In the last article we looked exclusively at Linux malware myths. In this part, both MacOS and Windows turn for a myth-busting session. First, we’ll take a look at the stubborn myths that still cling to MacOS regarding malware and its supposed invulnerability to malicious software. Then, we’ll take a look at Windows, who has been the whipping boy for these myths. Often if MacOS doesn’t get malware then the Apple fan will support their argument by pointing the finger at Windows as being the issue.
MacOS Myths
For those who have read our previous article regarding Linux malware and the stubborn myths regarding it some of these will sound awfully similar. First, we’ll cover the myths, then we’ll look at instances of MacOS malware that have surfaced in the wild to obliterate those myths.
Macs Don’t Get Malware
This myth seems to have its roots in an ad campaign Apple signed off on that essentially stated that Macs, Apple computers running MacOS about the original Apple Macintosh computers, don’t get viruses. One such ad ran in 2006 and is still available to watch on YouTube, and that still results in security researchers releasing audible sighs.
Despite the advertisement’s use of the term viruses, which was incorrectly used to describe malware on Windows machines for a time; Macs, and by extension MacOS can and does get malware infections, including malware specifically designed for the operating system.
There isn’t a lot of MacOS Malware
Similar in erroneous thinking to the market share myth regarding Linux malware, because MacOS does not share as much of the market as Microsoft’s Windows, it’s not worth it to develop malware for the platform.
The statistics just don’t support this assumption in any way. Since 2012 there has been a continued increase in MacOS malware as well as a most recent trend of cross-platform malware designed to infect Linux, MacOS, or Windows. This also does not include the potentially unwanted programs and adware that can infect Apple machines.
MacOS is Somehow more Secure than Windows
This myth likely has its beginnings when Apple chose for its Mac products to be based on the UNIX operating system standard, a mature standard deemed to be security orientated. Since then MacOS has seen several security improvements that have, unfortunately, fed the myth.
The truth is no system, even an operating system designed by Apple (sorry, not sorry, Apple fans), is not perfect and several methods have been seen that allow threat actors to bypass security features and install malware. The most recent of which was a zero-day exploit being declared and patched in 2023. The flaw was actively being exploited in the wild and impacted MacOS and iOS devices.
The counter some MacOS prophets will give to counter this reality is that MacOS comes with XProtect, an anti-malware application generally hidden from users and cannot be turned off. These are all certainly positives in MacOS’s favor. However, it should be noted that XProtect is signature-based, meaning it can only prevent malware infections that Apple security researchers have seen. Against a dreaded zero-day exploit that grants a threat actor privileged access to a machine, very little can be done bar a patch being released as a matter of priority.
MacOS Malware in the Wild
One of the myths that also still circulate the Internet is that MacOS malware, while it exists, is limited to adware and potentially unwanted programs (PUPs). This section is dedicated to showing that far more malicious forms of malware, including ransomware, can infect MacOS and iOS devices.
KeRanger
In 2016, the first detected instance of ransomware that can infect Apple machines was detected, KeRanger. Researchers from Palo Alto summarized their discovery by stating,
“On March 4, we detected that the Transmission BitTorrent client installer for OS X was infected with ransomware, just a few hours after installers were initially posted. We have named this Ransomware “KeRanger.” The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.
Attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4. When we identified the issue, the infected DMG files were still available for downloading from the Transmission site (hxxps://download.transmissionbt.com/files/Transmission-2.90[.]dmg) Transmission is an open source project. It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred.”
Calisto Backdoor
In 2018, the Calisto Backdoor was discovered after remaining undetected on infected machines for at least two years before its discovery by security researchers. In later campaigns the backdoor was distributed in the form of an unsigned DMG image posing as Intego’s Internet Security X9 for MacOS. The threat looked convincing enough to trick users, especially users not acquainted with Intego’s security application or those merely assuming it was legitimate. It should be noted that the backdoor uses a hidden directory named “.calisto” to store keychain storage data, data extracted from the user login window, network connection information, and Google Chrome data. All information that can result in significant financial loss for the victims.
OSX.Imuler Trojan
The earliest of the selected examples, the OSX.Imular Trojan was discovered in 2011. The impressive featured trojan is also capable of stealing sensitive information and dropping other malware strains. The malware’s features include:
- Take a screen shot and send it to a remote location
- List files and folders
- Upload a file
- Download a file
- Delete a file
- Create a new process
- Unzip a downloaded file and execute it
These examples provided are older than many of the current threats facing the Apple ecosystem but this was done to show how early these myths have been debunked but yet still remain.
The Big Windows Myth
In concluding, it is necessary to look at the wiping boy of the myths, Windows. Microsoft’s operating system is often seen as inherently less secure. Microsoft themselves have made several improvements to the security of the operating system that go a long way to dispel this myth. The truth is that no operating system will be inherently safe or unsafe; threats exist for every operating system, and threat actors don’t differentiate their targets based on their operating system, as this series of articles has shown.