The 7 Most Common Mac Malware Threats. By AiroAV

Authors: AiroAV Labs

May 27th, 2019

At AiroAV (a.k.a. Airo), we define seven main categories of Mac threats, as our lab classifies them. So, without further ado, let us introduce you to them. It should be noted that some of the definitions are commonly used and well known in anti-malware communities, while others were created by our own AiroAV labs and are based on countless encounters and incidents involving many different types of malicious conduct.

The following classifications cover some well-known, annoying and/or unwanted Mac threats disguised as genuine OSX applications; however, some may apply to other operating systems too.

#1: Suspicious File

The AiroAV “Suspicious File” classification signifies that the application or software being downloaded or used is questionable, undesirable and/or unknown. This may be because it has a bad reputation (or no reputation at all), has received a number of user complaints, or behaves in a way that is not fully disclosed to or consented to by the user. AiroAV’s emphasis in the “Suspicious” classification is largely on non-genuine intent or on the bad reputation of the application or software.

Applications or software that use questionable distribution tactics or sources, or that behave in a way that forces the user to install programs, click buttons, call phone numbers or take any other action that is not in the user’s best interest, will also be classed as suspicious until proven otherwise.

In some cases, AiroAV will class something as “Suspicious” while it is still being analyzed, on a solid suspicion that it is malicious, with the aim of warning users of a potential threat and alerting them to be more cautious until AiroAV is able to classify the potential threat more accurately.


Common Characteristics of Suspicious File:

The following is a (non-exhaustive) list of behavioral examples and symptoms of how “Suspicious files” are likely to behave when evading detection on, or attempting to infiltrate, a user’s Mac system, any of which will trigger AiroAV’s “Suspicious File” classification.

  • Anything associated with Scareware, Adware or Malware.
  • Users have no recollection of how it ended up on their machine.
  • Lack of actual functionality or value to the user.
  • An application that is confusing and/or incoherent, or that has changed its functionality over time without the user’s consent.
  • Any program that interferes with OS or browser settings in ways the user did not explicitly consent to.
  • Any software or application that has no publisher certificate or comes from an unknown source.
  • Any file, screen, document or app cloning or duplicating itself unreasonably.
  • A software bundle that does not clearly disclose all offers contained in the bundle.
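As an added example (not code from the AiroAV article), one way to check the “no publisher certificate or unknown source” characteristic with macOS’s own tools: `classify()` is the decision logic over `codesign --verify` and `spctl --assess` results, exercised here with constructed sample output, and `assess_app()` runs the real tools on a Mac. The exact `spctl` output format and the Example.app values are assumptions.

```python
import shutil
import subprocess

# Constructed samples of `spctl --assess --type execute -vv <app>` output
# (assumed format: "<path>: accepted|rejected" followed by "source=..." lines).
SAMPLE_NOTARIZED = (
    "/Applications/Example.app: accepted\n"
    "source=Notarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (TEAMID0000)\n"
)
SAMPLE_UNSIGNED = (
    "/Users/me/Downloads/Installer.app: rejected\n"
    "source=no usable signature\n"
)

def classify(codesign_ok: bool, spctl_output: str) -> str:
    """Pure decision logic: codesign_ok is whether `codesign --verify` exited 0,
    spctl_output is the text printed by `spctl --assess ... -vv`."""
    if not codesign_ok:
        return "unsigned-or-tampered"   # no seal, or contents no longer match it
    verdict, source = "unknown", ""
    for line in spctl_output.splitlines():
        line = line.strip()
        if line.endswith(": accepted"):
            verdict = "accepted"
        elif line.endswith(": rejected"):
            verdict = "rejected"
        elif line.startswith("source="):
            source = line[len("source="):].lower()
    if verdict == "accepted" and "notarized" in source and "unnotarized" not in source:
        return "signed-and-notarized"   # Developer ID plus Apple notarization
    if verdict == "accepted":
        return "signed-gatekeeper-accepted"   # e.g. App Store or Apple-signed
    return "signed-but-gatekeeper-rejected"   # valid seal, untrusted publisher

def assess_app(path: str) -> str:
    """Run the real tools on macOS; report when they are not available."""
    if not (shutil.which("codesign") and shutil.which("spctl")):
        return "tools-unavailable"
    cs = subprocess.run(["codesign", "--verify", "--deep", "--strict", path],
                        capture_output=True, text=True)
    sp = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", path],
                        capture_output=True, text=True)
    return classify(cs.returncode == 0, sp.stdout + sp.stderr)

if __name__ == "__main__":
    print("sample notarized :", classify(True, SAMPLE_NOTARIZED))
    print("sample unsigned  :", classify(False, SAMPLE_UNSIGNED))
    print("/Applications/Safari.app:", assess_app("/Applications/Safari.app"))
```

A “signed-but-gatekeeper-rejected” or “unsigned-or-tampered” result is exactly the “no publisher certificate or unknown source” symptom above; it does not by itself prove malice, but it removes the accountability a valid Developer ID provides.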

#2: Scareware

When AiroAV classifies something as ‘Scareware’, it refers to software, an application, a program or anything else that uses scare tactics to alert, trigger and urge users into downloading or purchasing its products.

Scareware is usually associated with false or over-exaggerated claims about the health of the system or machine by impersonating system notifications and alerts.

Common Characteristics of Scareware:

  • Functionality that interferes with or falsely alters the general experience of the user.
  • Language, design or elements that use false, exaggerated or confusing messages without any basis or grounds to do so.
  • Falsely scaring or urging the user into taking an action (which they otherwise wouldn’t have taken) by using notifications, alerts, buttons, ads or popups intended to make the user click on or install something.
  • Spamming or any other form of excessive messaging.
  • Tech Support Scams.
  • Suspected phishing or social engineering practices (a high degree of phishing may be classified as Adware/Malware).

#3: Adware

This category, together with Scareware, is the biggest focus of AiroAV detection technologies and research, simply because research has shown that Mac users are most disturbed by this category, and most Antivirus products refrain from analyzing and detecting these.

Anything classed as ‘Adware’ by AiroAV refers to any software, application, browser extension or program whose sole purpose is to make money or generate revenue by disrupting your Mac experience and/or by hijacking your browser’s default search engine.

Common Characteristics of Adware:

  • A homepage, default new tab or search engine is hijacked and replaced by another service, search engine or website that was not clearly approved by the user.
  • Excessive ads all over the screen.
  • Too many pop-ups or push notifications.
  • Intrusive tracking of user’s actions or browsing history with no or irrelevant functionality, and no clear user consent.
  • Something that triggers the installation of unrelated features, apps or third-party software without the users’ consent.

#4: Malware

AiroAV classifies as ‘Malware’ a program, software, application, script or file embodying the potential or intent to maliciously harm the user’s Mac, browser, accounts, experience or data. Malware takes on many forms, including:

  • Viruses
  • Worms
  • Trojan Horses
  • Spyware
  • Ransomware
  • Any other classification that is escalated

These malicious programs can perform a variety of functions, including stealing, encrypting or deleting sensitive data, altering or hijacking core functions, and monitoring users’ activity without their knowledge and/or permission. Their sole purpose is to harm the user’s Mac, to use it for the attacker’s own benefit, or to create the potential for such harm (even if not exploited directly by the attacker).

Malware, regardless of its form, can be presented as, or appear to be, a legitimate file that has been infected without the user’s knowledge.

Common Characteristics of Malware:

  • Overall bad or illegal behavior.
  • Any type of unauthorized hijacking including clickjack, page hijack, DNS hijack and/or invasion.
  • Hidden (irrelevant) functionality or code injections.
  • Unexpected and unauthorized changes in functionality or appearance.
  • Stealing, encrypting or deleting sensitive data (including keylogging).
  • Altering or hijacking core functions and monitoring users’ activity without consent.
  • DNS redirection or DNS injection.
  • Functionality with the potential to take control of the user’s keyboard, mouse or other basic functionalities, without relevancy or user consent.

#5: Spyware

Spyware is a type of software, application, program, file or script with a sole function of spying on the users’ activity or stealing data or collecting sensitive data about them without their permission or knowledge.

Some spyware may even steal passwords, credit card information and online accounts credentials.

Spyware is not a legitimate file infected by a virus; it is embedded in an application that was coded with malicious intent, and it cannot be disinfected.

Common Characteristics of Spyware:

  • Keylogging or any other method that potentially (or actually) enables others to steal passwords by monitoring the users’ keystrokes.
  • Web camera or mouse hover hijacking.
  • Hidden in malicious files accessing data.
  • JavaScript injections into visited websites that track the user’s web activity and use the data without permission or authorization.

#6: Crypto-Malware

The Crypto-Malware classification covers a type of malware attached to any software, application, script or program whose sole purpose is to mine cryptocurrency without the consent or knowledge of the user. Basically, it is any person and/or organization digging into the user’s system, CPU (Central Processing Unit) and memory for their own financial gain.

Common Characteristics of Crypto-Malware:

  • A severely slow Mac.
  • Processes, apps or software suddenly freezing, shutting down or being abruptly minimized to the dock.
  • An Application suddenly behaves erratically or differently.
  • The machine is unusually hot for no reason.

#7: Ransomware

Ransomware is a particularly vicious type of Malware that takes over the user’s machine and holds it to ransom. The hacker blocks access to the Mac and demands payment via cryptocurrency or credit card (or other payment methods) to restore access to the computer or files, usually by a specific deadline. If the ransom is not paid, the hacker usually threatens to publish or delete sensitive information or files.

Common Characteristics of Ransomware:

If a user is ever unfortunate enough to be attacked by ransomware, they’ll know about it, but here are some examples of how ransomware would try to attack.

  • Different forms of phishing are a common method of triggering or facilitating ransomware (including e-mails or messages sent from an unknown source, luring the user into installing something they don’t fully understand or didn’t request).
  • Out of context incentives to ‘click to download’ or ‘click to install’ something without a clear explanation to what it is or what the click result would be.
  • The screen on the Mac is suddenly blocked.
  • The screen suddenly displays the blue/black screen of death.

