Six Colors
Six Colors

by Jason Snell & Dan Moren

Support this Site

Become a Six Colors member and get access to an exclusive weekly podcast, community, newsletter and more.

By Jason Snell

Sleazy adware targets Mac users–and Apple steps up its game

Image from Malwarebytes report.

Malwarebytes, a company that sells anti-malware software, came out with its annual report on the state of malware this week. It has fed a bunch of overhyped headlines around the web about malware on the Mac growing rapidly. What it really reveals is that the Mac is increasingly a target for annoying adware apps—which isn’t quite the same as malware. Meanwhile, Apple has also been adjusting its policies and adding new features to fight the spread of this stuff.

Malwarebytes reports:

…most Mac threats, and certainly the most prevalent ones of 2019, are families of adware and potentially unwanted programs (PUPs). The most common Mac malware family, OSX.Generic. Suspicious, fell well down the list at 30th place in Mac- specific detections, and hundreds of spots down on a cross-platform threat list.

The key here is to differentiate between adware, PUPs, and malware. The top 29 bad actors tracked by Malwarebytes in 2019 were adware or PUPs, which are annoying and disingenuous but not considered actually harmful. The big new entry in 2019 was called New Tab and is a browser hijacker.

It’s worth considering the tools Apple has at its disposal to make the Mac safe from questionable software. First, there’s the Mac App Store, which has a rigorous approval process that blocks most or all of the techniques that these sorts of apps use. Occasionally something leaks through, but those mistakes are rare and rapidly corrected. If you’re only downloading software from the Mac App Store, you’re pretty much safe.

Next is Apple’s relatively new notarization process. Sofware developers now have to pass their apps through an automated analysis on an Apple server, and then Apple cryptographically signs the app. Apps that fail some checks can be rejected, and Apple can remotely kill those apps if they are found to be behaving badly.

And then there’s Gatekeeper, which scans apps when you launch them and doesn’t let them run unless they pass a bunch of checks. Depending on your Mac’s security settings, Gatekeeper can prevent the launching of software that doesn’t pass muster.

The Malwarebytes report covers the entirety of calendar year 2019, but in November Apple actually stepped up its efforts to identify problematic software and clarified some of its policies to give it wider latitude to shut off software that doesn’t quite fit the definition of malware. Apple pointed me to this note to developers that specifies what kinds of software will be considered for removal. There are three kinds:

  • Deceptive apps that misrepresent functionality, mimic other software, make misleading claims, or consume resources without user content.
  • Difficult to remove apps that fight to stay on your Mac, want to charge you a fee to remove themselves, or display ads outside the app.
  • Apps that degrade security or privacy and are therefore more classic definitions of malware. This category also includes apps that violate a user’s privacy expectations by transmitting sensitive data elsewhere that is contrary to the stated purpose of the software.

Now, does this mean that Apple is going to shut down all of those apps that claim to clean your system and keep it running smoothly? Though most Mac experts would suggest that such apps are not really necessary, it’s an arguable point—and Apple appears to be erring on the side of allowing apps in that gray area to exist. At least, so long as they don’t violate other aspects of its policies. (The FDA doesn’t prohibit homeopathic remedies, either.)

It seems that many of the items in Malwarebytes’ report have gotten the hammer from Apple and are no longer actively circulating. The report’s long list of Mac software is an alert that the Mac is now a much more enticing target for makers of adware and other scam software. It certainly can’t be a coincidence that Apple is stepping up enforcement of its policies at the same time that the number of these sleazy apps is increasing.

There is also one very interesting observation in the Malwarebytes report that gives me pause, as someone who uses the Mac’s unix underpinnings to drive a lot of automation:

We expect to see that trend continue in 2020 as Apple tightens the requirements and conditions for checking, code signing, and notarization. Since shell scripts are exempt from these restrictions, we expect to see them used more and more by malware.

I would imagine that future versions of macOS will make it harder to run arbitrary shell scripts, which is a bummer—but if that’s where the scoundrels are heading, Apple’s security team will have to chase them there. This is why we can’t have nice things.

As the creators of anti-malware software, Malwarebytes is perfectly positioned to understand these trends, and their report is full of valuable information. At the same time, their business also potentially benefits if Mac users are more fearful about malware. And Malwarebytes’s Mac expert, Thomas Reed, stoked those fears in an interview with Recode:

There is a rising tide of Mac threats hitting a population that still believes that ‘Macs don’t get viruses,'” Reed said. “I still frequently encounter people who firmly believe this, and who believe that using any kind of security software is not necessary, or even harmful. This makes macOS a fertile ground for the influx of new threats, whereas it’s common knowledge that Windows PCs need security software.”

It’s valid to wonder if the Mac’s reputation for being a safe harbor leads some Mac users to make bad security choices. But “Macs don’t get viruses” is a statement that is still overwhelmingly true. Even if it makes it awfully hard to sell Mac anti-malware software.

If you appreciate articles like this one, support us by becoming a Six Colors subscriber. Subscribers get access to an exclusive podcast, members-only stories, and a special community.