Malwarebytes: Macs Outpaced PCs in Number of Malware Threats Detected Per Endpoint in 2019, But Most Are Adware

Narg

macrumors member
Jan 23, 2008
93
42
Viruses and unwanted programs today do not attack the computer. They attack the user. So adware is how these programs get into your computer. An increase, especially a sharp increase, of adware attacks shows that the malicious folks are preying on Mac users. Too many here are discrediting this due to "oh it's just adware" when that is the REAL problem today.

Mac users need to get off their high horse and realize they are vulnerable. Very vulnerable.
 

maflynn

Moderator
Staff member
May 3, 2009
65,650
31,867
Boston
I can't say that I'm surprised, simply due to the fact that so many Mac owners that I know have an attitude that Macs can't get these sorts of things and so antivirus is totally unnecessary.

Having a head-in-the-sand attitude could lead to issues; that is, if people are not vigilant, then getting malware is a very real possibility.
 

star-affinity

macrumors 65816
Nov 14, 2007
1,090
424
Just cleaned out a system that had malicious profiles installed the other day. There is a pane in System Preferences called “Profiles” that contains a bunch of, well, profiles. It's normally not visible, and I'm honestly not sure whether it's a legitimate pane or something installed by malware. In any case, it somehow allows the OS to control certain aspects of various applications; in this case, it set the default search engine for Google Chrome to some adware site. Attempts to change that setting in Chrome failed, with Chrome stating that the search engine setting was enforced by the network administrator. Anyway, after deleting all of the “profiles” in the Profiles pane, the search engine enforced setting was released, and I was able to reset it to the default of Google (so much for eliminating adware…). Interestingly, once the profiles were all removed, the Profiles pane disappeared from System Preferences.

The insidious part is that there was also apparently a startup .plist that installed a new copy of the profile; I'm guessing that is the reason why I saw the same profile installed 8 or 9 times (once for every reboot since the malware had been activated). I only discovered that because I decided to install and run Malwarebytes, which I have to say did its job in this case, and for free at that (they charge for continuous monitoring or something, but the free version is perfectly adequate for detecting and removing malware). Malwarebytes was able to detect and remove the malicious .plist, and I'm reasonably confident that it was purged from the system entirely.

Not trying to sound like a shill for Malwarebytes here, but I was actually pretty impressed. I wouldn't pay for it myself, but I can see paying for a subscription for someone who is less computer-savvy, if only so you don't have to spend time cleaning crap like that out on the regular.
The “Profiles” preference pane is legit for sure and can be used by organizations to set up configuration profiles on the computers. It is true that the pane isn't visible when no profile is present, so nothing fishy about that part at least.

I also had to remove a dodgy profile from there on a person's computer, so I recognize what you describe.
While it is possible to clean out the other malware stuff usually residing in ~/Library/Application Support and other locations, the Malwarebytes software makes that process quick and easy. That is, if it manages to detect all the bad stuff, but I guess they're trying to keep up with the malware creators.
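The two artifacts described in this exchange (a configuration profile that forces Chrome's search engine, and a login job that keeps re-installing it) can be triaged from the files themselves. The script below is an added example, not code from the thread or from Malwarebytes: it parses the `.mobileconfig` payload format to show which browser settings a profile enforces, and triages LaunchAgent plists for login jobs that re-install profiles, run from hidden directories, or fetch content at login. The sample plists, the label `com.example.searchhelper`, the hidden path `/Users/Shared/.helper/` and the host `search.example.invalid` are constructed placeholders, not indicators from the thread.

```python
import plistlib
import re
from pathlib import Path

# --- constructed sample inputs (shaped like real macOS files, not taken from the thread) ---

# A LaunchAgent that re-installs a configuration profile at every login: the kind of
# persistence described above (the same profile reappearing after each reboot).
SUSPECT_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.searchhelper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>/usr/bin/profiles install -path /Users/Shared/.helper/search.mobileconfig</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# An ordinary agent that a legitimately installed app might register.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.syncclient</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/SyncClient.app/Contents/MacOS/syncd</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# A configuration profile carrying a managed Chrome preference that forces the
# default search engine (placeholder host) -- the reason Chrome reports the setting
# as enforced by an administrator.
SEARCH_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Chrome Settings</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.google.Chrome</string>
      <key>DefaultSearchProviderEnabled</key><true/>
      <key>DefaultSearchProviderSearchURL</key>
      <string>http://search.example.invalid/?q={searchTerms}</string>
      <key>HomepageLocation</key><string>http://search.example.invalid/</string>
    </dict>
  </array>
</dict></plist>"""

# Command-line traits that deserve a second look in a job that runs at login.
SUSPICIOUS = {
    "installs a configuration profile": re.compile(r"\bprofiles\b.*\binstall\b"),
    "runs from a hidden directory": re.compile(r"/\.[^/\s]+/"),
    "downloads or scripts at login": re.compile(r"\b(curl|osascript)\b"),
}


def triage_agent(plist_bytes: bytes) -> dict:
    """Return the label, command line and suspicious traits of one launchd job."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    cmdline = " ".join(args)
    reasons = [why for why, pat in SUSPICIOUS.items() if pat.search(cmdline)]
    if reasons and job.get("RunAtLoad"):
        reasons.append("re-runs at every login (RunAtLoad)")
    return {"label": job.get("Label"), "command": cmdline, "reasons": reasons}


def scan_launch_agents(directory) -> list:
    """Triage every *.plist in a LaunchAgents folder; a malformed plist is reported too."""
    findings = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            result = triage_agent(path.read_bytes())
        except Exception as exc:
            result = {"label": None, "command": "", "reasons": [f"unparseable plist: {exc}"]}
        result["path"] = str(path)
        findings.append(result)
    return findings


# Payload types that carry browser policy; a profile of these types explains
# "managed by your administrator" messages in the browser.
BROWSER_POLICY_PAYLOADS = {"com.google.Chrome", "com.apple.Safari", "org.mozilla.firefox"}


def managed_browser_settings(mobileconfig_bytes: bytes) -> dict:
    """Map payload type -> the browser settings the profile enforces (Payload* keys dropped)."""
    profile = plistlib.loads(mobileconfig_bytes)
    enforced = {}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype in BROWSER_POLICY_PAYLOADS:
            enforced[ptype] = {k: v for k, v in payload.items() if not k.startswith("Payload")}
    return enforced


if __name__ == "__main__":
    # On a Mac, point this at the current user's LaunchAgents folder (assumed default path).
    for finding in scan_launch_agents(Path.home() / "Library" / "LaunchAgents"):
        if finding["reasons"]:
            print(finding["path"], "->", "; ".join(finding["reasons"]))
    print(managed_browser_settings(SEARCH_PROFILE))
```

On macOS, `profiles list` and `profiles show -type configuration` enumerate the installed profiles; the function above reads the `.mobileconfig` file format rather than that tool's output, so it also works on a profile file recovered from a payload directory. Removing a LaunchAgent without removing the job it points to (or vice versa) is exactly how the profile came back after every reboot in the post above, so both findings should be handled together.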
 

farewelwilliams

macrumors 68020
Jun 18, 2014
2,450
10,603
I'm not saying your statement isn't valid, but at the same time it'd be a poor decision to disregard the data and not do some sort of malware scan on your Mac.
I've only installed software from the App Store and only big-name software (like Adobe, Foundry, etc.) outside the App Store. Never really done malware scans on my current MBP.

I'm sure there were some malware apps that snuck into the App Store once or twice, but usually Apple has been quick to respond to those threats. Not worth installing real-time anti-malware scanning apps on my machine.
 

H3LL5P4WN

macrumors 68020
Jun 19, 2010
2,478
2,679
Pittsburgh PA
I've only installed software from the App Store and only big-name software (like Adobe, Foundry, etc.) outside the App Store. Never really done malware scans on my current MBP.

I'm sure there were some malware apps that snuck into the App Store once or twice, but usually Apple has been quick to respond to those threats. Not worth installing real-time anti-malware scanning apps on my machine.
So you're also saying you don't visit any websites? You could be on Mac Rumors (for example) and if their ad network happens to have been compromised... GG.
 

farewelwilliams

macrumors 68020
Jun 18, 2014
2,450
10,603
So you think this third-party software is going to protect you from something that is able to bypass an ad blocker, Safari security, app sandboxing, and Apple's Gatekeeper? That's called a zero-day vulnerability, and no $50 software is going to save you from that.

I'm done. See ya.
 

macduke

macrumors G4
Jun 27, 2007
10,666
14,267
Central U.S.
My grandpa's Mac was somehow hacked recently. He says he didn't do anything, but said he may have clicked on a popup that said there was a problem with his computer.
 

Unregistered 4U

macrumors 6502a
Jul 22, 2002
865
466
Are they talking about MacKeeper and the like? (i.e. 'apps' that are actually legit and you have to install them yourself, but they're spammy and intentionally difficult to delete?)
Yeah, they have to include those in the number to make it more impressive. The only “dangerous” one on their list is not even on the chart shown... it’s down at number 30. Come to think of it, the Malwarebytes utility doesn’t even apply to letting tech-challenged family members use your computer, because if you don’t give them admin rights, they can’t install anything anyway.

Actually, doesn’t macOS ship by default with certain permissions disabled (permissions that most of us may have enabled a long time ago)? I’m wondering if your average person is at any risk at all... I may have to check this.
it'd be a poor decision to disregard the data and not do some sort of malware scan on your Mac.
It’s not likely a poor decision for anyone in these forums as they’re more than likely the type to see an “INSTALL ADOBER FLASHINGS” pop up and dismiss it. And you have to remember, this is NOT a list of “folks that got pwned”, this is “folks that saw the pop up even if they dismissed it and it never caused any issues”.
Mac users need to get off their high horse and realize they are vulnerable. Very vulnerable.
All users are vulnerable by precisely the same vector. If you’re the type to download executables from random sites and run them because they promise “How to pick lottery numbers” or “Pictures of film star”, there’s NOTHING that can protect you. You could have your personal security guy sitting in a seat next to you telling you “Sir, I don’t think you should do that.” but it won’t help if you’re the type that’s gonna do it anyway.
and if their ad network happens to have been compromised... GG.
You get a lot of adware that annoys you, opening new tabs that you don’t want, maybe a few .dmg’s and .exe’s downloaded that you need to trash. Alert me when there’s an actual remote exploit that doesn’t require user intervention.

My grandpa's Mac was somehow hacked recently. He says he didn't do anything, but said he may have clicked on a popup that said there was a problem with his computer.
Whenever someone says they didn’t do anything, they absolutely did something (that they, unfortunately, consider as ‘nothing’) :)

“The grass on my iMac’s wallpaper looked a little dry, so I watered it. But I water all my plants all the time, so that’s nothing odd to report.”
 

NickName99

macrumors 6502a
Nov 8, 2018
544
1,648
My grandpa's Mac was somehow hacked recently. He says he didn't do anything, but said he may have clicked on a popup that said there was a problem with his computer.
He should use an ad blocker, if for nothing else to prevent malware.
 

CarlJ

macrumors 68040
Feb 23, 2004
3,628
5,687
San Diego, CA, USA
Just cleaned out a system that had malicious profiles installed the other day. There is a pane in System Preferences called “Profiles” that contains a bunch of, well, profiles. It's normally not visible, and I'm honestly not sure whether it's a legitimate pane or something installed by malware. In any case, it somehow allows the OS to control certain aspects of various applications; in this case, it set the default search engine for Google Chrome to some adware site. Attempts to change that setting in Chrome failed, with Chrome stating that the search engine setting was enforced by the network administrator. Anyway, after deleting all of the “profiles” in the Profiles pane, the search engine enforced setting was released, and I was able to reset it to the default of Google (so much for eliminating adware…). Interestingly, once the profiles were all removed, the Profiles pane disappeared from System Preferences.
Thanks, that's quite helpful. I may try Malwarebytes just out of curiosity (I don't expect it to find anything - actually I expect it'll get all excited about finding some cookies).

The profiles sound similar to Apple's MDM facility (mentioned here), which is intended to be used for enforcing corporate policy on company-owned machines (to prevent employees installing software, visiting inappropriate sites, etc.). Sounds like the malware is (mis)using that or something similar. It's the same facility that a number of software companies have been getting in trouble for using lately (for, e.g., enabling parental control software on customer machines rather than company-owned machines).
 

TheSapient

macrumors regular
May 26, 2017
121
119
Anecdotally, my work unit has ~40 computers, 5-8 being Macs at any given time. IT will shut off any computer when it detects malicious activity. The only instance of this happening in years was a Mac, just this last month. 10 years ago, we'd have a couple of problems per year, and almost always PCs. Mostly, I think security has gotten much better all around.
 

CarlJ

macrumors 68040
Feb 23, 2004
3,628
5,687
San Diego, CA, USA
Whenever someone says they didn’t do anything, they absolutely did something (that they, unfortunately consider as ‘nothing’) :)
In a different lifetime, the company I worked for installed our accounting software at a movie studio. It ran on a Unix system, and multiple users could connect via serial terminals, or using their PCs (communicating over serial port) and a terminal program I'd written. The studio was having terrible problems with my terminal program dropping characters on their PCs, and we grilled them on what else they may have installed on the PCs, and they insisted there was nothing out of the ordinary. So, we scheduled a trip and drove two hours to the studio. Yep, found that the PCs had special IBM networking cards installed in them, with software for accessing their corporate mainframe, and these cards were sucking up all the processor cycles and interrupt processing. And they acted surprised: "no, that's completely normal, everyone uses that". (I don't recall how the situation resolved; special serial cards with 16550 UARTs, which had a 16-byte hardware buffer, would have helped, but wouldn't be a guarantee that it'd work. They may have just bought Wyse terminals to sit next to the PCs.)
 

Freeangel1

macrumors member
Jan 13, 2020
50
34
All this time I have used macOS because of safe and secure web browsing. Now Windows 10 seems to be safer.
Not a good selling point going forward for the Mac, especially when it is losing OS market share and very pricey to buy their new laptops, especially the Mac Pro.
 

ScooterComputer

macrumors regular
Jul 28, 2011
159
107
The real weakness here is not the Mac, but the user.
Users are the real target, getting lured to install these malware apps on their computers.
Just avoid going into porn sites and weird sites, and you’ll be safe.
And therein is the real REAL problem. Believing this can only happen to those people.

I've seen these malware installers on all kinds of sites that "normal" people would not likely say are "weird". The most prevalent (currently) seem to be sites that offer PDF manuals or books. The bad guys have figured out that people often go searching for manuals and books online, and, apparently, people go searching for manuals and books online quite a lot! It is the new "pirating a movie", methinks. So… is it "weird" that you're downloading a Kubota tractor maintenance manual off a website with a .ru TLD? To me? Yeah. To you, Amazing Iceman? Probably. But to my 75 year old father? He searched, they had it, why not download it? Oh, and it is in a DMG… that if he double clicks on it, it opens and tells him he needs to install Adobe Acrobat to open the manual and helpfully offers to do that? That's "computer", so he does. You or I… no… we know better. But it isn't weird at all to him. And that's the level we're dealing with.

Guess what, dear Dad lost his Admin privileges on his $3000 27" iMac. He can't install anything now. But Apple is still making every default first log-on user with Admin privileges!

Have any of you tried to operate a Mac recently with only Standard User privileges?

(Here's a hint: go download Privileges by SAP; it is a nice app to have in the arsenal.
https://github.com/SAP/macOS-enterprise-privileges )
 

djgamble

macrumors 6502a
Oct 25, 2006
810
277
Actually, doesn’t macOS ship by default with certain permissions disabled (permissions that most of us may have enabled a long time ago)? I’m wondering if your average person is at any risk at all... I may have to check this.
Yeah, I think root's disabled by default, only signed code can be executed (regardless of who you are), and all apps need permission to access HD locations outside the sandbox.

IMO tricking somebody's the only way you're gonna get past that and even then, you'll have to get past Apple being like 'DO NOT DO THIS!!! THERE ARE BETTER WAYS... DOES THIS APP FROM AN UNIDENTIFIED DEV **REALLY** HAVE TO ACCESS YOUR SYSTEM FILES AND HAVE ADMIN/ROOT PERMISSIONS?'

The only issue I have is that all the security steps almost encourage people to leave their door unlocked. I mean, I know some older people who use their Macs for basic needs and don't use passwords because they can't remember them. Given there's no root user, and unsigned code and unidentified devs are blocked, I question how much damage you can do even with the admin password.
 
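The two posts above (ScooterComputer on running a Mac as a standard user rather than an administrator, and djgamble on signed-code enforcement) both come down to a few posture facts that are easy to check. The script below is an added example, not code from the thread or from the Privileges project: it parses the output of three real macOS commands (`spctl --status` for Gatekeeper, `csrutil status` for System Integrity Protection, and `dscl . -read /Groups/admin GroupMembership` for the admin group) and reports whether the daily-use account is an administrator. The sample outputs and the account names `alice` and `dad` are constructed; `live_report` runs the commands only on macOS and is assumed to be run from an interactive session.

```python
import re
import subprocess
import sys

# Constructed sample outputs in the format the real tools print (not captured from the thread).
SAMPLE_SPCTL = "assessments enabled\n"
SAMPLE_CSRUTIL = "System Integrity Protection status: enabled.\n"
SAMPLE_DSCL = "GroupMembership: root alice dad\n"


def gatekeeper_enabled(spctl_output: str) -> bool:
    """`spctl --status` prints 'assessments enabled' or 'assessments disabled'."""
    return "assessments enabled" in spctl_output


def sip_enabled(csrutil_output: str) -> bool:
    """`csrutil status` prints 'System Integrity Protection status: enabled.' (or disabled)."""
    m = re.search(r"System Integrity Protection status:\s*(\w+)", csrutil_output)
    return bool(m) and m.group(1).lower() == "enabled"


def admin_members(dscl_output: str) -> list:
    """`dscl . -read /Groups/admin GroupMembership` lists admin accounts on one line."""
    m = re.search(r"GroupMembership:\s*(.*)", dscl_output)
    return m.group(1).split() if m else []


def posture_report(user: str, spctl_output: str, csrutil_output: str, dscl_output: str) -> dict:
    """Combine the three checks into a list of findings for the given daily-use account."""
    admins = admin_members(dscl_output)
    issues = []
    if not gatekeeper_enabled(spctl_output):
        issues.append("Gatekeeper assessment is disabled")
    if not sip_enabled(csrutil_output):
        issues.append("System Integrity Protection is disabled")
    if user in admins:
        # The point made above: a standard account cannot install system-wide software,
        # so a family member's everyday login should not be in the admin group.
        issues.append(f"daily-use account '{user}' is an administrator")
    return {"admins": admins, "issues": issues}


def live_report(user: str) -> dict:
    """Run the real commands (macOS only) and evaluate them with posture_report."""
    if sys.platform != "darwin":
        raise RuntimeError("live_report needs macOS; use posture_report with captured output")

    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True).stdout

    return posture_report(
        user,
        run("spctl", "--status"),
        run("csrutil", "status"),
        run("dscl", ".", "-read", "/Groups/admin", "GroupMembership"),
    )


if __name__ == "__main__":
    # Evaluate the constructed sample for the account 'dad'.
    report = posture_report("dad", SAMPLE_SPCTL, SAMPLE_CSRUTIL, SAMPLE_DSCL)
    for issue in report["issues"] or ["no issues found"]:
        print(issue)
```

The admin-group check is the one that matters for the scenario above: with Gatekeeper and SIP left at their defaults, demoting the everyday login to a standard account (keeping a separate admin account, or a tool like the Privileges app linked above for temporary elevation) removes the ability to install system-wide software by clicking through a fake installer.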

ghostface147

macrumors 68030
May 28, 2008
2,886
2,294
Ah, the RISC days, when no one would program maliciously for that instruction set. Granted, it was a much smaller market back in those days.
 

macduke

macrumors G4
Jun 27, 2007
10,666
14,267
Central U.S.
He should use an ad blocker, if for nothing else to prevent malware.
Yeah, I cleaned stuff up, but I should install that for him. It's one of those things that I set up when I first get a computer and then I don't even think about it. Could have sworn I installed it for Safari, but maybe he installed Firefox; I can't remember. But it's also possible he could have gotten it from their Windows laptop, which he swaps external HDDs between that and the Mac. My grandma still uses a PC because she couldn't get used to the Mac, although she uses her iPad for like 90% of the stuff she does on a computer and had no trouble learning that. I give my grandpa my old Macs and he edits family videos and old photos and does research on our family tree and history in general.
 