The Hard Apple: Why It’s Difficult to Acquire Malware on a Mac

It always seems like there is a new virus, new malware, new adware, that happens to pop up on a computer running Windows. But why do we not hear about this happening on a Mac? The answer is hidden under the operating system, tracing it to its roots, along with the attacker’s target audience.

Apple Mac computers run a Unix-based operating system. Unix is normally a very secure operating system with its own built-in features. Along with this, Apple has added its own security features. One of these features is called Gatekeeper. Gatekeeper blocks any software that hasn’t been digitally signed and approved by Apple. A second feature used by Macs is known as sandboxing. The process involves checking applications to confirm that they are only doing what they’re supposed to be doing. Sandboxing also isolates the applications from system components and other parts of the computer that do not have anything to do with the app’s initial designed purpose. The final security feature used by Apple is called FileVault 2, which is a simple file management system that encrypts all of the files on the Mac computer. These embedded security features created by Apple help to create a more secure system for their users.

Normally, it would be thought that Mac users would be an easy group to target, but based on recent data, most attackers see that the number of people in the Apple community is not worth the overall effort of making a virus or malware that can successfully pass through all of the Apple security obstacles. The reason there are very limited viruses/malware for Mac devices is that attackers have a greater and easier target audience in Windows users.

Despite the very small number of Mac-related viruses and malware, there have still been instances of them occurring. In 2017 alone, there has been a 230% increase in Mac malware. An example of this is the OSX/Dok malware. OSX/Dok appeared in April 2017 and was a trojan that would hijack all incoming and outgoing traffic on the Mac computer. The trojan was signed with a valid certificate from Apple, meaning that the hackers could have used a legitimate developer account to initialize this attack. Another attack that took place in February of 2017 was called MacDownloader. This adware would display to a user as a free update for the Adobe Flash Player. When the installer ran, the program would tell the user that there is adware on the Mac and would prompt for the system password. This would then begin the process of transmitting data (i.e. usernames, passwords, etc.) to a remote server. The final example of successful Mac malware would be one called Safari-Get. Happening in November of 2016, this was a type of social engineering that involved sending out links through emails, with the link either opening multiple iTunes windows or multiple draft emails (depending on the Mac operating system version). This would cause the system to freeze or cause a memory overload and force a shutdown.

Regardless of the lack of effort put forth by attackers towards Mac users, there still should be some safety concern for users. This can be addressed easily by updating applications and being careful when clicking links or even opening certain files.

-Ryan Keihm


Do Macs get viruses, and do Macs need antivirus software?

16 Apple Security Advances to Take Note of in 2016


Using the Site as File Storage

The title of my source article is “The Website Lets You Upload Malware Using Its Own Public API Key.” This sounds far-fetched, but it really isn’t. Basically what happened is that the FCC has an API for uploading files to its domain that one does not have to accept a TOS or EULA in order to use – you can simply request an API key.

Along with the API key, there is also public FCC API documentation that one can use if you’re not quite technically savvy enough to figure it out without documentation (that is to say, you’re not getting lucky – trying to do this without documentation is probably shooting blind). The author says that “…so far they have managed [to upload] pdf/gif/ELF/exe/mp4 files up to 25MB in size.”

So what all this boils down to is that the FCC has a publicly accessible API for uploading documents to its website that you do not have to agree to a TOS for (meaning that you can’t violate any TOS by using it), and it can act as file storage for most file types up to 25MB, even allowing MP4 video playback within the site. This is interesting – people could have split up files into smaller zipped chunks, which wouldn’t give you anything comprehensible if you just opened one of the .zips, and then distributed all parts to other people (NOTE: I do not know if .zip is an acceptable upload file type, but even if it isn’t, you can do the same thing with a PDF, it’s just a little more complex).

This file storage could be simple jokes (like the contact the author of the OP had), or people could have been storing illegal files on a government website (which, using the technique I described earlier, would not look like much unless all files were found). The big concern that the author has is people using this as a redirect or to host malware. Phishing would be much easier on someone technically savvy if the .exe a “government official email” says they need to download and run is hosted on the website.

Note: It’s possible that between the time of my writing this post and it being read in class, all files were taken down now that the vulnerability is known.

By: Connor Shade
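The post above describes an upload endpoint with three missing controls: keys handed out with no account or terms behind them, no size or type policy beyond a 25MB ceiling, and acceptance of executable formats. The following is an added example (not code from the post, the linked article, or the FCC) of the server-side policy a document-filing endpoint would apply instead. The `accounts` table, the API keys, the file samples and the "documents and images only" policy are all constructed for the demonstration; the magic-byte table covers the formats the post says were uploadable.

```python
import hashlib

MAX_UPLOAD_BYTES = 25 * 1024 * 1024  # the 25 MB ceiling the post reports

# Leading bytes of the formats the post lists as uploadable (constructed table).
# MP4 is identified by the "ftyp" box at offset 4 rather than at offset 0.
MAGIC = {
    "pdf": b"%PDF-",
    "gif": b"GIF8",
    "elf": b"\x7fELF",
    "exe": b"MZ",
}

# Policy for a document-filing endpoint: only inert document/image formats.
ALLOWED_TYPES = frozenset({"pdf", "gif"})


def sniff_type(data: bytes) -> str:
    """Classify by content, ignoring whatever name or extension the client sent."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"
    return "unknown"


def validate_upload(data: bytes, api_key: str, accounts: dict) -> tuple[bool, str]:
    """Return (accepted, reason).

    `accounts` maps an API key to the account that requested it (hypothetical
    registry); an account must have accepted the terms before its key can
    upload anything. The checks, in order, close the gaps the post describes:
    anonymous keys, no terms of service, no size limit enforcement per account,
    and arbitrary file types.
    """
    account = accounts.get(api_key)
    if account is None:
        return False, "unknown api key"
    if not account.get("accepted_tos"):
        return False, "terms of service not accepted"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds 25 MB"
    kind = sniff_type(data)
    if kind not in ALLOWED_TYPES:
        return False, f"type {kind} not permitted"
    # Record a content hash so an accepted file can be traced back later.
    return True, f"accepted {kind} sha256={hashlib.sha256(data).hexdigest()[:16]}"


# Constructed accounts: one anonymous key, one key tied to a registered filer.
ACCOUNTS = {
    "key-anon": {"owner": "unknown", "accepted_tos": False},
    "key-filer": {"owner": "docket-filer@example.invalid", "accepted_tos": True},
}

# Constructed file heads in each format the post mentions.
SAMPLES = {
    "pdf": b"%PDF-1.4\n%constructed sample\n",
    "gif": b"GIF89a" + b"\x00" * 10,
    "exe": b"MZ\x90\x00" + b"\x00" * 60,
    "elf": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
    "mp4": b"\x00\x00\x00\x18ftypisom" + b"\x00" * 8,
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        for key in list(ACCOUNTS) + ["key-never-issued"]:
            ok, why = validate_upload(blob, key, ACCOUNTS)
            print(f"{name:4} {key:17} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The ordering matters for the TOS point the post makes: the key-to-account lookup and the terms check come before any look at the file, so an upload that cannot be attributed to an accountable party is refused before the server spends anything on it. Type is decided from the bytes, not the filename, so renaming an executable to `.pdf` does not get it through.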


Apple Zero-days Mark a New Era of Mobile Hacking


Apple’s head of security engineering and architecture, Ivan Krstic, announced that Apple is ready to open up its vulnerability reporting process to researchers. They are launching a bug bounty program that offers rewards for zero-day vulnerabilities that allow vicious code exploits.

This idea came about after an incident involving an activist in the United Arab Emirates, Ahmed Mansoor, where three zero-days were discovered with the ability to spy on his messaging and calls. This incident caused Apple to realize that hackers had shifted their focus from desktops/laptops to mobile phones.

The iOS exploit used to target Mansoor was a three-pronged approach that started as a very believable phishing attack that, when clicked, downloaded two kernel exploits to the device. Now that the malware has been exposed, Citizen Lab has discovered that the exploit was the work of an Israel-based surveillance software developer group, NSO. Lookout estimates that the exploit has been available for purchase for approximately two years.

Now that the NSO group has been made public and the zero-days have been patched, there are ways to scan whether your devices have been compromised, and Apple is pushing harder than ever before to find its vulnerabilities.

-Hannah Gallucci

Apple zero-days mark a new era of mobile hacking

200,000 Comcast Customers Hacked
Comcast recently announced that 200,000 customers will have to change their passwords. They found out that 590,000 Comcast accounts are being sold online for $1000, but they say that only 200,000 accounts are active. Comcast denies they were hacked and said that their users probably downloaded viruses or were phished, and their accounts were obtained that way.

“We’re taking this seriously and we’re working to get this fixed for those customers who may have been impacted, but the vast majority of information out there was invalid,” a company spokesperson said, according to the Washington Post.

The chief technology officer for Intel Security says that data breaches have been so common lately that it’s not surprising to see so much customer information for sale. They regularly monitor the dark web and see information like this for sale all the time.

Sam Chelini


XcodeGhost Malware

Recently thousands of apps on the Apple App Store were found with malware. They were infected by a program called XcodeGhost. XcodeGhost is iOS malware which is hidden in a modified version of Xcode, which is an IDE for iOS and OS X apps. The malware could be controlled from command and control servers, and it could steal Apple IDs and passwords and control the infected apps.

The infected apps are mostly Chinese apps because developers in China can’t download the official version of Xcode from Apple because of internet restrictions. XcodeGhost is hosted in China and developers are more likely to download it because it is much faster than downloading the official Xcode from Apple servers hosted in the US.

“Since the initial reports, possibly thousands more iOS apps have been identified as infected; iOS hackers Pangu Team said it found more than 3,400, while Appthority found 476 apps and Qihoo 360 listed another 350.” One of China’s most popular search engines, called Baidu, was infected and might have infected a ton of people.
Sam Chelini
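Both the Gatekeeper description in the first post and the XcodeGhost post above come down to the same practical question for a developer: is the copy of Xcode on this machine the one Apple signed, or a re-signed copy from a faster mirror? The following is an added example (not code from either post, and not Apple's) of two checks a developer can script before trusting a downloaded Xcode. It assumes that `spctl --assess --verbose <app>` on macOS prints a verdict line of the form `<path>: accepted` followed by a `source=...` line, that only the sources in `TRUSTED_SOURCES` should appear for a genuine Xcode, and that the developer has obtained the expected SHA-256 of the installer through a channel they trust; the `SAMPLE_OUTPUTS` transcripts and the `EXPECTED_XCODE_SHA256` value are constructed placeholders.

```python
import hashlib
import hmac
import re
import shutil
import subprocess

# Gatekeeper sources assumed legitimate for a genuine Xcode bundle.
TRUSTED_SOURCES = frozenset({"Mac App Store", "Apple", "Apple System"})


def parse_spctl(output: str) -> tuple[bool, str]:
    """Pull the verdict and signer source out of `spctl --assess --verbose` text.

    Assumed output shape (two lines):
        /Applications/Xcode.app: accepted
        source=Mac App Store
    """
    accepted = re.search(r":\s*accepted\s*$", output, re.MULTILINE) is not None
    m = re.search(r"^source=(.*)$", output, re.MULTILINE)
    return accepted, (m.group(1).strip() if m else "")


def gatekeeper_trusts(output: str) -> bool:
    """True only if Gatekeeper accepted the bundle AND the signer is one we expect.

    A mirror copy re-signed with some other developer's certificate can still be
    "accepted" (Gatekeeper only asks whether the signature is valid), so the
    source line is the part that distinguishes it from Apple's build.
    """
    accepted, source = parse_spctl(output)
    return accepted and source in TRUSTED_SOURCES


def assess_app(app_path: str) -> str:
    """Run spctl when on macOS; elsewhere report that the live check was skipped."""
    if shutil.which("spctl") is None:
        return "skipped: spctl not present (not macOS)"
    proc = subprocess.run(["spctl", "--assess", "--verbose", app_path],
                          capture_output=True, text=True)
    text = proc.stdout + proc.stderr  # combine: the verdict may land on stderr
    return "trusted" if gatekeeper_trusts(text) else "UNTRUSTED:\n" + text


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the digest so a multi-gigabyte installer is not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def digest_matches(actual_hex: str, expected_hex: str) -> bool:
    """Constant-time comparison of the computed digest with the expected one."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


# Constructed spctl transcripts: an App Store copy, a copy re-signed by a third
# party, and an unsigned copy.
SAMPLE_OUTPUTS = {
    "app store copy": "/Applications/Xcode.app: accepted\nsource=Mac App Store\n",
    "re-signed mirror copy": "/Applications/Xcode.app: accepted\nsource=Developer ID\n",
    "unsigned copy": "/Applications/Xcode.app: rejected\nsource=no usable signature\n",
}

# Placeholder: replace with the digest obtained from a trusted channel for the
# exact Xcode build being installed.
EXPECTED_XCODE_SHA256 = "<sha256 of the Xcode installer from a trusted channel>"


if __name__ == "__main__":
    for label, out in SAMPLE_OUTPUTS.items():
        verdict = "trust" if gatekeeper_trusts(out) else "do not trust"
        print(f"{label:22}: {verdict}")
    print("live check:", assess_app("/Applications/Xcode.app"))
```

The point of the `source=` check is the one the first post's Gatekeeper paragraph glosses over: a valid signature proves who signed the bundle, not that the bundle is the one you wanted. An attacker who can obtain any developer certificate can produce a Gatekeeper-accepted copy, so the signer identity, and where practical the installer digest, are what a developer should compare against.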