
Malware and security tools on Mac OS

Posted on 08/12/2016, by INCIBE

Among Apple users, malware is rarely seen as an issue that deserves particular attention. But is that lack of concern justified? Are Mac OS's security mechanisms sufficient? Is Apple's operating system really invulnerable to malware? The answer to each of these questions is NO.

It is true that the incidence of malware is low compared with platforms such as Windows or Android, but the reason has less to do with the security of the system than with attackers' limited interest in it: they concentrate on the most widely used systems. That argument has lost weight in recent years, mainly because of Apple's growth, but probably also because of factors such as the IoT (Internet of Things), which places us in an ever more interconnected world and has brought multi-platform malware with builds for several operating systems.

We must also bear in mind that not being a priority target has a downside: less is known about infections and the attack techniques used, and the protections against them are correspondingly less mature. With OS X El Capitan, Apple introduced a new security measure, System Integrity Protection (SIP), aimed at protecting the kernel and critical files and paths from manipulation, even by root. SIP is described in detail in the article OS X security model (II). It complements existing measures such as XProtect and Gatekeeper, which make up Mac OS's basic defence against unidentified software. However, these built-in protections work transparently for the user; beyond a few command-line queries (csrutil status for SIP, spctl --status for Gatekeeper), the operating system offers no simple way to review the system's security status.

All of this makes it worth exploring the current malware situation on Mac OS and which tools are available for reviewing system security.

A look at malware for Mac OS

Malware for Mac OS has grown significantly since 2014: specific families (ransomware among them) have appeared, and exploits for cross-platform products such as Java and Adobe Flash have been adapted to compromise Apple computers. Until about 2010 the incidence of Mac OS malware could only be judged from anecdotal reports, but looking back over the last five years it is easy to identify several significant cases.

In 2011 the OSX.Flashback trojan began circulating; by 2012 it had infected over 500,000 Apple computers and built them into a botnet. It reached the system by exploiting a Java vulnerability through the browser when the victim visited a malicious website. Once on the machine, Flashback checked the environment for compatibility and for the presence of antivirus or analysis tools; if it found an unfavourable environment it deleted itself to avoid detection. Its main purpose was intercepting traffic and stealing information, according to the configuration it received from a command and control server.

Crisis, from 2012, shows that Apple was starting to be seen as a serious target: it was developed professionally by Hacking Team, a company that mainly sells to governments and was itself hacked in 2015. The product was a sophisticated rootkit that hid itself in the system and allowed spying on and remote control of the infected machine.

In 2014 WireLurker appeared. Its most notable feature was the use of USB connections to infect other devices, including iOS devices without jailbreak. It included a backdoor component that periodically opened a reverse connection to a predetermined command and control IP address. 2014 marked a turning point for Mac OS malware, both in numbers and in sophistication.

Among more recent examples is the high-impact XcodeGhost case (2015): a trojan hidden in a modified version of Xcode, Apple's well-known development environment. Xcode is provided free by Apple, but in places such as China its download is slow and awkward, which helped the malicious alternative spread quickly. The tampered Xcode silently injected malicious code into every app built with it, without the programmer's knowledge; the injected code collected device information and could phish for credentials. The trojanised apps were then distributed when the unwitting developers published them in the App Store.

In 2016 Mac versions of the increasingly common ransomware families appeared, KeRanger being the best known. In March 2016 a trojanised build of Transmission (a BitTorrent client) was uploaded to the project's official download site, giving the ransomware wide distribution. KeRanger was signed with a valid Apple-issued developer certificate, so Gatekeeper let it run (Apple later revoked the certificate). It encrypts all files under /Users and files with a set of targeted extensions (documents, images, video, audio, etc.) under /Volumes, then demands payment for their recovery.


- BitTorrent Transmission for Mac OS -

Finally, another interesting case is Eleanor, a backdoor discovered by Bitdefender in July 2016 inside what posed as a file-converter app (EasyDoc Converter). It provides remote control of the infected system through a hidden service on the Tor network, along with other sophisticated functions, and its design shows how Mac OS malware continues to evolve.



- Eleanor. Control panel on the Tor hidden service - SOURCE: Bitdefender -


Mac OS has clearly begun to attract growing interest from malware authors, with a sharp rise in cases since 2014, as confirmed by studies such as the McAfee Labs Threats Report (2016). The graphic below illustrates the trend:

- Malware for Mac OS. Trends in recent years -


In light of these data, preconceived ideas need to change: protecting Mac OS has become a necessity. For the average user, a recognised antivirus product is the most convenient way to do so; more advanced users have a number of valuable tools worth knowing, briefly described below.

Tools and System Analysis

The intrinsic security measures of Mac OS, described in the articles OS X security model (I) and OS X security model (II), form the base of the system's security, but as noted they act transparently and offer the user little interaction. For a manual check of the security status of a Mac, we recommend the following tools, which give a more direct view of what is happening in the system. Several of them (KnockKnock, BlockBlock, Task Explorer, RansomWhere? and KextViewr) are free tools from Objective-See.


KnockKnock

KnockKnock scans the system for persistently installed software: items that will run automatically and that the user may not recognise. It enumerates kernel extensions, launch agents and daemons, login items, dynamic libraries and other persistence mechanisms, and can check each item against VirusTotal.

- Analysis results of KnockKnock -



BlockBlock

With functionality similar to the previous tool, BlockBlock runs continuously and monitors for the appearance of new persistent software, such as launch daemons or agents. When it detects one it notifies the user, who can decide whether to block it or allow it to run.

- BlockBlock. Blocking a suspicious process -
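As an added example (not part of the original article, nor Objective-See's code), the following Python script performs a minimal KnockKnock-style scan of the launchd persistence items that KnockKnock enumerates and BlockBlock watches for: it parses launchd property lists from the standard directories, extracts the program each one starts, and flags auto-starting items whose binary (or the script handed to a system interpreter) lives outside the usual system and application paths. The directory list, the trusted-prefix heuristic and the sample plists are this example's own assumptions, constructed inline so it runs offline; they are not how KnockKnock itself decides.

```python
import os
import plistlib

# Where launchd reads persistence items. The system locations are protected by SIP;
# the per-user one is writable by the user and so is the usual malware drop point.
LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Binaries under these prefixes are normally the OS or a properly installed application.
# Both tuples are this example's assumption, not KnockKnock's logic.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
INTERPRETERS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/python", "/usr/bin/perl", "/usr/bin/osascript")

def parse_launchd_plist(data: bytes) -> dict:
    """Pull out the fields that decide what a launchd item runs and when."""
    p = plistlib.loads(data)
    args = list(p.get("ProgramArguments") or [])
    program = p.get("Program") or (args[0] if args else "")
    return {
        "label": p.get("Label", ""),
        "program": program,
        "args": args,
        "run_at_load": bool(p.get("RunAtLoad", False)),
        "keep_alive": bool(p.get("KeepAlive", False)),
        "disabled": bool(p.get("Disabled", False)),
    }

def is_suspicious(item: dict) -> bool:
    """Auto-starting item whose executable, or the script it hands to a system
    interpreter, lives outside the trusted prefixes (e.g. a hidden folder in ~/Library)."""
    if item["disabled"] or not (item["run_at_load"] or item["keep_alive"]):
        return False
    prog = item["program"]
    if not prog.startswith(TRUSTED_PREFIXES):
        return True
    if prog.startswith(INTERPRETERS):
        script_args = [a for a in item["args"][1:] if a.startswith("/")]
        return any(not a.startswith(TRUSTED_PREFIXES) for a in script_args)
    return False

def scan_dirs(dirs=LAUNCHD_DIRS):
    """Walk the real launchd directories (macOS) and return (path, item) for suspicious ones."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as f:
                    item = parse_launchd_plist(f.read())
            except Exception:          # unreadable or malformed plist: skip it
                continue
            if is_suspicious(item):
                findings.append((path, item))
    return findings

def _plist(label, args, keep_alive=False):
    """Build a constructed launchd plist (sample data for the demo, not real malware)."""
    return plistlib.dumps({"Label": label, "ProgramArguments": args,
                           "RunAtLoad": True, "KeepAlive": keep_alive})

SAMPLE_PLISTS = {
    "com.example.legit.plist": _plist("com.example.legit",
                                      ["/Applications/Legit.app/Contents/MacOS/helper"]),
    "com.example.updater.plist": _plist("com.example.updater",
                                        ["/Users/alice/Library/.updater/updater", "-d"], keep_alive=True),
    "com.example.shell.plist": _plist("com.example.shell",
                                      ["/bin/sh", "/Users/alice/.cache/sync.sh"]),
}

def scan_samples():
    """Run the heuristic over the constructed samples; returns the flagged labels."""
    flagged = [parse_launchd_plist(d)["label"] for d in SAMPLE_PLISTS.values()
               if is_suspicious(parse_launchd_plist(d))]
    return sorted(flagged)

if __name__ == "__main__":
    print("flagged samples:", scan_samples())
    for path, item in scan_dirs():
        print(path, "->", item["program"])
```

On a real Mac, scan_dirs() walks the live directories; on any other system it simply returns an empty list. The path heuristic is deliberately crude: a signed binary in /Applications can still be malicious (KeRanger was), which is why KnockKnock pairs enumeration with signature checks and VirusTotal lookups.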


Task Explorer

As an alternative to Mac OS's Activity Monitor, Task Explorer provides a deeper view of running processes and their relationship with system resources (loaded libraries, open files, network connections). It lets us track more directly and intuitively the environment in which a process executes, shows whether the binary is signed, and queries VirusTotal to check for a potentially malicious origin.

- Task Explorer scan results -



RansomWhere?

This application monitors the creation of encrypted files by untrusted processes, suspends the responsible process and alerts the user so that it can be stopped as soon as possible. It is very useful as a reactive measure against a ransomware infection: it limits the damage rather than preventing the initial execution.

- Alert notification by RansomWhere? -
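As an added example (not the original article's nor RansomWhere?'s code), this Python snippet shows the kind of heuristic such a monitor applies: a newly written file is treated as encrypted when its Shannon entropy is high and it carries no known file-type header, and an alert is raised when one process produces a burst of such files within a short window. The thresholds, the burst rule and the file events are this example's assumptions, constructed inline so it runs offline; a real monitor would receive the events from the filesystem and suspend the offending process.

```python
import math
import random
from collections import Counter, defaultdict

# Thresholds are this example's assumptions. English text scores roughly 4-5 bits
# per byte, compressed or encrypted data close to 8.
ENTROPY_THRESHOLD = 7.0
BURST_COUNT = 5        # encrypted-looking files from one process ...
BURST_WINDOW = 10.0    # ... within this many seconds triggers an alert

# Headers of common formats that are legitimately high-entropy (images, archives,
# PDFs, gzip), excluded to reduce false positives.
KNOWN_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"PK\x03\x04", b"%PDF", b"\x1f\x8b", b"GIF8")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes) -> bool:
    """High entropy and no recognised container header."""
    if data.startswith(KNOWN_MAGIC):
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD

class RansomwareMonitor:
    """Tracks encrypted-looking writes per process and reports a burst."""
    def __init__(self):
        self.recent = defaultdict(list)   # pid -> timestamps of suspicious writes

    def on_file_written(self, ts: float, pid: int, path: str, data: bytes):
        """Return the pid when it has just crossed the burst threshold, else None.
        A real monitor would SIGSTOP that pid here and ask the user what to do."""
        if not looks_encrypted(data):
            return None
        window = [t for t in self.recent[pid] if ts - t <= BURST_WINDOW] + [ts]
        if len(window) >= BURST_COUNT:
            self.recent[pid] = []        # reset so each burst alerts once
            return pid
        self.recent[pid] = window
        return None

def run_demo():
    """Constructed file events (not real captures): one text file, one PNG, then a
    process writing six encrypted-looking files in under three seconds."""
    rng = random.Random(1)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    text = b"Quarterly report: revenue grew 4% year on year. " * 80
    events = [
        (0.0, 77, "/Users/alice/Documents/report.txt", text),
        (0.5, 88, "/Users/alice/Pictures/photo.png", b"\x89PNG" + rand(4096)),
    ]
    events += [(1.0 + 0.4 * i, 4242, "/Users/alice/Documents/doc%d.encrypted" % i, rand(4096))
               for i in range(6)]
    mon = RansomwareMonitor()
    alerts = []
    for ts, pid, path, data in sorted(events, key=lambda e: e[0]):
        hit = mon.on_file_written(ts, pid, path, data)
        if hit is not None:
            alerts.append(hit)
    return alerts

if __name__ == "__main__":
    print("processes to suspend:", run_demo())
```

The entropy test alone is not enough: archives, media and already-encrypted containers all score near 8 bits per byte, which is why the header whitelist and the per-process burst rule are needed, and why a tool of this kind still asks the user before killing anything.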



KextViewr

This tool focuses on the operating system itself and lists the loaded kernel extensions. It presents the related files in a direct and intuitive way, checks each extension's digital signature and offers a built-in VirusTotal check. Since kernel extensions run with the highest privileges, an unsigned or unknown kext deserves close attention.

- KextViewr. Current kernel extension list -



osquery

osquery is an open source tool developed by Facebook with support for multiple platforms (Mac OS, Linux and Windows) that exposes the state of the system as SQL tables. It has great potential for incident analysis: its tables cover processes, network connections, listening ports, kernel modules, users, launch items and much more, allowing a complete review of the system in search of intrusions or security problems.

It can be run in interactive mode (osqueryi) without any background service, providing a simple and lightweight interface:

- osquery help menu -

As an example, a very useful check is to list which processes have open listening ports:


- Osquery. Retrieving listening ports -

As we can see, osquery does not require knowing operating-system-specific commands; the same SQL provides powerful analysis across a wide range of purposes with great simplicity. It is a tool well worth considering, and it simplifies many security tasks and checks.
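As an added example (not the original article's nor osquery's code), the query below is the listening-ports check written as osquery SQL. To run it offline, the two osquery tables involved, processes and listening_ports, are recreated in Python's sqlite3 module with a subset of their real columns and filled with constructed rows; the SQL itself can be pasted unchanged into osqueryi on a real Mac. The second query adds the triage step a practitioner usually wants next: listeners whose executable sits outside the normal system and application directories. The sample rows and the "trusted directory" list are this example's assumptions.

```python
import sqlite3

# A subset of osquery's schema for the two tables used by the check.
SCHEMA = """
CREATE TABLE processes (
    pid INTEGER, name TEXT, path TEXT, cmdline TEXT, uid INTEGER, parent INTEGER);
CREATE TABLE listening_ports (
    pid INTEGER, port INTEGER, protocol INTEGER, family INTEGER, address TEXT, path TEXT);
"""

# Constructed sample rows, not a capture from a real system.
# protocol: 6 = TCP, 17 = UDP. family: 2 = IPv4, 1 = unix-domain socket.
SAMPLE_PROCESSES = [
    (1, "launchd", "/sbin/launchd", "/sbin/launchd", 0, 0),
    (310, "mDNSResponder", "/usr/sbin/mDNSResponder", "/usr/sbin/mDNSResponder", 65, 1),
    (4120, "Transmission", "/Applications/Transmission.app/Contents/MacOS/Transmission",
     "/Applications/Transmission.app/Contents/MacOS/Transmission", 501, 1),
    (5213, "updater", "/Users/alice/Library/.updater/updater",
     "/Users/alice/Library/.updater/updater -l 4444", 501, 4120),
]
SAMPLE_PORTS = [
    (1, 0, 0, 1, "", "/var/run/launchd.sock"),   # unix socket: port 0, not a network listener
    (310, 5353, 17, 2, "0.0.0.0", ""),           # Bonjour/mDNS
    (4120, 51413, 6, 2, "0.0.0.0", ""),          # BitTorrent peer port, TCP
    (4120, 51413, 17, 2, "0.0.0.0", ""),         # same port, UDP
    (5213, 4444, 6, 2, "0.0.0.0", ""),           # unexpected listener from a hidden user binary
]

# Exactly what one would type at the osqueryi prompt. Unix-domain sockets show up
# with port 0, so they are filtered out.
LISTENING_SQL = """
SELECT p.pid, p.name, p.path, l.port,
       CASE l.protocol WHEN 6 THEN 'tcp' WHEN 17 THEN 'udp' ELSE l.protocol END AS proto,
       l.address
FROM listening_ports AS l
JOIN processes AS p USING (pid)
WHERE l.port != 0
ORDER BY l.port, proto;
"""

# Triage: listeners whose executable is not where the OS or installed apps live.
UNEXPECTED_SQL = """
SELECT p.pid, p.name, p.path, l.port
FROM listening_ports AS l
JOIN processes AS p USING (pid)
WHERE l.port != 0
  AND p.path NOT LIKE '/System/%'
  AND p.path NOT LIKE '/usr/%'
  AND p.path NOT LIKE '/sbin/%'
  AND p.path NOT LIKE '/Applications/%';
"""

def build_db() -> sqlite3.Connection:
    """In-memory stand-in for osquery's tables, loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO processes VALUES (?,?,?,?,?,?)", SAMPLE_PROCESSES)
    conn.executemany("INSERT INTO listening_ports VALUES (?,?,?,?,?,?)", SAMPLE_PORTS)
    return conn

def listening_processes(conn):
    """Every network listener with its owning process."""
    return conn.execute(LISTENING_SQL).fetchall()

def unexpected_listeners(conn):
    """Listeners whose binary lives outside the trusted directories."""
    return conn.execute(UNEXPECTED_SQL).fetchall()

if __name__ == "__main__":
    db = build_db()
    for row in listening_processes(db):
        print(row)
    print("unexpected:", unexpected_listeners(db))
```

On a real system the parent column of processes is the next pivot: a listener whose parent is an application such as a BitTorrent client, as in the constructed 5213 row, is exactly the pattern the KeRanger case above describes.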

Chkrootkit and rkhunter

Chkrootkit and rkhunter are open source tools for detecting possible rootkit infections by looking for the typical symptoms of known ones: particular files, hidden processes and unexpected open network ports. They are widely used on *NIX systems and both run on Mac OS. Although useful for discovering hidden elements or operations, bear in mind that neither had been updated since 2014 at the time of writing, so their signatures do not cover recent Mac OS threats. Even so, it can be worth reviewing their results, as they can point to suspicious elements.


The incidence of malware on Mac OS continues its upward trend; while still well below the figures recorded for platforms such as Windows, it is growing in both complexity and numbers. Particularly worrying is the appearance of ransomware variants, a kind of malware set to become a major problem that must be confronted in the fight against cybercrime. Fortunately, Mac OS malware, although more advanced than in previous years, is generally still simpler to detect and remove than its counterparts on other systems, and the tools presented here can be of great help with that task.