The Mac ecosystem has a reputation for being safe and secure by default, due to Apple’s strict control over its hardware and software. Apple strictly monitors the hardware production for its devices and sets tight restrictions on app developers. While Windows PCs and laptops combine hardware from hundreds of manufacturers, without Microsoft having direct control over production process, Apple computers have been traditionally considered much safer than Windows. However, the myth about Mac’s built-in immunity to malware started to be challenged in the past years and has been shattered when Pirrit and Silver Sparrow Mac malware made their way to the latest generation of Macs powered by the company’s native M1 chip.
Opener and the first generation of Mac malware threats
The modern history of MacOS began in 2001, when MacOS X 10.0 was announced. MacOS X 10.0 powered the third generation of iMacs and it was the first operating system to use Darwin, Apple’s Unix-like OS based on a hybrid kernel called XNU. A clear departure from the classic MacOS, OS X 10.0 was resistant to malware. First, many new built-in security features were leveraging the UNIX core. Second, most malware developed in the early 2000s was compiled in x86 code, which was not able to run on MacOS X devices, and was targeting Windows, the dominant operating system.
However, it didn’t take long for the first Mac malware to appear. In 2004, the Trojan Opener/Renepo was used to locate and crack passwords stored on the hard drive. Two years later, Leap-A, also called Oompa-Loompa, started spreading via iChat. Disguised as an image file, it installed itself on the system and infected Cocoa apps, such as Safari, iCal, Terminal, preventing them from running. In addition, it would send the malicious image files to all the victim’s iChat contacts.
The rise of MacBook and subsequent Mac malware
In 2006, Apple released its first MacBook powered by Mac OS X 10.4 (Tiger) and an Intel Core Duo processor with up to 2.0 GHz. It marked the company’s transition to Intel processors, which replaced the PowerPC chips used in previous devices. Its sleek design and innovative MagSafe power connector made the headlines. Since the release of the first MacBook, Apple has become the go-to choice for people looking to purchase a high-end computing device with an outstanding design: high-resolution retina displays, thin and lightweight thanks to their fanless designs.
Along with the MacBook’s growing popularity, malware targeting MacOS devices also started growing. The dominant malware categories have been adware, spyware, and web-threats such as HTML script-based attacks and Microsoft Office macro malware. Fake security apps also made their way on MacBooks: MacDefender, also known as MacProtector or MacShield, compromised more than 60,000 devices in 2011. It was promoted through malicious links spread by spamdexing (search engine spam) and tricked users into thinking their device is infected with malware by hijacking browsers to display pornography sites. Users were then prompted to buy this fake security software using their credit card. Other notable Mac malware threats were:
- Flashback or Fakeflash (2011), a fake Flash Player installer for Mac that enabled hackers to access files and install software on compromised computers.
- KeRanger (2016), the first ransomware targeting Mac users, delivered through a Trojan app on transmissionbt.com, a popular BitTorrent client.
- Snake and Proton (2017), two types of malware ported from Windows that were used to steal login credentials stored in browser-based services and even Apple’s own KeyChain.
- Shlayer (2018), another Trojan disguised as a Flash Player installer and distributed through torrents.
Pirrit and Silver Sparrow malware targeting M1-powered Macs
The first malware designed for devices powered by Apple’s own M1 chip was spotted in the wild in mid-February 2021. Its source is an adware extension for Safari – GoSearch22 – which is a version of the Pirrit advertising malware first detected in 2016. Although the response was prompt and the attacker’s certificate was revoked, it’s a clear sign that cybercriminals are quickly adapting to hardware changes.
Just a few days after GoSearch 22 was exposed, researchers from Red Canary identified a new Mac malware called Silver Sparrow. Silver Sparrow was found on 30,000 Macs running on Intel’s x86 architecture, but a second version of the malware was found on MacBook devices with Apple’s native M1 chip. It is not yet clear how the malware has been distributed, but hypotheses include malicious ads, pirated software, or the classic fake Adobe Flash Player updates. The impact of Silver Sparrow remains a mystery, as security researchers haven’t yet discovered a final payload. Even though it is not yet clear what Silver Sparrow can do to infected devices, it communicates with a control server hosted on Amazon Web Services.
How to protect your Mac from malware
Cybercriminals are swift in adapting their attacks to new hardware, and it has become clear that MacOS is not invulnerable. Even if you own a MacOS device from the latest generation, it is imperative to use additional security software. Apple does have good security features built-in, such as Apple Gatekeeper. Apple’s Gatekeeper verifies all apps before they run, reducing the risk of executing malware, and it has an integrated quarantine system. But it doesn’t provide complete protection against malware, especially when it comes to web-based threats and third-party apps.
For additional security, a dedicated antivirus is necessary. Avira Free Security for Mac provides real-time virus protection and multiple tools for enhanced privacy, including a free VPN and password manager. In addition, it can help you free up space on your Mac by removing checking and removing duplicate and junk files.
This post is also available in: FrenchSpanishItalianPortuguese (Brazil)