Macs are really no more secure than a PC, but for many years there just weren’t as many out there because of the expense of the hardware and other issues. They've historically been a much less popular choice among both consumers, enterprises, and hackers alike.
The PC attack surface is much wider; therefore, criminals develop malware that works on PCs because the payout is much higher. James Plouffe, lead solutions architect at mobile-security company MobileIron, said there are, however, a couple of oft-overlooked things that also protect Macs.
First, Plouffe said, "MacOS is actually BSD Unix derivative. Granted, it's heavily customized but this meant that, unlike Windows (which had a long tail of viruses reaching back to the days of MS-DOS), bad actors had a lot more heavy lifting to do to be able to attack macOS."
Apple was also a trend setter in that they were, "The first major OS vendor to bring the concept of "app sandboxing" the desktop. There's also an element of sandboxing available in Safari: each "tab" runs as its own process and has it's own sandbox. It's not a panacea, of course, but it can go a long way toward preventing infection," Plouffe said.
Still humans remain the weakest link. In nearly one-third of breaches, "Attackers were able to effect a compromise without having to rely on getting their code running. I think you'll actually see that number grow, because techniques like social engineering and phishing are more durable and-- more importantly-- portable across platforms,” Plouffe said.
David Dufour, senior director of engineering at Webroot, said, "There hasn’t been a significant increase in Mac-specific malware but we are seeing a rise in cross platform threats such as spyware, adware, and potential unwanted applications on Macs."
Thomas Reed, director of Mac offerings at Malwarebytes
"Many of these incidents are occurring through exploits in third-party solutions from Adobe, Oracle’s Java and others, providing a mechanism for delivering malicious software and malware," Dufour said.
The cause for the rise, said Dufour, is that "Attackers are adept at using exploits in third-party software to deliver malicious programs to Macs and other operating systems."
Mikhail Kuzin, malware analyst at Kaspersky Lab, said Mac has seen a rise in AdWare because it’s an easy way for software developers to earn money.
"The most popular class of AdWare for Mac is now third-party installers. These programs allow those using it for distribution to include monetization of advertisements, showing some additional offers to the user during the installation process."
One of the biggest security risks specific to Adware is that sometimes these additional offers install without an end user’s approval. "Often times, even when the approval is actually needed, the user may not notice the corresponding text with a checkbox, as it is usually extremely small and difficult to read. Instead, they just click 'next,' so a PUA is then detected," Kuzin said.
Chester Wisniewski, Sophos senior security adviser and principal research scientist
Chester Wisniewski, Sophos senior security adviser and principal research scientist, said, "The opportunistic malware problem on Macs is definitely increasing."
Unlike Windows, which has hundreds of millions of pirating that aren’t getting updates, there is less of that in the Mac world. Wisniewski said, "Apple makes it easy to keep up to date."
Mac threat ignored
Still the Mac threat has been largely ignored for a long time, but Mac users are starting to understand the need for more protection.
On the truly malicious side, there has been an uptick in password stealing areas. "Mac Trojans that try to take your keychain to access corporate credentials, any and all credentials stored in the back keychain. It's an opportunistic publicly known malware against Macs," said Wisniewski.
"The Apple specific malware is very different from what we see in the Windows world. There is very little ransomware. There was KeRanger ransomware for Mac, but that wasn’t very widespread. The vast majority of what we see are potentially unwanted application (PUAs)," Wisniewski said.
Thomas Reed, director of Mac offerings at Malwarebytes, agreed that the biggest threat to Macs is with the unwanted applications. "In my eyes, there are three different categories. Malware, which is outright malicious. Adware, which is more scamming, less ethical, and the potentially unwanted programs (PUPs), which are not detected as malicious but none the less things you don’t want."
Even though the number of malware for Macs was a total of only seven different malware families last year, which Reed said is on par with previous years, there has been a big explosion in the adware and the PUPs.
"There has been a lot of adware mostly belonging to Ironcore, Cross Rider, MacKeeper, and Advanced Mac Cleaner. These also affect machines in the Windows world," Reed said.
While malware is most harmful, Adware is more of a scam toward the advertisers. "They get paid by advertising companies for putting ads in the user's face. Injecting them into websites or replacing ads or redirecting the user to different search engines," Reed said.
On the surface, these are not really harmful to the user or computer, but they can open up security holes. "They can create security vulnerabilities. A few years ago, there was a vulnerability in Mackeeper where they could create a custom URL so that if the user clicked it would open the URL in Mackeeper and run custom code in that URL. After that vulnerability was discovered it was being used to deliver malware onto Macs," Reed said.
"Mac is not significantly or implicitly more secure," said Reed. "It has good security features, but it is not bullet proof. It's more security by obscurity. Most are targeting Windows where the big money is. The numbers really are a problem for Windows, but Macs are not bullet proof."
Just recently, the first Mac-specific malware of the year, Fruitfly, was discovered. "It looks like it’s been around for a while. We think it traces back to at least 2014 probably earlier than that, but we are not sure. We also found a piece of malware for Windows that looks similar. It can run in Linux as well. This is a more sophisticated threat than we’ve seen on the Mac in a while," Reed said.
Whether using a Mac or a PC, enterprises need to remember that in a targeted attack, the risks are equal. "Whether it’s a nation state or a malicious actor, if somebody is after your stuff, they are going to take over your system whether it’s one or the other," Wisniewski.
Enterprises should take steps to minimize their risk of Adware. "The first step is to be vigilant, and carefully inspect what you’re installing and read all fine print. Educate yourself or your employees on how to recognize junk before you agree to download it," Dufour said.
Installing antivirus software will also help to mitigate the risk of Adware. "Traditionally, anti-virus software is built to detect and remove viruses and other serious malware, but some do protect against Adware and PUAs. Anti-virus technology will further bolster protection against Adware, especially when end user education falls short," Dufour said.