Mac Malware in 2020
There were lots of big Apple news stories in 2020, but last year was also noteworthy in terms of macOS malware.
We’ll look back at 5 of the most significant Mac malware finds of 2020. We’ll talk about what each variant of malware does, and how it works; and we’ll also consider the bigger picture, telling you what we think it means for the future of Mac security, and what you can do to stay safe.
FinSpy
What it is: FinSpy is commercial spyware. It is manufactured by a private company and sold to law enforcement and intelligence agencies around the world. Until last year, it was not thought to affect Mac users; however, in September 2020 security researchers at Amnesty International announced the discovery of a macOS variant of FinSpy. The malware appeared to be spread through a Trojanized app installer, and relied on older macOS exploits or, failing that, the kind of social engineering tactics so often seen in other kinds of Mac malware.
What it means: FinSpy is a commercial product used by nation-state actors. The fact that FinSpy’s manufacturers decided to produce a Mac version of their software suggests a demand for it, which in turn indicates that macOS users are undeniably “on the radar” of governments, intelligence agencies, and law enforcement. This also jibes with what we’ve seen on the iOS side of things. NSO Group’s Pegasus spyware was recently used to hack iPhones belonging to journalists in the Middle East, and researchers attributed that campaign to government actors. Earlier in the year, there were reports of an iOS version of LightSpy malware being used in real-world attacks; this was thought to be the work of an APT group, and thus likely connected to a nation state.
Staying safe: In the coming year, Mac users should be prepared for the possibility of more and better malware originating from nation-state actors, their APT proxies, or third-party vendors like FinFisher and NSO Group. In this environment, it will be more important than ever to keep your operating systems up to date; to avoid software that comes from unknown or untrusted sources; and to handle all incoming emails and links with greater vigilance.
GravityRAT
What it is: GravityRAT is a spyware tool that gives malicious actors remote access to an infected system; this access can include the ability to exfiltrate data and execute commands. Like FinSpy, this malware has been around for some time as a Windows threat. But in October 2020, researchers at Kaspersky published a report detailing GravityRAT variants for macOS; the same report also announced Android versions of the malware. On macOS, GravityRAT’s infection vector appears to be Trojanized applications.
What it means: GravityRAT is another example of a Windows malware threat being ported to macOS, and we expect to see more of this in the future. Developing malware takes time and effort, and for many years it was simply not profitable for cybercriminals to write malware for macOS. However, the increasing prevalence of Macs — especially in enterprise environments — has incentivized the development of malware that specifically targets macOS, and this has resulted in a sharp spike in Mac malware. Repurposing older Windows and Linux malware for use on macOS is one way to create “new” Mac malware quickly and efficiently, and will likely be an attractive option for many bad actors.
Staying safe: In the year ahead, keep an eye on security news outlets for alerts about “new to Mac” malware variants. Note that many of these may arrive as malicious downloads that are not properly signed or notarized. Such apps will be flagged by macOS, and will only run if users are tricked into ignoring system alerts or bypassing basic macOS protections. For this reason, it will be more important than ever to ensure that downloads come from trusted sources only, and to pay attention to any dialogs or warnings that your Mac displays.
XCSSET
What it is: XCSSET is a suite of malicious components that has been found in infected Xcode projects. Xcode is a tool used to write macOS software, and thus XCSSET is primarily of concern to app developers. Nevertheless, the malware also has implications for everyday Mac users, as we will see. XCSSET spreads through infected Xcode projects; if a developer downloads an infected Xcode project and uses it to build an app, their system may be compromised. The malware suite contains credential theft, data exfiltration, and ransomware capabilities. Because many developers share their projects with one another on public code repositories like GitHub, XCSSET may spread from one infected project to many others, a behavior which led its discoverers to call it a “supply-chain-like attack”.
What it means: XCSSET is a good reminder that bad actors are now targeting developers directly, and can use public code repositories like GitHub or Bitbucket to spread malicious software. While XCSSET itself is likely to impact developers more than everyday users, the practice of going after software that will later be used by others — the “supply chain attack” model — is something that all users need to be aware of. The SolarWinds hack is the most dramatic example of the danger posed by such attacks, but less spectacular versions of the same tactic are used regularly by e-skimmer fraudsters, and have recently become an IoT security concern as well.
Staying safe: The responsibility for defending against supply-chain attacks belongs to developers and website owners, and it can be difficult to protect yourself when a trusted provider has been compromised — but there are some precautions you can take. In terms of website security, try to enter financial details on as few sites as possible, and opt for secure payment methods like Apple Pay if possible. You may also want to consider using an outbound firewall app like LuLu or Little Snitch, as these tools can help you catch suspicious traffic that’s leaving your Mac. If the worst happens and you are infected with malware, an outbound firewall may be able to help you block the malware from contacting its command and control (C&C) server and doing further damage.
ThiefQuest
What it is: ThiefQuest is hybrid Mac malware that contains spyware, data exfiltration, and ransomware capabilities. Ransomware is extremely uncommon on macOS, and this alone makes ThiefQuest notable. However, the malware’s ransomware functionality appears to be poorly or incompletely implemented, leading some researchers to speculate that it may be intended to distract infected users from the malware’s true purpose: surveillance and data theft. ThiefQuest also contains a number of other interesting features, including anti-detection and anti-analysis capabilities, as well as the ability to reproduce itself virally on an infected system.
What it means: ThiefQuest is an original, sophisticated, and multifaceted piece of Mac malware — and is thus an excellent example of what security researchers mean when they say macOS threats are evolving. Researchers believe that the malware is still under active development by its authors, which leaves the door open to a more powerful or a more fully featured version of ThiefQuest appearing in the future. The fact that someone out there is writing new and powerful Mac malware is yet another sign that the macOS threat landscape is changing, and changing rapidly. To anyone who has been following Mac security news and research for the past several years, this should come as no surprise, but this new reality may catch many Mac users off guard.
Staying safe: ThiefQuest is spread via Trojanized versions of pirated software, which is a common macOS malware infection vector. The prevalence of malicious “cracked” apps is a compelling reason to avoid pirated software (in addition to the ethical and legal issues). If you want to stay safe, keep away from pirated apps, and look for a reputable open-source software alternative instead. The fact that ransomware is now becoming “a thing” on macOS is also significant, and something that Mac users should factor into their incident mitigation and recovery strategies. In particular, all users should perform regular backups of important files: In the event of a ransomware infection, it is essential to have the ability to restore your data from a backup instead of paying the ransom! If you haven’t implemented a backup system yet, it’s definitely time to do this — consider it your first cybersecurity New Year’s resolution of 2021!
Shlayer (Apple-approved variant!)
What it is: Shlayer is a macOS Trojan that is used to install adware. It’s extremely common, with some analysts estimating that the Shlayer malware family infects as many as 1 in 10 Macs worldwide. Ordinarily, Shlayer malware would not be newsworthy, but in August 2020, security researchers discovered a variant that had actually gone through — and passed — Apple’s app notarization process! App notarization is an automated system that checks apps for code-signing issues or evidence of malicious components. All developers have to submit their apps to Apple’s notarization service before they are allowed to run on macOS; if an app hasn’t passed the notarization process, Gatekeeper will block it from running. At least, that’s what’s supposed to happen, but it seems that something went seriously wrong last summer.
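The notarization and Gatekeeper checks described above can be run by hand on any downloaded app before it is launched. The script below is an added example written for this article, not code from the original post or from Apple; it assumes the macOS command-line tools spctl(8) and codesign(1), and the app path in the usage line is a placeholder. The parsing function works on any POSIX shell, so the classification logic can be exercised with the constructed sample outputs even off a Mac.

```shell
#!/bin/sh
# Added example (not from the original article): reduce Gatekeeper's
# assessment of an app bundle to a one-word verdict, and independently
# confirm that the code signature still matches the bundle contents.
# Assumes macOS tools spctl(8) and codesign(1) for the live check.

# classify_spctl TEXT
# TEXT is what `spctl --assess --verbose=2 --type exec APP` prints.
# Prints one of: rejected | notarized | accepted | unknown
classify_spctl() {
  case "$1" in
    # Gatekeeper would block this app on first launch.
    *": rejected"*)                    echo rejected ;;
    # Signed with a Developer ID and notarized by Apple. As the Shlayer
    # case shows, this means "scanned", not "safe".
    *"source=Notarized Developer ID"*) echo notarized ;;
    # Accepted on other grounds (App Store, Apple system software, ...).
    *": accepted"*)                    echo accepted ;;
    *)                                 echo unknown ;;
  esac
}

# assess_app APP_BUNDLE_PATH  (macOS only)
# Prints: <path> gatekeeper=<verdict> signature=<intact|broken>
assess_app() {
  app="$1"
  # Same policy Gatekeeper applies when a downloaded app is first opened.
  verdict=$(spctl --assess --verbose=2 --type exec "$app" 2>&1)
  gk=$(classify_spctl "$verdict")
  # Strict, deep verification catches bundles modified after signing.
  if codesign --verify --deep --strict "$app" >/dev/null 2>&1; then
    sig=intact
  else
    sig=broken
  fi
  printf '%s\tgatekeeper=%s\tsignature=%s\n' "$app" "$gk" "$sig"
}

# Constructed sample outputs in the format spctl uses (not real apps).
SAMPLE_NOTARIZED=$(printf '%s\n' \
  '/tmp/Example.app: accepted' \
  'source=Notarized Developer ID' \
  'origin=Developer ID Application: Example Corp (PLACEHOLDER)')
SAMPLE_REJECTED=$(printf '%s\n' \
  '/tmp/Example.app: rejected' \
  'source=Unnotarized Developer ID' \
  'origin=Developer ID Application: Example Corp (PLACEHOLDER)')
SAMPLE_UNSIGNED=$(printf '%s\n' \
  '/tmp/Example.app: rejected' \
  'source=no usable signature')

# demo_classify: show the classifier on the constructed samples.
demo_classify() {
  printf 'notarized sample -> %s\n' "$(classify_spctl "$SAMPLE_NOTARIZED")"
  printf 'rejected sample  -> %s\n' "$(classify_spctl "$SAMPLE_REJECTED")"
  printf 'unsigned sample  -> %s\n' "$(classify_spctl "$SAMPLE_UNSIGNED")"
}

# Usage on a Mac: sh gatekeeper-check.sh ~/Downloads/SomeApp.app
if [ $# -gt 0 ]; then
  for a in "$@"; do assess_app "$a"; done
fi
```

A verdict of notarized only tells you that Apple's automated scan accepted the binary at submission time; it does not vouch for what the app does once it runs, which is exactly the gap the Shlayer incident exposed. A signature=broken result on an otherwise accepted app is worth treating as a red flag in its own right, since it means the bundle no longer matches what was signed.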
What it means: App notarization and native security features like XProtect are meant to give Mac users a degree of basic protection against malware. These tools do a decent job, but with macOS threats increasing, and with more sophisticated Mac malware variants on the rise, Apple simply isn’t going to catch everything. Apple’s “approved” version of Shlayer, one of the best-known Mac malware threats in the world, is a prime example of this. But there have also been other incidents that raise questions about Apple’s app review process, including the presence of data harvesting and cryptomining apps in the Mac App Store.
Staying safe: Apple has a well-deserved reputation for security, but no system can ever be 100% safe, and with the current increase in macOS threats, users should not rely exclusively on the platform’s native protections. So what can be done to make your Mac more secure? The first, best defense against Mac malware is…you! You can go a long way to keeping yourself safe by learning how to spot phishing attacks; paying attention to system dialogs and alerts; only running apps from trusted developers; and following other basic best practices. In addition, try to keep up to speed on the latest developments in Mac security. There is a wealth of information available through social media channels, podcasts, or security news outlets, so take advantage of it. Lastly, always use a reputable and regularly updated malware detection and removal tool on your system; such tools can help keep you safe from newer Mac malware threats, or from known malware that has somehow slipped through Apple’s defenses.
2021 will no doubt bring new security challenges for Mac users, but reviewing the past year’s Mac malware can give us some idea of what we’re likely to be up against.