For decades, Apple built much of its marketing for its Macintosh computers around the idea that they’re safer to use than PCs running Microsoft’s Windows operating system. But in a remarkable appearance in court last week, Apple’s top software executive admitted that malware is a serious issue for Mac users, and that levels of malware on Macs are at “unacceptable” levels.
In doing so, Apple Senior VP Craig Federighi laid waste to the myth that Macs aren’t as susceptible to malware, an image carefully groomed over the years. It’s a notion that Apple continues to push even now, as Forbes contributor Barry Collins pointed out, with language on its web page for the current macOS 11 that touts it as keeping “your system safe from malware.”
It’s worth noting that, after Federighi’s court appearance, Apple put up a new section on its website titled “Why Mac” to promote its latest desktop and notebook computers. The copy briefly mentions “built-in” protection against viruses and malware, but the emphasis is more on privacy, which has become one of the company’s most emphasized bullet points.
Federighi was testifying in the trial over Apple’s removal of Epic Games’ Fortnite title from the iOS app store. Apple’s rules forbid an app from telling users that they could save money by going elsewhere to make in-app purchases, and Epic deliberately violated that rule in a bid to force a court case. Epic is alleging that Apple is behaving like a monopolist with its App Store policies, while Apple says it takes a cut to continue to provide curation services that keep its customers safe.
But no one expected Federighi to cut the Mac off at the knees in the way he did. The point he made was this: The Mac has a problem with malware, and if our mobile iOS was as open a platform as the Mac, the situation would be even worse.
Which begs the question: How bad is it?
Pretty bad, according to Patrick Wardle, an independent security researcher who specializes in macOS and is the author of a book called “The Art of Mac Malware.” He also develops a line of free, open-source security tools called Objective-See.
“The problem is worse than the majority of people realize,” Wardle said. He described Apple’s past marketing messages that “Macs don’t get malware” as being “very dishonest.”
That Macs are not immune to malware is not really news. Technically proficient users of Apple’s computers have known this for a long time. What is more correct to say is that there is a lot more malware in the world targeting Windows PCs than Macs. Wardle said that some of that has to do with the historically smaller installed base of Mac systems; Windows is a bigger and thus a more lucrative target.
On Monday, Forbes cybersecurity writer Thomas Brewster reported on a flaw in macOS Big Sur that could allow hackers to bypass Apple’s own antimalware features. There are indications the bug is being exploited now. The macOS 11.4 update released Monday fixes the issue, and if you’re a Mac user who has not updated yet, you should do so right away.
Apple and its fans will say that the macOS’ architecture makes it more difficult for malware to take hold on a Mac. But the bottom line is that there’s a lot more malware aimed at Macs than there used to be, and it’s growing more sophisticated.
“There are millions more Mac users now, so hackers are targeting Macs more,” Wardle said. “What’s interesting is that half the malware samples targeting Macs are samples that worked before on Windows. The creators of malware are porting their Windows malware to the Mac.”
Apple, which is the only entity that would really have the big picture on Mac malware, doesn’t talk about it. Apple didn’t respond to a request for quantification of their executive’s revelation.
But for evidence, take a look at the 2021 State of Malware, this year’s release of an annual report produced by Malwarebytes, which makes security software for Windows, Mac, Android, iOS and Chrome OS. The data was collected during 2020, and while it shows a 37% dip in the prevalence of Mac malware compared to the previous year – in which the pace of Mac malware outran that of Windows – the worst category of malware jumped by 61% in 2020.
But there is some good news. Hardcore malware was only a small fraction of what was seen last year; adware, which subjected users to intrusive ads, and potentially unwanted programs (PUPs), which are unnecessary apps that are bundled with other software, made up the bulk of incidents in Malwarebytes’ 2020 report.
There also was an increase in the amount of malware targeting businesses, which Wardle credited to Apple making inroads into the corporate world.
Another reason that Macs are a growing target for evildoers is that most Mac users, having bought Apple’s spin, don’t run security software, Wardle said. That makes Macs easier to get into.
While he credits Apple with recent changes to the macOS that make it more secure, he said users can’t rely on that exclusively to protect them. And, the macOS still has its share of flaws, one of which was serious enough to have bypassed the software’s built-in antimalware features.
“A lot of Mac users are naively overconfident of the security of their systems,” Wardle said, likening the situation to life in a crowded city (Windows) versus that in the serene countryside (Macs).
“The house in the city has bars on the windows and an alarm system, and they still get broken into,” he said. “With the country cottage, the door is wide open. In this case, it’s like the suburbs are creeping into the countryside.”
When asked what Mac users should do in the wake of Federighi’s sworn testimony, Wardle ticked off the list of familiar recommendations: Make sure you’re running the latest version of macOS and all the security updates release for it; don’t download illicit software from sketchy websites or torrents; don’t click on links or attachments in emails you weren’t expecting.
And he adds that all Mac users should do what most Mac users do not: Install antimalware apps. Wardle recommends looking for products from companies that do security research and publish the results, such as the aforementioned Malwarebytes.
I have to admit, I was one of the Mac users he’s talking about. I kept the free Malwarebytes software on my Macs, but it doesn’t run in the background, guarding against poisoned downloads or websites, or watching for suspicious behavior. I just ran a malware scan every two weeks or so. But I’m switching to a full-blown antimalware package, and am currently testing Avira, a free app. I’ll report back in a future Release Notes issue.