Mac Trojan Horse Malware Guide
(Updated and expanded for 2022)
In this updated guide, we’ll tell you everything you need to know about Mac Trojan horse malware: What it is, what it does, and how to stay safe!
What is a Trojan, exactly?
First, a clarification. When we talk about Trojan horse malware, we’re not referring to a specific type of malicious program. Rather, we’re talking about how the program infects a computer.
The name “Trojan horse” is a clue to the meaning. It comes from Greek mythology: is a reference to the stratagem that won the Trojan War.
According to legend, the Greek army had been unable to breach the walls of Troy despite a 10-year siege. So the wily King Odysseus came up with a trick. He instructed the Greeks to build a giant wooden horse, and hid inside it with an elite group of soldiers. Odysseus then had the horse delivered to the gates of Troy, while the rest of the Greeks pretended to sail away. The Trojans, believing that their enemies had finally admitted defeat, and had left the wooden horse behind as an offering, brought it into their city. That night, Odysseus and his men crept out from their hiding place, and opened the city’s gates to the waiting Greek army. Troy was sacked, ending the war.
In terms of cybersecurity, we can define Trojan horse malware as follows: A Trojan is a malicious program that pretends to be something it isn’t so that a user will install it. It looks harmless, but once it’s “inside the walls”, so to speak, its true purpose becomes apparent.
What do Mac Trojans do?
OK, so the term “Trojan” refers to the way the malware gets onto a Mac — not the functionality of the malware itself. But that makes it difficult to say exactly what a given Mac Trojan will do, since they can all behave differently!
The range of possible malicious behaviors shown by Mac Trojans is quite broad. Here’s a high-level overview of what they can do (but keep in mind that not every macOS Trojan will have all of these capabilities):
- Communicate with a command and control (C&C) server
- Upload and download arbitrary files onto an infected system
- Download and install additional malicious components, from adware and PUPs to far more dangerous second-stage payloads
- Execute arbitrary commands on a compromised Mac (with varying levels of permissions depending on the Trojan)
- Log keystrokes, take screenshots, and record audio on the infected machine
- Hijack a Mac’s computing power for cryptomining
- Use anti-detection capabilities to bypass system scans and escape notice
Are Trojans a big problem on Mac?
Arguably, Trojans aren’t just a problem on Mac, they’re the problem on Mac! Here’s why.
macOS was designed with a number of security features that prevent bad actors from infecting Macs with malware. Now, this doesn’t mean Macs are impervious to malware. They aren’t. The native Mac malware detection tool, XProtect, only provides the most basic protection, and there have been some serious problems with App Notarization in the past. In addition, a macOS 0-day can result in a full bypass of the Mac’s built-in security features. But still, all things considered, Apple has done a pretty good job of making macOS safer than Windows.
However, there’s one vulnerability that Apple can’t address through security engineering: risky user behavior. To be blunt, if a person is determined to install a malicious program on their Mac, Apple can’t do a whole lot to stop them! That’s why Mac Trojans are such a persistent problem on macOS. No matter what Apple does from a security standpoint, there’s really nothing to prevent a bad actor from creating a piece of malware and then tricking the user into running it.
Doing “something dumb”
We want to be very clear about something here. Sometimes you’ll hear Apple fans — or even people in the security community — say that the only way to get infected by a Mac Trojan is to “do something dumb”. Frankly, this is a reductive and unhelpful take.
For one thing, it overlooks the fact that modern social engineering tactics can be extremely convincing. Big tech companies, telecoms, and software developers fall for them. Average computer users can too. It doesn’t take much to fool someone into thinking that the app they’re downloading is a safe, legitimate program.
In addition, Macs are specifically marketed to people who want a computer that “just works”. Because of this, a certain proportion of the Mac user base is almost guaranteed to be non-technical. And if you’re not technically savvy, it’s going to be a lot harder for you to spot a Trojan, or know how to avoid one.
Lastly, let’s not forget that Apple’s own advertising campaigns spent years indoctrinating users to think that Macs couldn’t get malware! Apple no longer runs those ads, and in a sign of how much times have changed, the company’s VP of Software Engineering testified in court last year that there is an “unacceptable” level of Mac malware. But Apple’s marketing has had a lasting, negative effect on security awareness among Mac users.
In short, there are plenty of ordinary Mac users out there who can be tricked into running a Trojan. It’s not a question of being “dumb” at all. Fortunately, there are some simple best practices that can help you stay safe.
But before we move on to that, let’s look at some of the different Mac Trojans out there today.
What are some Mac Trojans in 2022?
Mac Trojans have been around since the early days of macOS. We’ve been tracking them from the beginning, and SecureMac researchers are credited with discovering both the Boonana and OSX/CoinThief.A Trojans.
But what about the more recent Mac Trojan horses? Here’s a sampling of some significant Mac Trojans from the past couple of years:
Attributed to an unknown APT group, WildPressure spreads through Virtual Private Servers and compromised WordPress websites. It appears to be targeted at specific users in the Middle East.
This Trojan is noteworthy in that it doesn’t target everyday Mac users, but software developers instead! XCodeSpy spreads through trojanized XCode projects (software repositories used by programmers who are building macOS apps).
Also known as WizardUpdate, this Mac Trojan disguises itself as a harmless piece of software and spreads through malicious pop-up ads. An evolving malware variant, UpdateAgent was initially an information-stealer, but is now being used to distribute adware.
This Mac Trojan horse targets cryptocurrency users, disguising itself as a crypto trading app. The bad actors behind ElectroRAT created phony companies and fake social media profiles in order to make their ruse more convincing.
A commercial spyware tool, FinSpy is sold to law enforcement agencies and governments around the world. The macOS version of this powerful surveillance suite spreads through trojanized app installers.
How to avoid Mac Trojan horses
You know what macOS Trojans are, and what they can do. Now let’s talk about the real issue: How to stay safe! Follow these four basic best practices in order to avoid Mac Trojan horses:
Download from trusted sources only
There are only two places you should ever download a macOS app from: the Mac App Store and the official website of a developer you know and trust. Avoid third-party app distribution platforms: They’re not necessary.
The Mac App Store is pretty self-explanatory, but how do you know which developers you can trust? Well, unless you’re dealing with a major company like Microsoft or something, your best bet is to simply do your own consumer research on a developer before running their software. Have they been in business for a while? Have their apps been evaluated by objective reviewers? Can you find any complaints from users about shady business practices? Do your due diligence before you install anything on your Mac.
If you’re setting up a Mac for someone who isn’t very security savvy, you can require that new apps come from the Mac App Store only. To do this, go to Apple menu > System Preferences > Security & Privacy. Under the words “Allow apps downloaded from”, select the option that says App Store.
Don’t used pirated apps
Mac Trojans are often disguised as pirated or “cracked” apps. These are unofficial or altered versions of paid apps. People use them because they want the software without having to pay for a license key.
We won’t comment on the legal or ethical aspects of using pirated software, but from a security standpoint, it’s a very bad idea. The bad guys are hoping that people’s desire to save money will override their better judgement. The unsuspecting user thinks they’re getting a free copy of Photoshop or Ableton, but instead they get malware. In some cases, the hackers even include a working copy of the pirated app in addition to the malware. This leads victims to believe that they’re in the clear, when in fact they’ve already been hacked!
In short, don’t use stolen software. Instead, look for an open-source app that offers the functionality you need. A simple web search for the paid app’s name and “open-source alternative” will usually help you find exactly what you’re looking for.
Listen to your Mac
Apple has introduced some additional macOS app safety features in recent years. These are designed to thwart Trojan horse malware. But they only work if you actually pay attention to what your Mac is telling you!
If you’re trying to install something on your Mac, and you see an alert warning you that there’s an issue, be careful! macOS will let you know if the developer of the app can’t be verified, which indicates a possible code-signing or App Notarization issue. In addition, macOS will tell you if there are signs of malware in the file you’re trying to run.
If you see one of these warnings, pay attention. Don’t try to run the app anyway — especially if the so-called developer has provided step-by-step instructions on how to bypass your Mac’s built-in security features. Bad actors use such “helpful instructions” as a social engineering tactic: an attempt to get unwary Mac users to infect themselves with malware!
Use a good Mac malware detection app
If you do all of the above, you should be reasonably safe from Mac Trojan horse malware. But it’s still possible to run into something nasty — and of course, there are other types of macOS malware in addition to Trojans.
For this reason, always use a robust and regularly updated Mac malware detection and removal tool. SecureMac’s MacScan 3 is one good option (and our personal favorite, naturally!). But there are other solid Mac security apps on the market as well. The best advice is to find one that’s reputable and that you find easy to use. A malware detection app only works if you actually use it, so look for something that’s both reliable and user-friendly! If you want to test out MacScan 3, we offer a 30-day free trial.