems, such as the notary service, designed to help protect users from malware (e.g., viruses, trojan horses, backdoors, ransomware, spyware) or malicious, suspicious, or harmful code or components when distributing Developer ID–signed Mac software outside the Mac App Store. The examples below are provided to help clarify some of the behavior that is not permitted for Mac software distributed in this way.

Via Jason Snell:

It seems that many of the items in Malwarebytes’ report have gotten the hammer from Apple and are no longer actively circulating. The report’s long list of Mac software is an alert that the Mac is now a much more enticing target for makers of adware and other scam software. It certainly can’t be a coincidence that Apple is stepping up enforcement of its policies at the same time that the number of these sleazy apps is increasing.

[…]

It’s valid to wonder if the Mac’s reputation for being a safe harbor leads some Mac users to make bad security choices. But “Macs don’t get viruses” is a statement that is still overwhelmingly true. Even if it makes it awfully hard to sell Mac anti-malware software.

Update (2020-02-17): Nick Heer:

So the chance of experiencing malware — not adware or what Malwarebytes calls “potentially unwanted programs”, but malware — on a Mac actually fell in 2019, according to this report.

Michael Nordmeyer:

Cleanfox and Unroll.me are still being featured on the iOS App Store in a “Declutter Your Digital Life” story.

Thomas Reed:

“Macs don’t get viruses” is a statement that is still overwhelmingly true.

I see so many people getting infected because they believe this...

Also, keep in mind that adware and PUPs are not harmless. They engage in scams, intercept network traffic, exfiltrate sensitive user data (like browser history), and open all kinds of security holes that could be taken advantage of by more malicious software.

Jason Snell:

As I wrote, “It’s valid to wonder if the Mac’s reputation for being a safe harbor leads some Mac users to make bad security choices.”

That said, I do think you and your employer are stoking fear and that Malwarebytes benefits from that fear. I’m not surprised you take exception.

Apple has multiple methods of stopping bad actors and has stepped up its game in recent months. This third-party stuff is almost worthless unless you are making some very bad decisions.

Update (2020-02-22): Matt Deatherage:

“Corresponding” in this context means “we saw five times as many things we considered threats in 2019, but we also had five times as many copies of our software running.” Similarly, there is no real way for readers to know if detecting more malware per “endpoint” (a single computer running Malwarebytes for Mac) means that there was more malware out there, or if Malwarebytes just got better at detecting it.

Or maybe it just aggressively blocked more programs. Installing antivirus software means substituting the vendor’s judgment for your own. For example, Malwarebytes says the fourth-most detected item on Macs was the “potentially unwanted program,” or PUP, called “JDI.” That’s the name the company gives to a few launch daemons belonging to TotalAV—an antivirus vendor and competitor to Malwarebytes.

There’s a lot in the report that doesn’t quite add up when examined.

Patrick Wardle:

Well that’s a wrap! Thanks for joining our “journey” as we wandered through the macOS malware of 2019.

Looking forward, maybe we’ll see a drop in malware affecting the latest version of macOS (Catalina), due to its stringent notarization requirements …though word on the street is it’s already bypassed[…]

John Gruber (tweet):

Dan Goodin had a piece at Ars Technica last month about the scourge of fake Adobe Flash installers — which work because unsophisticated Mac users had been truthfully told they needed to upgrade their version of Flash for a decade. It’s a real problem — but third-party antivirus software is not the answer.

See also: Accidental Tech Podcast.

Update (2020-02-28): Thomas Reed (tweet):

However, adware and PUPs can actually be far more invasive and dangerous on the Mac than “real” malware. They can intercept and decrypt all network traffic, create hidden users with static passwords, make insecure changes to system settings, and generally dig their roots deep into the system so that it is incredibly challenging to eradicate completely.

To demonstrate our meaning, what follows is a detailed analysis of what may be the most sophisticated threat on macOS—called Crossrider—a threat that is “just adware.”

Be careful when entering your admin password, and run Little Snitch.

Update (2020-03-06): Howard Oakley:

One very good reason for a user choosing to pay for third-party protection is the lack of information provided about what Apple’s tools do. When it comes to security, bland assurances of protection are now worthless to those Mac users who take security seriously. We’re long past the day when a verbal pat on the back is sufficient. Who should you trust more: the third-party vendor whose articles explain which PUPs and malware their product detects and removes, or Apple’s generic statements about detecting “known malware”? And what does macOS do about PUPs?

Equally, third-party vendors of security products do try to scare users into becoming customers. I don’t know of an industry sector which doesn’t, to some extent, oversell its products.

7 Comments

Really, the landscape hasn’t changed that much, most of what Apple is doing now is either for snake oil or control (“Notarization”, ugh). It’s still just mostly PUPs and AdWare unless you go looking for threats (hello users who want an illegal copy of Photoshop).

You can’t apply Windows security models to Mac, but evidently Tim Cook just needed to poach from MCSEs from REDACTED instead of security analysts who understand Linux/UNIX threat models and how to corral enduser “creativity.”

Bah nm I’m staying retired (use BlockBlock, Little Snitch, GasMask + strong hostfile & optionally AdGuard no bah retired)

“I remain convinced that for most users Apple’s built-in security measures are sufficient” - I’m not sure I entirely agree with that. On several occasions I have had to run Malwarebytes on my parents’ computer and friends’ computers to remove a bunch of random adware extensions that have gotten into their web browsers.

I think a more accurate statement would be, “for most proficient users Apple’s built-in security measures are sufficient”. But for less experienced users (kids, non-technical people, casual users, etc.), getting infected with some sort of adware browser extension is not all that uncommon.

Thankfully running the free version of Malwarebytes periodically seems to be all that is required, and no real harm has been done to these people, but it is certainly a very small step from an adware browser extension to stealing your online banking passwords.

Sören Nils Kuklau

> You can’t apply Windows security models to Mac

I fail to see why not.

The differences between NT and Unix are overblown. They do exist, and lead to some respective quirks (for instance, it's non-trivial in Windows to elevate a process without starting a whole new context, whereas sudo is a rather simple design in Unix), but both have some convergent evolution to many of the same principles (such as having ACLs).

[…] all, isn’t malware for Mac on the rise? Well, it is. But we need to remember one important thing here: All software viruses are malware, […]

There is no such thing as a “non-technical meaning” of “exponential”. A person who uses that word to only mean “more than” is simply using it wrong. Being misleading. Telling a lie.

João Carlos de Pinho

Some things are so fishy in this report...

According to the PDF, the overall detections on Windows machines in 2019 were 50.5 million (including adware, trojans, backdoors, spyware, worms, etc.). On the Mac platform, the top 2 threats alone (NewTab and PCVARK) had more than 50 million detections in 2019. The other Mac threats added 30 million detections to this total. So, the overall detections on Windows are 50.5 million; on the Mac side, 80 million. Does this sound believable, when we know that Macs represent only 10% of the computer market share?

The report also states that the average number of threats detected on a Mac was 11; on a Windows machine, 5.8.

Do the math:

Dividing 80 million Mac detections by 11, we conclude that their antivirus is installed in AT LEAST 7.3 million Macs. Is this plausible, considering that the worldwide Mac base is around 100 million units?
