While Mac users have enjoyed a computing experience largely free of viruses and trojans, the last year has seen a turning point in fortunes.
According to a new report, 2015 has seen more malware targeting Apple desktops and servers than the last five years in total. The report, published by IT security firm Bit9 + Carbon Black Threat Research team, analysed more than 1,400 unique OS X malware samples and found a flood of malware attacks this year.
"As big-picture trends from the data began to emerge, one data point struck the team as particularly noteworthy: 2015 has been the most prolific year in history for OS X malware," the research team said in its report. "In 2015 alone, the research found, the number of OS X malware samples has been five times greater than in 2010, 2011, 2012, 2013 and 2014 combined."
The report cited the growing popularity of Macs as an alternative to Windows as one reason behind the increase in malware targeting the operating system. More than ever before, Macs have entered the workplace which hackers could attack hoping to gain access to sensitive data.
"This rise in Mac OS X malware comes after several years of rapid OS X market share gains, with 16.4 percent of the market now running OS X, including expanding deployment in the enterprise," the report said. "This represents a growing attack surface for sensitive data, as 45 percent of companies now offer Macs as an option to their employees."
Among the most common malware families targeting OS X were: Lamadai, a backdoor trojan exploiting a Java vulnerability; LaoShu, spread through spam about undelivered mail parcels; Appetite, a trojan targeting government organisations; and Coin Thief, which stole bitcoin login credentials via a trojanised copy of the Angry Birds game.
The firm's analysis showed that most OS X malware used features of the OS such as LaunchDaemons/LaunchAgents, login items and browser plugins to persist.
“Malware more often resided in userland and leveraged persistence mechanisms that supported this as opposed to attempting to reside in kernel-land by writing custom kernel extensions,” the report said.
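The launchd persistence the report describes leaves a property list on disk, which is exactly what a defender can audit. The following is an added example, not code from the report: it parses one LaunchAgent/LaunchDaemon plist and flags the traits a triage analyst looks for first (RunAtLoad, KeepAlive, an executable in a user-writable path, an inline interpreter script). The sample plist, label and paths are constructed for the example.

```python
import plistlib

# Locations a non-root user can write to; a launchd job whose executable lives
# here is worth a closer look (a heuristic, not proof of infection)
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")

# Constructed sample LaunchAgent modelled on the userland persistence the report
# describes; it is not a real sample from the report
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/.cache/updater</string><string>--silent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""


def audit_launch_plist(data: bytes) -> list:
    """Return (rule, detail) findings for one LaunchAgent/LaunchDaemon plist."""
    try:
        job = plistlib.loads(data)
    except plistlib.InvalidFileException:
        return [("invalid_plist", "could not parse property list")]
    label = job.get("Label", "<no Label>")
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else None)
    if not isinstance(program, str):
        return [("no_program", f"{label}: no Program or ProgramArguments")]
    findings = []
    if job.get("RunAtLoad"):
        findings.append(("run_at_load", f"{label}: starts at login/boot -> {program}"))
    if job.get("KeepAlive"):
        findings.append(("keep_alive", f"{label}: launchd relaunches it if killed"))
    if program.startswith(USER_WRITABLE_PREFIXES):
        findings.append(("user_writable_path", f"{label}: executable in {program}"))
    # interpreter started with an inline script: there is no script file on disk to scan
    if program.endswith(("/sh", "/bash", "/zsh", "/python", "/perl", "/osascript")) \
            and any(a in ("-c", "-e") for a in args[1:]):
        findings.append(("inline_script", f"{label}: inline script via {program}"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit_launch_plist(SAMPLE_AGENT):
        print(f"[{rule}] {detail}")
```

On a real Mac the same function would be run over every file in the system and per-user LaunchAgents and LaunchDaemons directories.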
It said another twist in the analysis was that the team expected that, given OS X's roots in FreeBSD, adapting Unix/Linux malware would be common.
“However, based on this 10-week analysis, there does not appear to be much, if any, Unix-style malware brought over to OS X,” it said.
The report added that Apple introduced a new load command in OS X 10.8, but 90 percent of OS X malware still used the old method, which made the malware much easier to spot. "Malware authors are not updating their malware to conform to the latest specifications by Apple," it said.
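The report does not name the command; the load command Apple introduced in OS X 10.8 is LC_MAIN, which replaced LC_UNIXTHREAD as the way a Mach-O executable declares its entry point. As an added example (not code from the report), the following reads the Mach-O header and load commands of a little-endian image and reports which of the two it uses, so a binary still built the old way can be singled out for review. The sample images are constructed in memory and are not real binaries.

```python
import struct

MH_MAGIC = 0xFEEDFACE       # 32-bit Mach-O, little-endian (x86)
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O, little-endian (x86_64)
LC_UNIXTHREAD = 0x5         # legacy entry point: initial thread state (pre-10.8)
LC_MAIN = 0x80000028        # entry point as file offset, introduced in OS X 10.8


def entry_point_command(data: bytes) -> str:
    """Return 'LC_MAIN', 'LC_UNIXTHREAD' or 'none' for a little-endian Mach-O image."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        hdr_len = 32
    elif magic == MH_MAGIC:
        hdr_len = 28
    else:
        raise ValueError("not a little-endian Mach-O image")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    off, end = hdr_len, min(hdr_len + sizeofcmds, len(data))
    found = "none"
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands run past the image")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")
        if cmd == LC_MAIN:
            return "LC_MAIN"
        if cmd == LC_UNIXTHREAD:
            found = "LC_UNIXTHREAD"   # keep scanning in case LC_MAIN also appears
        off += cmdsize
    return found


def build_sample(entry_cmd: int) -> bytes:
    """Construct a minimal x86_64 Mach-O header with one entry-point load command (test data)."""
    if entry_cmd == LC_MAIN:
        lc = struct.pack("<IIQQ", LC_MAIN, 24, 0x1000, 0)            # entryoff, stacksize
    else:
        # flavor x86_THREAD_STATE64 (4), count 42 words, zeroed register state
        lc = struct.pack("<IIII", LC_UNIXTHREAD, 16 + 42 * 8, 4, 42) + bytes(42 * 8)
    # magic, cputype x86_64, cpusubtype, filetype MH_EXECUTE, ncmds, sizeofcmds, flags, reserved
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 1, len(lc), 0, 0)
    return hdr + lc


if __name__ == "__main__":
    for cmd in (LC_MAIN, LC_UNIXTHREAD):
        print(entry_point_command(build_sample(cmd)))
```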
The report said that since OS X has until recently been largely ignored by malware and only rarely the target of advanced cyber-attacks, many enterprises have failed to implement the same safeguards and controls on OS X devices as they have for Windows machines.
“As OS X malware and targeted attacks have increased, this security gap has left many organisations exposed and unable to identify or stop infections. This reality has been compounded by the lack of OS X support from many endpoint security vendors and is a strategic vulnerability for organisations with large OS X deployments,” the report said.
“If your organisation is currently running OS X, it may mean that attackers are actively exploiting and targeting your systems. Most infections our sensors see are of the adware variety, however, we have noticed an increase in more sophisticated malware.”
James Maude, senior security engineer at Avecto, told SCMagazineUK.com that the increase in the popularity of Macs in the workplace and with individuals is driving cyber criminals to create malware for OS X.
“This problem has been building for a number of years, but 2015 has been a real turning point in terms of the volume of malware. Our malware labs are increasingly seeing OS X variants of common threats, although still nowhere near the volume of Windows threats,” he said.
Mark James, security specialist at IT security firm ESET, told SC that from a malware writer's point of view there is no point in investing time and effort into a platform that is not going to deliver the results worthy of their initial investment. “Tag that alongside the worrying amount of users that have no software security to protect them thinking their platform is targeted less so therefore possess less risk,” he said.
Maude said the increase in popularity has been a driving factor; however, it is not necessarily the case that it's easier to find flaws in OS X.
“It's more that until now very little research effort has been invested in the platform. Traditionally Macs have been seen as more secure due to the lack of reported vulnerabilities and malware, however following recent reports of Mac vulnerabilities, many organisations are beginning to question how secure OS X really is now,” said Maude.
James added that a lot of the attacks used so far on OS X are not that sophisticated, “something that will certainly change once users catch on and start taking OS X malware as seriously as Windows users.”
The increase in the amount of malware didn't mean that features such as Gatekeeper on the Mac were useless.
“When configured on a stricter setting, Gatekeeper is good for filtering out many of the common malware threats, but users often ignore warnings or bypass restrictions with admin rights. Although it can't be relied upon for defence, it does have a part to play,” Maude said.
But he added that one issue Macs have with security is the lack of tools to manage Macs in a corporate environment. “This lack of resource gives users with admin rights the opportunity to install any software they want, therefore vastly increasing the attack surface and risk. Organisations need to treat OS X the same as Windows and introduce controls with privilege management and application control,” he said.
James said the way to protect against Mac malware is the same as for Windows. “Ensure your operating system is up to date, make sure you have good quality, regularly updating security software on your OS X endpoints and your users are educated on how and where these attacks happen. Data management and network monitoring will help flag anything that could indicate an early warning that something is going wrong.”