Thursday, February 18, 2021

2021 State of Mac Malware

Malwarebytes Labs (MacRumors):

Overall Mac detections decreased by 38%, though Mac detections for businesses increased 31%

Malware accounted for just 1.5% of all Mac detections in 2020—the rest can be attributed to Potentially Unwanted Programs (PUPs) and Adware

ThiefQuest tricked many researchers into believing it was the first example of ransomware on macOS since 2017, but the malware was hiding its real activity of massive data exfiltration. It accounted for more than 20,000 detections in 2020

The full PDF report:

All that changed with macOS 10.15 (Catalina). We’ve entered a world in which no software in the entire industry can remove all components of these PUPs, because they’ve come under the protection of Apple.

Apple’s days of sitting on the fence are now over. With the protection involved in the system extension entitlement, there is no longer any middle ground. At the time of writing, Apple is implicitly siding with the PUPs, providing them protection against removal.


Notarization involves submitting apps to Apple. […] Adware developers responded in divergent ways. Some simply stopped signing their Adware, providing the user with instructions on how to bypass macOS security to run the unsigned installer. This means that they don’t have to bother with notarization, but they also don’t have to worry about Apple revoking their code signing certificate.

However, other Adware developers went the other way, and actually managed to get their malware notarized! In a number of cases, it appears to have passed the notarization checks without significant modification.


9 Comments RSS · Twitter

It's reports like these that make me so angry at Apple for shoehorning in all of these pointless, onerous, and buggy security features into macOS. They don't even solve the problem they were purportedly meant to solve! What was the point with all of us struggling with their notarization requirement if it doesn't even stop malware?

@Bri "What was the point with all of us struggling with their notarization requirement if it doesn't even stop malware?"

- Since you usually end up paying $99/year to distribute your Mac application with notarization, it's good for Apple.

- Since you have to submit your app to Apple, this gives even more control to Apple.Which is also good for Apple.

@Bri: It's called defense-in-depth. It's the same reason your toaster has a grounded plug, and your car has seatbelts. We put up with minor inconveniences in order to make disasters much less likely. If we only pursued improvements which were 100% effective in all circumstances, we'd still be sitting in caves debating the wheel.

The fact that notarization has been abused, and has bugs (so that it did not demonstrate the desired cost/benefit ratio), does not make it pointless to try. Can you propose a solution to malware which is guaranteed to work?

Clearly the spectrum of opinion ranges from "defense in depth" to "security theatre with benefits to Apple".

We put up with seat belts and grounding because they prevent us from dying (which is the worst case scenario). But we wouldn't if they just prevented us from low impact risks such as sneezing.

It rarely makes sense to buy an insurance that only covers the first $1000 dollars of your medical expenses: you're paying a lot, and losing other opportunities, for a low impact risk. It usually does makes sense to buy an insurance that provides catastrophic coverage for expenses over $1000: you're losing money which you could use for other things, but your life isn't destroyed by the high impact risk.

Notarization protects us against low impact risks: it won't defeat determined opponents, but it will harm honest brokers for whom notarization is an imposition. And it comes at a cost. Therefore I'm in the category that considers it to be security theatre.

Good solutions against catastrophic failure? Little Snitch, and other code that verifies the integrity of your system. Write-only undeletable backups. Not downloading random applications from the internet that you haven't researched. Using, but not reusing high entropy passwords. Using a few well researched extensions to cut out advertising (because advertising code runs in your browser, is not vetted by the advertising broker, and can be bought by criminals). Paying attention to the CPU loading on your computer, and noticing any new process. Being judicious as to what you allow to auto-upgrade. Etc.

"And it comes at a cost."

There's a significant cost for developers, but for users it's essentially transparent. Apple has always been willing to make developers work harder for the benefit of users. That's not new, and it's not specific to security.

"Not downloading random applications from the internet that you haven't researched."

Please, tell me what kind of "research" I should do to tell me if an application might cause catastrophic failure. I've been programming for decades and I couldn't tell you.

While it might be transparent, it's not cost free. In fact that transparency is insidious since users don't even realize the trade-off: it is not for nothing that more software is corporate VC funded, steals data, and is of the bland generic please-everyone variety that lacks any weirdness which could delight subsections of the audience. Apps that are inconvenient to the powers that be are rare and far between. Do you really think Apple would be happy to notarize Napster? Even after the RIAA asks them to stop? DivX? DeCSS? Emulators running older software which sometimes raise copyright questions? Tibetan software after China asks for its removal? Ahmadi religious software after Pakistan asks for its removal? What about software like WPS Office which the US government has banned? We'll see. But I'm pessimistic and think users will come to regret this power grab.

It seems pretty obvious to me who is a fly by night operator and who isn't. Michael, our host, has been providing tools for over a decade. It's pretty unlikely he'll turn vicious. There are others like him. In the days of Kagi, I never got burned. Of course I didn't tend to use software from brand new developers without a track record, and I checked out what the software's reputation was once it had existed for some time. Search engines, etc were my friends. And of course, I avoided pirated software since that's a very convenient malware vector.

Since you bring up programming, "Programming for decades" doesn't convey much relevant information in this case. Few Javascript jockeys can reverse engineer software or understand C/C++ properly. Other backgrounds will be more useful.

Programmers with the relevant skills can rely more on open source tools whose source code can be checked / have an open development flow / etc. Not upgrading compulsively isn't a bad idea -- each time you upgrade, that's a whole load more code to check. Tools such as lldb / dtrace / lsof and reverse engineering software are also useful. (Objective-C was nice because it was so easy to reverse-engineer). Personally, I discard any tool that engages in dubious behavior such as installing itself to launch at boot or puting stuff where it's not supposed to be. Things that try to access the internet and don't need to also get deleted. Little Snitch is my friend. And I avoid stuff that requires large runtimes (like Java).

But, ultimately, as I've pointed out before, there are no guarantees. I'm pretty paranoid. But any program could cause catastrophic failure, and the App Store won't make an iota of difference against a determined opponent. Zero days buried deeply in a spreadsheet application won't be found... nor will code running as Word macros. But my main worry is actually my web browser: a giant attack surface that is constantly modified and that needs access to the internet. Not a good combination.

Had Apple succeeded in banning Epic from developing the Unreal Engine, and they tried, many iOS / Mac games would have disappeared or not been made. Most users wouldn't have noticed, but they would have had fewer choices.

@Ted "Apple has always been willing to make developers work harder for the benefit of users."

That's funny because it's very difficult to find the benefit for users when you are asked to check the Mac of a "user" and you find dozen of adware and PUP running on it even though GateKeeper is enabled and the XProtect file being is up to date.

@someone: Can confirm: my old man’s MacBook Air caught an adware infection back in 2019, I suspect from a “PDF form viewer” app downloaded from the web. I advised installing commercial antivirus (which he did) to remove that infection and hopefully prevent any more, and maybe downloading apps from AppStore rather than the open web. Neither of which is a guarantee of safety and security either, alas. And he’s a retired EE quick to recognize phishing and other scams, so not a total idiot.

Malware is Big Organized Crime nowadays. Global, professional, and often highly skilled. (And that’s not even including state-level actors.) Whatever Apple’s doing, it has yet to deliver on all its promises. And OUG’s advice of “trust longtime independent Mac software vendors like Michael”, while delightfully retro and pleasingly loyal, is so laughably unrealistic at any modern scale as to require no further response. Those halycon days of the 1990s—when Apple was a boutique platform where everyone knew everyone else, and being a Mac Fan made you Special—are as ancient history as the Jurassic; dead and gone and never coming back.

(In fact, there’s way more chance of the dinosaurs returning than the 1990s’ software distribution model, a notion even more painfully ridiculous than Sir Dickie’s Scots.)

Leave a Comment