Mac Malware Notebook

Mac malware to watch out for

[Image: Ransomware on an iMac] Ransomware is just one of the many malware threats targeting your Mac. Tumisu / CC0 Creative Commons

Apple and the Mac have had their share of security concerns over the years, but for the most part, there has not been much in the way of widespread attacks. Naturally, that leaves some Mac users wondering if they need an antivirus app.

But hoping that the Mac's reputation is enough to hold back an onslaught of malware coders is not very realistic, and in recent years the Mac has seen an uptick in malware targeting its users. Regardless of the reason, Mac malware seems to be on the rise, and our list of Mac malware can help you keep on top of the growing threat.

If you find yourself needing a Mac antivirus app to detect and remove any of these threats, take a look at our guide to the Best Mac Antivirus Programs.

FruitFly - Spyware

What It Is
FruitFly is a variant of malware called spyware.

What it Does
FruitFly and its variants are spyware designed to operate quietly in the background and capture images of the user using the Mac's built-in camera, capture images of the screen, and log keystrokes.

Current Status
FruitFly has been blocked by updates to the Mac OS. If you're running OS X El Capitan or later, FruitFly should not be an issue.

Infection rates appear to be very low, perhaps as low as 400 users. It also looks like the original infection was targeted at users in the biomedical industry, which may explain the unusually low penetration of the original version of FruitFly.

Is it Still Active?
If you do have FruitFly installed on your Mac, most Mac antivirus apps are able to detect and remove the spyware.

How it Gets On Your Mac

FruitFly was originally installed by tricking a user into clicking on a link that started the install process.

Mac Sweeper - Scareware

What It Is
MacSweeper may be the first Mac scareware app.

What it Does
MacSweeper pretends to search your Mac for problems, and then tries to exact payment from the user to "fix" the issues.

While MacSweeper's days as a rogue cleaning app were limited, it did spawn quite a few similar scareware- and adware-based apps that offer to clean your Mac and improve its performance, or examine your Mac for security holes and then offer to fix them for a fee.

Current Status
MacSweeper has not been active since 2009, though modern variants appear and disappear often.

Is it Still Active?
The most recent app that has used similar tactics is MacKeeper, which also has a reputation for embedded adware and scareware. MacKeeper was also considered difficult to remove.

How it Gets on Your Mac
MacSweeper was originally available as a free download so users could try out the app. The malware was also distributed with other applications, hidden within their installers.

KeRanger - Ransomware

What It Is
KeRanger was the first piece of ransomware seen in the wild infecting Macs.

What it Does
In early 2015 a Brazilian security researcher published a proof-of-concept bit of code called Mabouia that targeted Macs by encrypting user files and demanding a ransom for the decryption key.

Not long after the Mabouia experiments in the lab, a version known as KeRanger emerged in the wild. First detected in March of 2016 by Palo Alto Networks, KeRanger spread by being inserted into the installer app of Transmission, a popular BitTorrent client. Once KeRanger was installed, the app set up a communication channel with a remote server. At some future point, the remote server would send an encryption key to be used to encrypt all of the user's files. Once the files were encrypted, the KeRanger app would demand payment for the decryption key needed to unlock your files.

Current Status
The original method of infection using the Transmission app and its installer has been cleaned of the offending code.

Is it Still Active?
KeRanger and any variants are still considered active, and it is expected that new app developers will be targeted as vehicles for distributing the ransomware.

You can find more details about KeRanger and how to remove the ransomware app in the guide: KeRanger: The First Mac Ransomware in the Wild Discovered.

How it Gets on Your Mac
Indirect Trojan may be the best way to describe the means of distribution. In all cases so far, KeRanger has been added surreptitiously to legitimate apps by hacking the developer's website.

APT28 (Xagent) - Spyware

What It Is
APT28 may not be a well-known piece of malware, but the group involved in its creation and distribution certainly is: Sofacy Group, also known as Fancy Bear. This group, with affiliation to the Russian government, was believed to be behind cyberattacks on the German parliament, French television stations, and the White House.

What it Does
APT28, once installed on a device, creates a backdoor using a module called Xagent to connect to the Komplex Downloader, a remote server that can install various spy modules designed for the host operating system.

Mac-based spy modules so far seen include keyloggers to grab any text you enter from the keyboard, screen grabbing to allow attackers to see what you are doing on the screen, as well as file grabbers that can surreptitiously send copies of files to the remote server.

APT28 and Xagent are designed primarily to mine the data found on the target Mac and any iOS device associated with the Mac and deliver the information back to the attacker.

Current Status
The current version of Xagent and APT28 is considered no longer a threat because the remote server is no longer active and Apple updated its built-in XProtect antimalware system to screen for Xagent.

Is it Still Active?
Inactive - The original Xagent appears to no longer be functional since the command and control servers went offline. But that's not the end of APT28 and Xagent. It appears the source code for the malware has been sold, and new versions known as Proton and ProtonRAT have started making the rounds.

Infection Method
Unknown, though the likelihood is that it is a Trojan offered via social engineering.

OSX.Proton - Spyware

What It Is
OSX.Proton is not a new bit of spyware, but for some Mac users things turned ugly in May, when the popular Handbrake app was hacked and the Proton malware was inserted into it. In mid-October, the Proton spyware was found hidden within popular Mac apps produced by Eltima Software, specifically Elmedia Player and Folx.

What it Does
Proton is a remote control backdoor that provides the attacker root-level access, allowing the complete takeover of your Mac system. The attacker can gather passwords and VPN keys, install apps such as keyloggers, make use of your iCloud account, and much more.

Most Mac antivirus apps are able to detect and remove Proton.

If you keep any credit card information within your Mac's keychain, or in third-party password managers, you should consider contacting the issuing banks and asking for a freeze on those accounts.

Current Status
The app distributors who were the targets of the initial hack have since cleared the Proton spyware from their products.

Is it Still Active?
Proton is still considered active, and the attackers will likely reappear with a new version and a new distribution source.

Infection Method
Indirect Trojan - Using a third-party distributor, which is unaware of the presence of the malware.

KRACK - Spyware Proof-of-Concept

What It Is
KRACK is a proof-of-concept attack on the WPA2 Wi-Fi security system used by most wireless networks. WPA2 uses a 4-way handshake to establish an encrypted communication channel between the user and the wireless access point.

What it Does
KRACK, which is actually a series of attacks against the 4-way handshake, allows the attacker to gain enough information to decrypt the data streams or insert new information into the communications.

The KRACK weakness in Wi-Fi communications is widespread, affecting any Wi-Fi device that uses WPA2 to establish secure communications.

Current Status
Apple, Microsoft, and others have either already delivered updates to defeat the KRACK attacks or are planning on doing so soon. For Mac users, the security update has already appeared in the betas of macOS, iOS, watchOS, and tvOS, and the updates should be rolled out to the public soon in the next minor OS updates.

Of greater concern are all of the IoT (Internet of Things) devices that use Wi-Fi for communications, including home thermometers, garage door openers, home security systems, medical devices, and so on. Many of these devices are going to need updates to make them secure.

Be sure to update your devices as soon as a security update becomes available.

Is it Still Active?
KRACK will remain active for a long time: until every Wi-Fi device that uses the WPA2 security system is either updated to prevent the KRACK attack or, more likely, retired and replaced with new Wi-Fi devices.

Infection Method
Indirect Trojan - Using a third-party distributor, which is unaware of the presence of the malware.
