Trend

Malicious macOS installers

Malicious installers led to rotten Apples and adware, as adversaries continued to target macOS throughout 2021.

We’ve come a long way from hearing cries of “Macs don’t get viruses!” In 2021, the information security community saw more and more malware targeting macOS systems. In contrast to Windows systems, we observe far fewer malicious documents or email attachments on macOS. Instead, the majority of malware we observe on macOS stems from malicious installers that trick victims into thinking they’re downloading legitimate content. This approach is particularly insidious because users on macOS systems usually possess administrative privileges, so an installer they approve runs with those privileges. Shlayer, Bundlore, and Silver Sparrow all followed this malicious installer trend, and four of the eight macOS malware threats Objective-See covered in its review of 2021 relied on malicious installers for deployment.

Figure: screenshot of a fake Adobe Flash alert used to lure victims into running a malicious installer

Most macOS threats we observe are malicious adware. Malicious adware is an unwanted program designed to show advertisements on a victim’s screen, often within a web browser. A good example of the potential impact of malicious adware comes from the activity cluster Red Canary tracks as Silver Toucan: this cluster’s own terms of service disclose that victim hosts may be used for proxy activity. Malicious macOS adware often includes tools such as MITMProxy for ad injection, which raises the privacy concern that web traffic on affected hosts is being inspected.

Updating the operating system and applying antimalware controls are the best defenses against malicious software on macOS. Patching to the latest version available makes it less likely that the exploits carried by malicious installers will succeed. Malware authors still circulate versions of installers that exploit already-patched vulnerabilities, knowing that not everyone can patch their macOS system; antimalware controls help mitigate this threat. Where possible, obtain software directly from trusted sources that sign their installers and seek notarization from Apple. Malicious software has been mistakenly notarized in the past, but each case has been rapidly found and remedied.
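As an added example, not part of this report or Red Canary's tooling, the following shell script assesses a downloaded installer with Gatekeeper's spctl before it is run and treats only packages that are both accepted and notarized as installable. The function names (classify_assessment, policy_allows, assess_installer) are assumed here; the source= strings it matches are the ones spctl prints on macOS.

```shell
#!/bin/sh
# Assess a downloaded macOS installer (.pkg or .app) with spctl before
# installing it, and reduce spctl's verbose output to a single verdict.
# Requires macOS for spctl; classify_assessment and policy_allows are
# portable shell and can be exercised on any POSIX system.

# Map "spctl --assess -vv" output to "<decision>/<signature source>".
# spctl prints "<path>: accepted|rejected" followed by "source=..." lines.
classify_assessment() {
    out="$1"
    case "$out" in
        *"source=Notarized Developer ID"*)   src=notarized ;;
        *"source=Unnotarized Developer ID"*) src=signed ;;   # Dev ID, not notarized
        *"source=Developer ID"*)             src=signed ;;   # older macOS wording
        *"source=no usable signature"*)      src=unsigned ;;
        *)                                   src=other ;;
    esac
    case "$out" in
        *": accepted"*) echo "accepted/$src" ;;
        *": rejected"*) echo "rejected/$src" ;;
        *)              echo "unknown/$src" ;;
    esac
}

# Local policy: only installers Gatekeeper accepts AND that are notarized pass.
# A valid Developer ID signature without notarization is not enough.
policy_allows() {
    [ "$1" = "accepted/notarized" ]
}

# Run spctl on a path and print "<path>: <verdict>"; exit status follows policy.
assess_installer() {
    path="$1"
    case "$path" in
        *.pkg) type=install ;;   # installer packages use the install policy
        *)     type=execute ;;   # app bundles use the execute policy
    esac
    # spctl exits non-zero on rejection; keep its output either way.
    out=$(spctl --assess --type "$type" -vv "$path" 2>&1) || true
    verdict=$(classify_assessment "$out")
    printf '%s: %s\n' "$path" "$verdict"
    policy_allows "$verdict"
}

# Usage: sh check_installer.sh /path/to/Download.pkg
if [ $# -gt 0 ]; then
    assess_installer "$1"
fi
```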