Skip to main content

Malware

See All Stories

Ex-NSA staffer demonstrates malware bypassing security checks in High Sierra

Security research and former NSA staffer Patrick Wardle says that he will demonstrate on Sunday a set of automated attacks against macOS High Sierra, in which he is able to bypass security checks.

The checks are ones that ask the user to confirm that an app should be granted permission to do things like access contacts or location data …


Expand
Expanding
Close

PSA: There’s a new fake Flash Player installer for Macs, and it’s nastier than usual

Macs are not immune to malware, but they are pretty well-protected. By default, macOS won’t allow unrecognized apps to be installed, and it needs the user to agree to override this. Even when they are installed, sandboxing limits the damage that can be done, which is why most Mac malware is actually adware – annoying but not damaging.

A common way for attackers to get malware onto a Mac is to disguise it as something else, to trick technically naive users into installing it. Fake installers for Adobe Flash Player are particularly favored, and Malwarebytes has found a variant that’s nastier than usual …


Expand
Expanding
Close

Mac malware discovered in the wild allows webcam photos, screenshots, key-logging

[UPDATE: Apple confirmed to us that any systems that are up to date, running El Capitan or later, are protected. We’ve also confirmed from those in the know that the issue has been fixed since around January and only affected older and out of date Macs.]

A security researcher has discovered a piece of Mac malware that allows an attacker to activate the webcam to take photos, take screenshots and capture keystrokes.

Synack researcher Patrick Wardle says that the malware has been infecting Macs for at least five years, and possibly even a decade …


Expand
Expanding
Close

Comment: The WannaCry attack should be a wake-up call for consumers, businesses and governments

The WannaCry ransomware attack may have been exploiting a vulnerability in Windows, but the lesson it provides – the importance of keeping both computers and mobile devices updated – is one applicable to all of us, Apple users included.

WannaCry itself targeted a vulnerability that had existed in Windows all the way through from XP to the latest Windows 10. Microsoft issued a patch to fix the issue for Windows Vista onwards back in March, but many organizations failed to update.

The scale of the attack – which caused widespread disruption around the world – should be a wake-up call to consumers, businesses and governments alike …


Expand
Expanding
Close

Windows backdoor malware disguises itself as Adobe Flash on macOS

Snake Adobe Flash Player malware on macOS

A new piece of backdoor malware originally discovered on Windows has found a new home in macOS. Disguising itself as a legitimate Adobe Flash Player installer, the malware burrows into pre-existing macOS folders making it harder to spot. Having used a valid developer’s certificate, the malware was set to run free on macOS even with Gatekeeper enabled.

These certificates were created to help validate applications with Gatekeeper, but lately have been used to spread malicious software. This is the second reported malware incident in the past week using a valid certificate.


Expand
Expanding
Close

Nasty Mac malware bypasses Gatekeeper, undetectable by most antivirus apps

Site default logo image

We learned recently that macOS malware grew by 744% last year, though most of it fell into the less-worrying category of adware. However, a newly-discovered piece of malware (via Reddit) falls into the ‘seriously nasty’ category – able to spy on all your Internet usage, including use of secure websites.

Security researchers at CheckPoint found something they’ve labelled OSX/Dok, which manages to go undetected by Gatekeeper and stops users doing anything on their Mac until they accept a fake OS X update …


Expand
Expanding
Close

Mac malware grew 744% in 2016, says McAfee report, but most of it is adware

Site default logo image

The latest McAfee Threat Report shows that macOS malware grew by 744% in 2016, with around 460,000 instances detected. Behind the headline number, though, are a couple of reassuring facts.

First, while Mac malware is on the increase, it is almost a rounding error when viewed alongside Windows malware. All malware detected last year combined totalled more than 600M instances. Of this, around 15M examples were mobile malware – almost all of it Android …


Expand
Expanding
Close

Comment: The Catch-22 position Apple is in regarding the iOS 9.3.5 security fix

ios-9-3-5

One of the major benefits of Apple’s ecosystem is that it’s a pretty secure environment. Take OS X (soon to be macOS). The first ever example of OS X ransomware seen in the wild was earlier this year, when it was major news. Other Mac malware exists, but it’s rare enough that individual examples make the news – and most of those require users to do something irresponsible, like install software from an unknown source.

Contrast that with Windows, where the BBC reported that the number of viruses, worms and trojans in circulation topped the one million mark as long ago as 2008. That may be somewhat exaggerated, but most sources agree that the number is in six figures.

iOS is an even more secure platform. Sure, if you jailbreak an iPhone, all bets are off, and there are ways to install sketchy apps on iOS devices using an enterprise certificate. But absent those two things, it wasn’t until this year that the first example of iOS malware was found …


Expand
Expanding
Close

Malwarebytes reports new OS X malware that could easily fool less technical users

mac-file-opener

No 9to5Mac reader is going to be at risk from malware that directs users to a scam website and asks them to download software, but Malwarebytes has discovered a previously unknown piece of Mac malware that could easily fool less technical users.

Thomas Reed, lead researcher at Malwarebytes, told us that he found the malware on a scam page hosted on the official Advanced Mac Cleaner website …


Expand
Expanding
Close

Stagefright-style vulnerability discovered in OS X and iOS, update for protection

maxresdefault

Security researchers last year discovered what they described as ‘the worst Android vulnerability ever,’ able to infect a phone with malware simply by sending an MMS message to it. The vulnerability, dubbed Stagefright, didn’t even require people to open the message for their phone to be infected.

A Cisco researcher has now discovered a similar vulnerability in OS X and iOS, that could allow an attacker to gain access to your stored passwords and files simply by sending you a malicious image file …


Expand
Expanding
Close

New Mac malware in the wild, Backdoor.MAC.Elanor – can steal data, execute code, control webcam

Site default logo image

controlpanel-1-1024x750-1

After the first ever example of Mac ransomware was found in the wild earlier this year, Bitdefender Labs has found what it tells us is only the second example of true Mac malware to enter circulation this year, which it has dubbed Backdoor.MAC.Elanor. The malware application was available on a number of (formerly?) reputable download sites such as MacUpdate.

The backdoor is embedded into a fake file converter application that is accessible online on reputable sites offering Mac applications and software. The EasyDoc Converter.app poses as a drag-and-drop file converter, but has no real functionality – it simply downloads a malicious script.

This is a nasty backdoor that can steal data, execute remote code and access the webcam, among other things …


Expand
Expanding
Close

Security firm discovers first iOS malware that can infect non-jailbroken iPhones w/o enterprise certificate

malware

Non-jailbroken iPhones are usually close to immune from malware thanks to Apple vetting every app before it’s made available in the App Store. So far, malware has relied on abusing enterprise certificates designed to allow companies to distribute apps to their own phones. But security company Palo Alto Networks has discovered a new piece of malware that can infect iPhones by exploiting a vulnerability in Apple’s DRM mechanism.

AceDeceiver is the first iOS malware we’ve seen that abuses certain design flaws in Apple’s DRM protection mechanism — namely FairPlay — to install malicious apps on iOS devices regardless of whether they are jailbroken.

AceDeceiver currently uses a geotag so that it is only activated when a user is located in China, but a simple switch could allow it to infect iPhones elsewhere …


Expand
Expanding
Close

Popular Instagram client removed from App Store for harvesting usernames, passwords

Screen Shot 2015-11-10 at 8.31.15 PM

Apple today has pulled a popular Instagram client from the App Store after it was found to be harvesting usernames and passwords. First noticed by developer David L-R on Twitter, the Instagram client InstaAgent has been pulled from the App Store. The app, downloaded more than half a million times, touted that it would let you see who had been viewing your Instagram profile.


Expand
Expanding
Close

A modified version of XcodeGhost remains a threat as compromised apps found in 210 enterprises

xcodeghost-s

Security firm FireEye said in a blog post that XcodeGhost – a fake version of Xcode that injected malware into genuine apps – remains a threat. FireEye has identified a more advanced version of the compromised app development tool, XcodeGhost S, which has been designed to infect iOS 9 apps and allow compromised apps to escape detection by Apple.

XcodeGhost is planted in different versions of Xcode, including Xcode 7 (released for iOS 9 development). In the latest version, which we call XcodeGhost S, features have been added to infect iOS 9 and bypass static detection.

We have worked with Apple to have all XcodeGhost and XcodeGhost samples we have detected removed from the App Store.

The company said that by monitoring its customers’ networks, it identified 210 enterprises with infected apps running inside their networks – a third of them in the USA – generating 28,000 attempts to connect to the XcodeGhost Command and Control (CnC) servers … 
Expand
Expanding
Close

Security researcher finds simple way to bypass Gatekeeper and allow a Mac to run malware

Gatekeeper-bypass-hack

A security researcher has found an extremely simple way to bypass Gatekeeper to allow Macs to open any malicious app, even when it is set to open only apps downloaded from the Mac App Store.

Patrick Wardle, director of research at security firm Synack, told arsTechnica that once Gatekeeper okays an approved app, it pays no more attention to what that app does. The approved app can then open malicious apps – which Gatekeeper doesn’t check.

Wardle has found a widely available binary that’s already signed by Apple. Once executed, the file runs a separate app located in the same folder as the first one […] His exploit works by renaming Binary A but otherwise making no other changes to it. [He then] swaps out the legitimate Binary B with a malicious one and bundles it in the same disk image under the same file name. Binary B needs no digital certificate to run, so it can install anything the attacker wants … 


Expand
Expanding
Close