List of viruses and security flaws on MacOS

Apple provides several features that help users protect their systems and personal data from malicious applications and malware.

For example, in macOS, users can choose under System Preferences > Security & Privacy which sources software may be installed from, so that installers from elsewhere are blocked.

In addition, Apple ships a built-in anti-malware tool, XProtect, which carries a set of malware definitions. Whenever a user downloads an application, XProtect checks it against those definitions.

Despite that, a long list of Mac malware exists in the wild. This article covers a few of them.

Silver Sparrow

The security firm Red Canary discovered this malware targeting Macs equipped with the M1 processor. The malware, dubbed Silver Sparrow, has already infected 29,139 Macs. The targets are spread over 153 countries, including the US, UK, Canada, France and Germany. It is not yet known how much of a threat the malware poses, or whether all of the infected machines are M1 Macs.

Pirrit/GoSearch22

This is an adware application. It also targets M1 Macs and is compiled natively for Apple's ARM platform. Like other adware, it delivers intrusive advertisements.

FakeFileOpener

This app is promoted as a system optimizer. In reality it is a potentially unwanted application that shows pop-ups telling users they need certain software to open an app and offers to search the web for it. In other cases, users receive fake system infection messages, and the software pushes them to download further unwanted apps to fix the non-existent issues.

ThiefQuest (aka EvilQuest)

The malware spreads via pirated software found on a Russian torrent forum. When it was first observed in 2017, it was thought to be ransomware. However, it does not behave like typical ransomware: it encrypts files but gives users no workable way to pay the ransom and decrypt their files. Rather than extorting a ransom, the malware is after the users' data.

LoudMiner

LoudMiner, aka Bird Miner, is a cryptocurrency miner that uses the Mac's processing power to generate revenue for its operators. It was first observed in 2019. A cracked installer of Ableton Live is used to distribute it.

SearchAwesome

This is adware for macOS, observed in the wild in 2019, that bothers users with intrusive advertisements by intercepting their web traffic, including encrypted traffic.

FakeAV

This is a generic name for malicious software that poses as an antivirus application for macOS.

GravityRAT

GravityRAT, as the suffix shows, is a remote access Trojan. Security researchers at Kaspersky reported that the malware can affect Mac devices too. The RAT can upload Office files, take automatic screenshots and record keystrokes. It infiltrates systems using stolen developer certificates and is distributed as multiple copies of various legitimate programs built with .NET, Python and Electron.

XCSSET malware

This malware is distributed through Xcode projects posted on GitHub. It is actually a worm that exploits vulnerabilities in WebKit and Data Vault. It aims to collect login details for Apple, Google, PayPal and Yandex services via the Safari browser. It can also collect information and messages sent through Skype, Telegram, QQ and WeChat.

OSX/Shlayer

According to Intego, a new variant of the OSX/Shlayer malware was found in February 2018 being distributed through a fake Flash Player installer. During installation, the installer drops a copy of Advanced Mac Cleaner, which claims that the user's device is infected and that they need the software to fix it.

If you receive such a message, which often claims that Adobe Flash Player needs to be updated, do not trust it: it is a scam.

Intego also found a new variant of this Trojan circumventing macOS Catalina's security prompts by presenting an installation guide that walks users through every step needed to run it.

OSX/CrescentCore

This app is found on several websites posing as comic-book download sites, which can also appear in Google search results. CrescentCore is disguised as a DMG file containing a fake Flash Player installer. Before doing anything else, it checks whether it is running in a virtual machine and looks for antivirus tools. If the machine is unprotected, it installs a LaunchAgent, an app named Advanced Mac Cleaner and a Safari extension.

CrescentCore could bypass Apple's Gatekeeper because it was signed with a developer certificate issued by Apple. Apple eventually revoked that certificate. Until then, although Gatekeeper should have stopped it, it got through.
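CrescentCore's LaunchAgent is a persistence mechanism that a defender can audit directly, since every user-level agent is a plist in ~/Library/LaunchAgents. The following is an added example, not code from the original article or from Intego's report: it parses LaunchAgent plists with the standard-library plistlib and flags the properties worth a second look, such as an executable outside the usual system or application directories, a hidden directory in the path, RunAtLoad/KeepAlive, and a label that does not follow reverse-DNS naming. The two sample plists are constructed for the example and are not real malware artefacts; the trusted-prefix list is an assumption you should adapt to your own fleet.

```python
import plistlib
from pathlib import Path
from typing import Any, Dict, List, Optional

# Constructed sample plists for the example; neither is a real malware artefact.
SUSPICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/alice/Library/Application Support/.hidden/updater</string>
        <string>--silent</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
"""

BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.helper</string>
    <key>Program</key>
    <string>/Applications/Example.app/Contents/MacOS/helper</string>
</dict>
</plist>
"""

# Assumed locations where a LaunchAgent's executable would normally live.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def program_path(agent: Dict[str, Any]) -> Optional[str]:
    """Return the executable path from Program or ProgramArguments[0]."""
    if isinstance(agent.get("Program"), str):
        return agent["Program"]
    args = agent.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def audit_launch_agent(data: bytes) -> List[str]:
    """Parse one LaunchAgent plist and return findings worth a closer look."""
    agent = plistlib.loads(data)
    findings: List[str] = []
    path = program_path(agent)
    if path is None:
        findings.append("no Program or ProgramArguments key")
    else:
        if not path.startswith(TRUSTED_PREFIXES):
            findings.append(f"program outside trusted locations: {path}")
        if "/." in path:
            findings.append(f"program in a hidden directory: {path}")
    if agent.get("RunAtLoad"):
        findings.append("RunAtLoad: launched automatically at login")
    if agent.get("KeepAlive"):
        findings.append("KeepAlive: relaunched by launchd if it exits")
    label = agent.get("Label", "")
    if not isinstance(label, str) or label.count(".") < 2:
        findings.append(f"label does not use reverse-DNS form: {label!r}")
    return findings


def audit_directory(directory: Path) -> Dict[str, List[str]]:
    """Audit every *.plist in a LaunchAgents directory; unparsable files are reported too."""
    report: Dict[str, List[str]] = {}
    for plist_file in sorted(directory.glob("*.plist")):
        try:
            report[plist_file.name] = audit_launch_agent(plist_file.read_bytes())
        except Exception as exc:  # malformed or non-plist file
            report[plist_file.name] = [f"could not parse: {exc}"]
    return report


if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_AGENT), ("benign", BENIGN_AGENT)):
        print(name, audit_launch_agent(blob))
    user_agents = Path.home() / "Library" / "LaunchAgents"
    if user_agents.is_dir():
        for fname, findings in audit_directory(user_agents).items():
            print(fname, findings or ["nothing flagged"])
```

A finding is not proof of malware; legitimate agents also use RunAtLoad, and the point is to surface agents whose executable lives somewhere a user did not knowingly install software, as the fake installer described above does.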

OSX/Linker

It was spotted in 2019 being distributed through an exploit for a zero-day vulnerability in Gatekeeper. The vulnerability was disclosed on 24 May of that year by the same person who discovered the malware, after Apple had failed to fix it within 90 days.

OSX/NewTab

This malware adds tabs to the Safari web browser. It is digitally signed with a registered Apple Developer ID.

NetWire and Mokes

Intego describes these as backdoor malware: malware with the capability to record keystrokes and take screenshots.

CookieMiner

This cryptocurrency-mining malware was discovered at the end of January 2019. It is designed to steal users' passwords and login data for cryptocurrency wallets from Chrome, to obtain the authentication cookies associated with cryptocurrency exchanges, and to access iTunes backups. Unit 42, the research team that discovered the threat, advises users to clear their browser caches after using any financial accounts.

Mac Auto Fixer

It is a potentially unwanted program that often arrives bundled with other software. It shows pop-ups and various intrusive advertisements.

Mshelper

This is a cryptominer first spotted in the wild in 2018. Victims reported that their fans ran faster than ever before once the malware infiltrated their systems and that the machine ran hotter than usual, an indication that background processes were hogging resources.

MaMi

The malware was first reported by Hacker News. It reroutes online traffic to malicious servers and can intercept sensitive information. It is also capable of installing a new root certificate in order to intercept encrypted communications.

DoK

Check Point Software Technologies spotted this malware at the end of April 2017. It is a Trojan horse capable of bypassing Apple's protections and hijacking all traffic entering and leaving the Mac, including SSL/TLS-encrypted connections, without the user's permission. It reaches users through spam email campaigns. To keep such malware off your system, do not respond to emails that seem suspicious or irrelevant.

X-agent

The malware is capable of stealing passwords, taking screenshots and grabbing iPhone backups stored on the Mac. It targets the Ukrainian military and was thought to be the work of the APT28 cybercrime group.

MacDownloader

In 2017 security researchers warned that this malware was lurking in a fake Adobe Flash update. When the installer runs, users see an alert that adware is running on their Mac. If they click the Remove button and enter their password, the malware attempts to transmit the credentials to a remote server. To avoid such an attack, check Adobe's own site to see whether a Flash update has actually been released.

Fruitfly

The malware is capable of capturing screenshots and webcam images, as well as information about other devices connected to the network.

Pirrit

In April 2016 the malware was found hidden in cracked versions of Microsoft Office and Adobe Photoshop. According to Cybereason researcher Amit Serper, the malware could gain root privileges and create a new account in order to install additional software.

KeRanger

KeRanger is ransomware, that is, file-encrypting malware, and was first observed targeting Mac operating systems in March 2016. It was distributed along with a version of the Transmission torrent client.

Jin Chen and Claud Xiao from Palo Alto Networks explain how KeRanger works. In their words: “The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to be still under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their backup data.

“Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4. Apple has since revoked the abused certificate and updated XProtect antivirus signature, and Transmission Project has removed the malicious installers from its website. Palo Alto Networks has also updated URL filtering and Threat Prevention to stop KeRanger from impacting systems.”

Safari-get

In November 2016 Malwarebytes began documenting Mac-targeted denial-of-service attacks originating from tech-support scam websites. According to its findings, like other such attacks, this one depends on social engineering or user error, such as users clicking on a certain link, after which the malware is installed on the device. Depending on the macOS version, the attack takes one of two forms: either Mail is hijacked and forced to create a vast number of draft emails, or iTunes is forced to open repeatedly. The end goal is the same in both cases: to exhaust system memory and force a shutdown or freeze.

Take care of system vulnerabilities

Not every vulnerability becomes public, but it is exactly these vulnerabilities that criminals rely on to hijack Macs. Here are common cases in which the exploitation of a Mac vulnerability led to malware infection:

Meltdown & Spectre

In January 2018, Macs, iPhones and iPads were found to be affected by flaws in their processors. Apple highlighted that: “These issues apply to all modern processors and affect nearly all computing devices and operating systems.”

According to Apple, Spectre covers two techniques, “bounds check bypass” and “branch target injection”, which can make items in kernel memory available to user processes.

The company issued patches for the Meltdown flaw and advises users to download software only from official sources in order to protect themselves from these vulnerabilities.

Zoom Vulnerability

The vulnerability in the video-conferencing app was revealed in June. At that point people could be added to video calls without their permission, with the Mac webcam switched on automatically.

This zero-day vulnerability had been reported to Zoom in advance, but because the company failed to act within 90 days it was made public. Following the disclosure, both Zoom and Apple addressed the vulnerability.

Word macro viruses

Microsoft Office applications such as Excel and PowerPoint allow macro programs to be embedded in their documents, so that the macros run automatically when these documents are opened.

Mac versions were not affected from 2008, as Apple had removed macro support. The feature was reintroduced in 2011, and in February 2017 a piece of malware known as a Word macro virus was discovered.

This malware runs Python code that functions as a keylogger and screenshot taker. It can even access the webcam.
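Because macros execute as soon as such a document is opened, a defender wants to know whether a file carries a VBA project before anyone double-clicks it. The following is an added example, not code from the original article or from any vendor: it inspects an Office file offline, treating the presence of a vbaProject.bin part inside the OOXML zip as the authoritative signal and the macro-enabled content types declared in [Content_Types].xml as a secondary one, and it flags legacy OLE2 binaries (.doc/.xls/.ppt) as undetermined, since ruling out macros there requires parsing the OLE streams. The sample documents are constructed in memory for the example; the VBA part in them is dummy bytes, not real macro code.

```python
import io
import zipfile
from typing import Dict, List

# Magic bytes of the legacy OLE2 container used by .doc/.xls/.ppt files.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Content types OOXML uses to mark macro-enabled parts.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
    "application/vnd.ms-office.vbaProject",
)
WORD_MAIN_TYPE = ("application/vnd.openxmlformats-officedocument."
                  "wordprocessingml.document.main+xml")
WORD_MACRO_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"


def build_sample_document(with_macro: bool) -> bytes:
    """Constructed minimal Word OOXML package; the VBA part is dummy bytes, not real code."""
    buf = io.BytesIO()
    main_type = WORD_MACRO_TYPE if with_macro else WORD_MAIN_TYPE
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    if with_macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   f"{overrides}</Types>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 64)  # stand-in for a VBA project stream
    return buf.getvalue()


def inspect_office_file(data: bytes) -> Dict[str, object]:
    """Classify an Office file and report macro indicators without opening it in Office.

    has_macros is True/False for OOXML packages and None (undetermined) for OLE2 binaries.
    """
    indicators: List[str] = []
    if data.startswith(OLE_MAGIC):
        indicators.append("legacy OLE2 container: macros cannot be ruled out "
                          "without parsing its streams")
        return {"format": "ole-binary", "has_macros": None, "indicators": indicators}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"format": "unknown", "has_macros": False, "indicators": indicators}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        vba_parts = [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]
        for part in vba_parts:
            indicators.append(f"VBA project part present: {part}")
        try:
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            content_types = ""
        for declared in (t for t in MACRO_CONTENT_TYPES if t in content_types):
            indicators.append(f"macro-enabled content type declared: {declared}")
    # The VBA part is the authoritative signal; the declared content type is easily edited.
    return {"format": "ooxml", "has_macros": bool(vba_parts), "indicators": indicators}


if __name__ == "__main__":
    for label, doc in (("macro-enabled", build_sample_document(True)),
                       ("plain", build_sample_document(False)),
                       ("ole2", OLE_MAGIC + b"\x00" * 504)):
        print(label, inspect_office_file(doc))
```

Run over a mail gateway's attachment store or a downloads folder, the `has_macros` flag alone separates documents that merit a sandbox detonation or a closer look from ones that cannot carry VBA at all, without relying on the file extension, which a sender controls.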