At long last someone other than an anti-virus firm has taken a look at Mac malware and come up with the disturbing finding that 2015 has been by some distance the worst year on record for malicious software aimed at the platform. According to the data gathered by Bit9 + Carbon Black, in terms of volume this year has seen more new malware than every year since 2010 combined, with even more attacks predicted.

The reason this tide of Mac malware has grown so rapidly in 2015 is probably connected to the platform’s improved popularity in businesses and among high-value targets, especially company managers. But does it represent a meaningful threat to the average user?


How much Mac malware is out there?

After what looks like a fairly strenuous effort, the company turned up around 1,400 unique and apparently ‘real-world’ samples in a ten-week study period from a wide range of sources. This sounds like a lot but the equivalent figure for Windows PCs would have been in the hundreds of thousands, depending on how the word ‘unique’ is defined (many samples being variants on the same malware). What matters more is how well defended Mac users were against the threats, how often they might encounter them and how many were subsequently infected. On that score, nobody knows.

Documented malware

Lamadai, Kltm, Flashback, LaoShu, Appetite, and Coin Thief are referenced in the report. Of those the Flashback Trojan of 2012 was by some distance the most successful malware attack on Macs ever recorded, infecting up to a million users by exploiting a Java vulnerability. Some of the others are nation state attacks, probably written by Chinese cybercriminals to attack NGOs.


A key skill for any malware is what is called ‘persistence’, namely the technical tricks malware uses to stay on an infected system, and it seems malware authors have adopted a fairly pragmatic approach based around seven basic techniques. We quote direct from the report:

  1. LaunchAgents — An OS X technique for starting programs
  2. LaunchDaemons — An OS X technique to start programs on a per-user or system-wide basis, used interchangeably with LaunchAgents.
  3. Cron job — Cron is a time-based job scheduler in Unix-like computer operating systems. Cron jobs are used to run scripts/programs periodically at fixed times, dates or intervals.
  4. Login items — The method to cause programs to run when a user logs in to an OS X account.
  5. Browser plugins — Code that runs in the context of a Web browser. They are known for adding additional functionality to browsers.
  6. StartupItems — Programs to run upon system startup.
  7. Binary infection — When one executable modifies another so when the original executable is run control is passed to the malicious code prior to the original code being executed.

The conclusion is that despite OS X’s Unix heritage, the malware isn’t deploying sophisticated Linux-like tools to infect Macs. “This lack of OS X malware biodiversity currently makes finding persistent malware infections easier than on Windows systems as there are fewer places that need to be checked,” suggested the authors.
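The report's point that there are only a handful of places to check is what makes a persistence sweep practical. The script below is an added example written for this article, not tooling from Bit9 + Carbon Black or Apple: it parses every launchd job in the standard LaunchAgents and LaunchDaemons directories with Python's `plistlib`, extracts the program each job runs, and flags entries that warrant a closer look (a program under a temp or shared directory, a hidden path component, or a `com.apple.` label pointing at a non-Apple path). The suspicious-prefix list, the Apple-path list, the other persistence locations it lists (cron, StartupItems, browser plug-in folders) and the two embedded sample plists are all constructed assumptions of this example, not indicators from the report.

```python
#!/usr/bin/env python3
"""Triage launchd persistence entries (LaunchAgents / LaunchDaemons) on macOS.

Added example for this article; not the Bit9 + Carbon Black report's tooling.
The path lists and heuristics below are assumptions chosen for illustration.
"""
import os
import plistlib
from pathlib import Path

# Standard launchd job directories; "~" expands to the current user's home.
LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Other locations from the report's persistence list worth listing for review
# (cron, StartupItems, browser plug-ins). Paths are this example's assumptions.
OTHER_PERSISTENCE_PATHS = [
    "/etc/crontab",
    "/usr/lib/cron/tabs",
    "/Library/StartupItems",
    "/Library/Internet Plug-Ins",
    os.path.expanduser("~/Library/Internet Plug-Ins"),
]

# Directories a legitimate daemon rarely executes from (assumption).
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                 "/Users/Shared/")
# Where Apple's own jobs normally point (assumption used by the label heuristic).
APPLE_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/sbin/", "/bin/")


def program_path(job: dict) -> str:
    """Executable a launchd job runs: 'Program' wins, else argv[0] of ProgramArguments."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess(job: dict) -> list:
    """Return reasons a parsed launchd plist looks suspicious; empty list means none."""
    reasons = []
    prog = program_path(job)
    if not prog:
        return ["no Program or ProgramArguments key"]
    if not os.path.isabs(prog):
        reasons.append(f"relative program path: {prog}")
    if prog.startswith(TEMP_PREFIXES):
        reasons.append(f"program lives in a temp or shared directory: {prog}")
    if any(part.startswith(".") for part in Path(prog).parts):
        reasons.append(f"program path contains a hidden directory: {prog}")
    label = str(job.get("Label", ""))
    if label.startswith("com.apple.") and not prog.startswith(APPLE_PREFIXES):
        reasons.append(f"Apple-style label {label!r} but program outside Apple paths: {prog}")
    return reasons


def assess_bytes(data: bytes) -> list:
    """Parse plist bytes (XML or binary, auto-detected) and assess the job."""
    return assess(plistlib.loads(data))


def scan(dirs=LAUNCHD_DIRS) -> list:
    """Parse every .plist in the given directories; missing directories are skipped."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if not name.endswith(".plist") or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fp:
                    job = plistlib.load(fp)
                reasons = assess(job)
            except Exception as exc:  # a malformed plist is itself worth a look
                job, reasons = {}, [f"unparseable plist: {exc}"]
            findings.append({"path": path, "label": str(job.get("Label", "")),
                             "program": program_path(job),
                             "run_at_load": bool(job.get("RunAtLoad", False)),
                             "reasons": reasons})
    return findings


def existing_other_locations(paths=OTHER_PERSISTENCE_PATHS) -> list:
    """Return the non-launchd persistence locations that exist on this host."""
    return [p for p in paths if os.path.exists(p)]


# Constructed sample plists for a self-check; not real-world samples.
SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.updates.helper</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/.cache/updater</string></array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>org.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string><string>--daily</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for f in scan():
        print(f"[{'SUSPECT' if f['reasons'] else 'ok'}] {f['path']}  "
              f"label={f['label']}  program={f['program']}")
        for r in f["reasons"]:
            print("        -", r)
    for p in existing_other_locations():
        print("also review:", p)
```

Run it as the user whose agents you want to inspect (system-wide LaunchDaemons are readable without root, but user agents live in each account's home). The heuristics are deliberately narrow so that a clean machine produces few flags; they do not replace reviewing the flagged binaries themselves, and StartupItems, cron and plug-in folders are only listed for manual review, not parsed.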

The threat to businesses is real

This is the kicker – Mac OS X malware might not be sophisticated but it probably doesn’t have to be. Bit9 + Carbon Black offers no evidence for the contention that businesses are failing to defend Macs with the same care they use for Windows PCs, but that is probably a valid contention all the same. As far as can be discerned from the outside, the market for Mac anti-malware products is much smaller than the market for Macs themselves. Beyond conventional security agents, endpoint security remains fairly limited on Macs compared to PCs. This now represents a major risk.

Carbon Black pushes its OS X process monitoring agent (which detects software behaviour rather than detecting known signatures) as the solution that offers businesses running Macs better protection, a sales pitch we’ll leave users to judge. The bigger message is that businesses using Macs should be running something and not simply assuming that the malware problem is something limited to PCs. The commercial world also needs to be aware of the growing number of security vulnerabilities affecting the platform.

“The pace of change has been staggering - our research found that in just this year alone, the amount of malware present in OS X samples is five times larger than in all of the previous five years combined,” said David Flower, EMEA managing director for Bit9 + Carbon Black.