With more than 4 months to go before the year ends, this year has already seen more Mac specific malware than any other. Is this finally the end of Mac OS’s reputation as relatively virus-free?
Obviously, Macs have never been totally virus-free. Compared to Windows malware however, the amount of Mac targeted malware has always been minimal. This has largely been due to the substantially smaller market share of Mac OS X. With far fewer users to target compared to Windows, malware creators didn’t have enough incentive to develop as many viruses for Apple’s personal computing platform.
Interestingly, this year has been quite different in regards to Mac malware activity. According to Malwarebytes, not only was there a 230% year-on-year increase in Mac malware last July, the first half of 2017 has already seen more Mac malware than all of 2016 or indeed, any other year. While we’re accustomed to seeing more malware year after year, Mac focused malware is a bit different.
Could the significant uptick in Mac malware due to a corresponding increase in user base? Not really. In fact, OS X market share hasn’t changed significantly since last year.
Malware in the App Store
What makes this surge even more alarming is that a significant amount of malware has managed to invade even the App Store. Apple is known to be very thorough in screening the applications that make it to the Mac App Store.
They review each app for objectionable content, acceptability, app completeness, hardware compatibility, intellectual property, spam, ability to inflict harm, and a host of other criteria. Apple has even been quick to pull apps from the store if they’re later found to be problematic.
Apple touts the App Store as the safest place to download apps and many users believe that to be wholly accurate. This false sense of security leaves them more vulnerable to attacks as they are perhaps not as vigilant or discerning as they might be on another platform.
Proton RAT leads off 2017 surge
One of the biggest threats to emerge this year was a RAT (Remote Access Trojan) known as OSX.Proton.B or simply Proton. Being a RAT, Proton takes the form of a legitimate application accompanied by a back door that provides administrative control to a victim’s system.
During one campaign, Proton handlers were able to modify Handbrake, an app built to convert video files. Proton’s handlers infiltrated one of Handbrake’s download mirrors, enabling them to replace the app’s DMG file with a modified version infected with Proton code.
Once the compromised application is installed onto a victim’s device, the Proton RAT kicks in. Proton can carry out several malicious acts, including: recording keystrokes, stealing passwords, controlling the webcam, allowing remote access, and gaining access to the user’s iCloud account.
Proton can be installed surreptitiously because the malware uses genuine Apple code-signing signatures. This allows it to bypass Apple’s Gatekeeper, an OS X feature that blocks apps if they aren’t digitally signed using a valid Apple Developer ID.
Proton’s existence was uncovered when researchers from cyber security firm Sixgill chanced upon a post on a notorious Russian cybercrime message board. The post introduced Proton as the “Newest and only macOS RAT in the market.” Originally priced at approximately 100 BTC (bitcoin), which was equivalent to about $100,000 at the time, Proton was out of reach for most.
Another piece of Mac malware that emerged this year is Findzip. Ransomware has been gaining a lot of notoriety lately, so people in the Mac community were rightly alarmed upon learning that one of the the biggest malware threats in the world today is now right on their doorstep.
Findzip is usually disguised as a crack for either Adobe Premier Pro or Microsoft Office. Being a crack, it doesn’t go through the normal Mac application installation process. People who use cracks typically employ workarounds to bypass Apple’s security measures meant to prevent the installation of malicious programs. Of course, the use of these workarounds plays right into the hands of Findzip’s operators.
Unlike Proton, Findzip isn’t digitally signed using an Apple-issued certificate. As such, it will be considered as coming from an unidentified developer, marked with a ‘quarantine’ flag, and ultimately denied installation. Well and good, but that doesn’t stop Findzip from getting through.
Normally, apps that aren’t downloaded from the App Store, are downloaded through a Web browser. Some popular web browsers are designed to identify the quarantine flag as well as invalid signatures- so if a user attempts to open such a DMG file, the system will prevent the file from being opened.
Alas, people who want to install cracked applications and other pirated software don’t go down that route. Instead, they download files through alternative means, usually torrents. Torrent clients don’t set the quarantine flag when they download a file. Thus, when the user opens the DMG file, the system won’t be able to do anything about it.
It’s comforting to note however that 1) Findzip will not be able to affect users who download apps through legitimate means and 2) it’s now easy to find tools or methods for decrypting files encrypted by Findzip. In fact, if you google for ‘findzip ransomware’, the first search results actually point to removal/remediation solutions, and not just information about the malware itself.
Flashback to Flashback?
The last time there was a surge of Mac malware activity of this magnitude was in 2011-1012, when the Flashback Trojan struck. Flashback was said to have infected about 600,000 Macs then. That number amounted to more than 1% of the total number of Macs at that time.
Taken individually, none of the Mac malware detected this year appear to have infected as many devices as Flashback. The Flashback outbreak remains the largest Mac-based malware outbreak in history, but 2017 shows a disturbing trend that all Mac users should pay close attention to.