
MacRumors

macrumors bot
Original poster


macOS stealers are becoming an increasingly common type of malware on the Mac, according to the 2025 State of Malware report that Malwarebytes shared this week.


Most Mac malware has historically been VSearch adware or the Genieo browser hijacker, but more malicious malware is on the rise, and 2024 saw a new wave of information stealing malware hit the Mac.

Stealers are designed to locate credit card information, authentication cookies, cryptocurrency, passwords, and other valuable data that criminals can use to make money.

Malicious apps that steal information are typically installed when a Mac user searches for a legitimate software product and then uses a malicious Google or Bing search ad to download an infested replica version of the software they sought. Attackers are able to deliver targeted ads for malicious software based on location, operating system, software, and search terms.

Atomic Stealer (AMOS), an information stealer that surfaced in 2023, is used regularly, and a version of AMOS referred to as Poseidon has become increasingly popular with criminals. Poseidon is advertised as being able to steal cryptocurrency from more than 160 wallets as well as passwords from web browsers and select password managers. Poseidon downloads have masqueraded as legitimate Mac apps like the Arc Browser, tricking unsuspecting Mac users into installing the malware.

Malwarebytes warns that macOS stealers like Poseidon allow criminals to access sensitive resources, steal credentials, and create convincing social engineering attacks.

To avoid this kind of attack, it is important to verify where software is being downloaded from, ensuring that it comes from a legitimate developer and not an imitation website.

Article Link: 'Stealers' Are an Increasingly Common Mac Malware
 
This is why non-nerds should replace their devices when they cease receiving OS version or security updates.

If you're on a Mac that cannot run 2022 macOS 13 Ventura or newer then replace it with any Mac with Apple Silicon.

In 2025 Intel Macs are only suitable for export to poor countries where data security is as valuable as their bank accounts.
 
Malicious apps that steal information are typically installed when a Mac user searches for a legitimate software product and then uses a malicious Google or Bing search ad to download an infested replica version of the software they sought. Attackers are able to deliver targeted ads for malicious software based on location, operating system, software, and search terms.
So... just more reasons to use an adblocker. Especially if ad providers aren't going to be responsible about what they show, which has been a problem for far longer.
 
Malicious apps that steal information are typically installed when a Mac user searches for a legitimate software product and then uses a malicious Google or Bing search ad to download an infested replica version of the software they sought.

When I'm searching Google for a company to do a direct download of the software, I never click on the advertised version of the result, since I see no reason to supply Google additional advertising revenue. Instead, I go to the direct link.

But I wasn't aware that the advertised results, which are typically posted above the top hit, could be spoofs. Here's a typical Google result, where the sponsored result is above the actual search result. Is MR seriously saying that, if I were to click on the "Sponsored" link to Adobe, I risk being taken to a malicious website instead of the real one? I have a hard time believing that Google would be so incompetent as to let that happen at the very top of their most important product.

Or are they referring to Google-generated graphics-based advertisements that appear on various websites? I've certainly seen those, but never when I'm viewing a Google search result.

 
The report is not really relevant unless it is solely based on Macs running Sequoia.
 
This is why non-nerds should replace their devices when they cease receiving OS version or security updates.

If you're on a Mac that cannot run 2022 macOS 13 Ventura or newer then replace it with any Mac with Apple Silicon.

In 2025 Intel Macs are only suitable for export to poor countries where data security is as valuable as their bank accounts.
Don’t disagree with the first point - non-nerds should definitely replace devices when they cease receiving security updates.

But in 2025, many Intel Macs are still as secure as ever - they still receive OS version and security updates, etc.
 
Kinda confused. Don't non-expert people download from the Apple App Store? And if you download from other sources then you are usually an expert and know about this stuff. So there shouldn't be an issue. Or do non-expert people think they are experts and know all about malware and then download from some random site that they think they fully understand and that they can handle and fix malware. Really confused...
 
So... just more reasons to use an adblocker. Especially if ad providers aren't going to be responsible about what they show, which has been a problem for far longer.
And always, always, go find the original, official, source for the software and download from there. Not from some ad on the side of the browser window.
 
When I'm searching Google for a company to do a direct download of the software, I never click on the advertised version of the result, since I see no reason to supply Google additional advertising revenue. Instead, I go to the direct link.

But I wasn't aware that the advertised results, which are typically posted above the top hit, could be spoofs. Here's a typical Google result, where the sponsored result is above the actual search result. Is MR seriously saying that, if I were to click on the "Sponsored" link to Adobe, I risk being taken to a malicious website instead of the real one? I have a hard time believing that Google would be so incompetent as to let that happen at the very top of their most important product.

Or are they referring to the graphics-based advertisements that sometimes appear to the right of the search results? I don't recall those claiming to be links to the company I'm searching for; instead those have peripheral or unrelated content.


Yes. Google really is that incompetent and they don’t care. Eventually they may catch the malicious ad and block it. They do block a lot of them. But you don’t want to be the one they missed. That’s why ad blockers are necessary security software now. Also, in the DuckDuckGo settings you can actually turn off ads. I guess they give you the option since they know a lot of people run ad blockers anyway.
 
Don’t disagree with the first point - non-nerds should definitely replace devices when they cease receiving security updates.

But in 2025, many Intel Macs are still as secure as ever - they still receive OS version and security updates, etc.
Replacement cycles per platform

- Mac: 4 years
- PC: 5-6 years

Last Intel Macs were released in 2020. This makes Intel Macs unsuitable for purchase by non-nerds in 2025.

You cannot buy brand new Macs with M1 chips from them anymore.

OS Support

- macOS: >9 years
- Windows: 122 months

If anyone's budget does not permit them to buy any Macs with Apple Silicon then that person's data privacy isn't worth all that much.

Mind you, I still use an Intel iMac and Intel MBP that I intend to replace when a larger-screen iMac and an MBP with a silicon-carbon battery are released.
 