We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

A look back at 12 years of Mac malware

Published January 1st, 2013 at 10:32 PM EST , modified January 1st, 2013 at 10:32 PM EST

It has been 12 years since the advent of Mac OS X. There had been some malware for older Mac systems before that point, but none of those worked on Mac OS X. This “reset the clock” on the Mac with respect to malware. Further, the new Unix base of Mac OS X promised greater security than older versions of the Mac OS. So how has that promise stacked up at this point?

New malware appearance by year

New malware appearance by year

Initially, malware remained fairly rare. The only malware in existence in 2001 belonged to the one specific family that actually managed to survive the transition to Mac OS X: Microsoft Office macro “viruses.” These became fairly prevalent among Microsoft Office users for a while, though they were never particularly dangerous.

It wasn’t until 2004 that the first truly new Mac OS X malware appeared. However, even then, malware remained nothing more than juvenile pranks or tentative poking at newly-discovered vulnerabilities that were soon closed in response. The first widespread malware didn’t appear until late in 2007, when the RSPlug malware appeared. Also known as DNS Changer, this malware affected machines up until late in 2011, when the gang behind it was apprehended and the malicious servers it used were eventually shut down.

In 2009, another widespread trojan appeared, masquerading at first as a “pirated” copy of Apple’s iWork software and later as other stolen software. It became fairly widespread, but since it really only affected people who were trying to illegally download stolen software, it was not considered to be a very significant threat by many. Most, including me, considered it to be a good lesson in appropriate online behavior.

It wasn’t until 2011 that malware started to become truly dangerous. First there were the initial probings into the Mac world by the Blackhole developers, who are now marketing their malware kit in the crime world with a great degree of success. Next appeared the MacDefender family of malware, which used hacked web sites to tell users that they were infected with malware and tricked them into installing it to “remove” the malware. This malware was so pervasive that it is the only malware that I have ever encountered “in the wild,” and not just once. I personally managed to find it not just once, but three times, and the first time I wasn’t even looking for it. MacDefender faded into obscurity before the end of the year, but in late 2011 the same hackers behind MacDefender brought us the first variants of Flashback, which at the time masqueraded as an Adobe Flash installer. All of this malware was entirely financially-motivated.

In 2012, Mac malware went through another transition. First, in February of 2012, Flashback transformed from a simple trojan into something far more dangerous. It took advantage of Java vulnerabilities to install itself as a “drive-by download” from hacked web sites. No user interaction was required, and although some variants did ask for an administrative password, users who were suspicious and did not supply that password were infected anyway through different means. Once Flashback’s technique became public knowledge, a flurry of new malware appeared that took advantage of the same vulnerabilities. Although those vulnerabilities were closed shortly after Flashback began using them, many people do not update their systems properly, and as a result, new malware continued to take advantage of those vulnerabilities as late as the end of November, nearly a full year later. Malware of other types also proliferated in 2012, but most of the malware from 2012 was highly-targeted. More than 1/3 of all of the malware from 2012 was used to attack specific groups in Asia, mostly Tibetan human rights groups and supporters of the Dalai Lama.

Overall, just by looking at the numbers, there is certainly cause for concern. As you can see from a chart of malware appearance by year that I created from my list of known malware, of all the Mac malware that has appeared over the last 12 years, almost 1/3 appeared in 2012, with 2011 in second place with 1/6 of appearances. If this trend continues, Mac users will need to take security far more seriously than they do now. Worse, the hackers behind the MacDefender and Flashback malware families – two of the most successful and prevalent malware programs on the Mac to-date – are still on the loose, and are undoubtedly working on their next big project as I write this.

On the plus side, spikes in the malware count have happened before. In particular, the 2006 spike seen in the graph above can be attributed to the discovery of several vulnerabilities that were exploited by multiple malware programs before those bugs were fixed. 2012 saw a very similar situation: several vulnerabilities in Java were exploited by a number of copycat malware programs following Flashback’s success. That could have caused an artificial spike in the numbers, and it’s entirely possible that 2013 will see a much lower malware appearance rate with those vulnerabilities closed and Apple distancing itself from Java.

In addition, it’s important to keep in mind that numbers don’t tell the whole story. For example, one might look at the data for 2006 and conclude that that was a very dangerous year for Mac users. In reality, however, most of the malware that appeared in 2006 was quite rare and not particularly dangerous. Several were only released as proof-of-concept malware, and never found “in the wild,” infecting real-world computers.

As of today, all Mac malware is either extinct or cannot infect a properly-updated machine. Although there are situations that can lead to infection, they require dangerous behavior on the user’s part, such as not updating their systems or downloading software from bad sources, such as through most torrent applications. Right now, anti-virus software is still not necessary for most users. Will that change in 2013? It’s too soon to say. It’s certainly evident that the Mac is becoming a tempting target for malware developers, but Apple’s recent focus on security suggests to me that there probably won’t be much to worry about in the near future, barring the discovery of another vulnerability.

Tags: , ,


  • Joseph says:

    Thomas, as a newer mac user, I appreciate your site and insights. Thank you very much! I can’t tell you how many windows machines I have cleaned up and wanted to move to a secure platform where many tasks just flat out work. Again, thanks for your column!

  • Brittany D says:

    Thanks for the info! I was wondering about mac malware. I’m a new user, too, and found out that Sophos antivirus screwed up my system so I had to reinstall OS X. I’ll stick to a manual-scan AV from now on even though I don’t download files usually unless they are jpg or video files or PDF’s. So hopefully I won’t get malware.

  • Brent Wahl says:

    Wife was on an iPAD 2 last night and clicked on what looked like an URL link inside an email message (apple mail att account) It than took every email in our contact list and spammed them with the same fake link.

    Not fun for all our friends family coworkers

    all Apple devices at home non with windows installed (iPhone iPad apple TV iMAC iPad)

    Doing a norton iantivirus scan on the iMac but not sure what else to do for iPad???

  • Steve B. says:

    Thomas, assuming that an individual has Java disabled in his/her browser, is it safe to say that the ONLY remaining malware threats out there for Macs are Trojans? And, that the actual way you encounter this threat is:

    1. You are presented with some kind of dialog box or window
    2. That box/window asks you to fill in information and click OK
    3. So, you have to be complicit in the Trojan’s attack

    In conclusion, is it safe to say that if you:

    1. Disable Java in your browser
    2. And just close (using the red “x”…I make this distinction, because programmers can program a “cancel” button to signal “OK”) the dialog box/window mentioned above without filling out any information or clicking OK

    Then, you’ll be safe from Mac malware? (For the time being?)

    BTW, another great article…nice work.

    • Thomas says:

      There are two basic ways that Macs get infected. One is the trojan. Currently, all known (and active) trojans are protected against by Mac OS X through XProtect, and Gatekeeper should protect against almost any unknown trojans. The other is through vulnerabilities of some kind. These are impossible to predict. Vulnerabilities can happen in any third-party software or even the system itself. Properly updating your system and all third-party software can go a long way to avoid those kinds of problems, but cannot guarantee to prevent them entirely.

  • Steve B. says:

    As a percentage of total OS X malware out there, what number would you say trojans are? 80% ? 90% ? More?

    • Thomas says:

      Depends on how and what you count. Out of recent, potentially still-active, malware, by my count, about 58% of the malware families are trojans, the rest rely on Java or Microsoft Office vulnerabilities. (All those vulnerabilities have been patched at this point.) That’s not a hard number, though, as it not entirely certain which malware families are still in active distribution and which or not.

  • Someone says:

    Just wondering… how big/dangerous does malware have to get to receive more than just “{insert name} malware discovered” on your blog?

This post is more than 90 days old and has been locked. No further comments are allowed.