Do Macs get viruses? Do Macs need antivirus software? The answer isn’t as simple as it may seem. In this article, we look at the dangers faced by Mac users and the pros and cons of using Mac antivirus software.
Historically, the Mac has been considered to be safe and secure for a number of reasons that we will go into below, but in recent years that has shifted considerably. In its report on the State of Malware in 2019 here, Malwarebytes said it saw a: “Significant rise in the overall prevalence of Mac threats, with an increase of over 400 percent from 2018”.
The good news is that in its State of Malware report in 2020 Malwarebytes found that the amount of malware detected on macOS actually decreased by 38 percent. But before you breathe a sign of relief, Malwarebytes stated that the worst kind of malware, namely “backdoors, data stealers, and cryptocurrency stealers/miners, increased by more than 61 percent” in 2020.
As for 2021, Malwarebytes indicated that “Overall Mac detections decreased by 38%, though Mac detections for businesses increased 31%”. Malware might be falling, at least for consumers, but other kinds of annoying programs continue to increase: “Malware accounted for just 1.5% of all Mac detections in 2020–the rest can be attributed to Potentially Unwanted Programs (PUPs) and Adware,” said Malwarebytes of 2021.
It’s not only Malwarebytes that is reporting that viruses on the Mac is something to be concerned about: Apple is too! In May 2021 Apple’s software chief Craig Federighi took the stand at the Apple vs Epic trial and said that: “Today, we have a level of malware on the Mac that we don’t find acceptable.”
Federighi made the claim mainly to back up the need for an iOS App Store to protect iPhone and iPad users from malware on those devices. But he didn’t hold much back with regards to the malware situation on the Mac.
He revealed that 130 different cases of Mac malware have affected over 300,000 Macs since May 2020 and admitted that even members of his family had got malware on their Macs.
When the judge asked about the fact that Mac users can purchase and download software from various places on the Mac, rather than being limited to the Mac App Store, Federighi said: “Yeah, it’s certainly how we’ve done it on the Mac and it’s regularly exploited on the Mac. iOS has established a dramatically higher bar for customer protection. The Mac is not meeting that bar today.”
Federighi went on to explain that Mac users don’t download as much software as iOS users, so if iOS was as open to third-party downloads there would be a real problem for that platform. He said: “That’s despite the fact that Mac users inherently download less software and are subject to a way less economically motivated attacker base. If you took Mac security techniques and applied them to the iOS ecosystem, with all those devices, all that value, it would get run over to a degree dramatically worse than is already happening on the Mac.”
Finally, Federighi concluded: “Today, we have a level of malware on the Mac that we don’t find acceptable and is much worse than iOS. Put that same situation in place for iOS and it would be a very bad situation for our customers.”
So should Mac users start panicking now? To some extent there is reason for concern, but there are measures put in place by Apple at the operating system level that should protect Mac users from the worst malware threats.
As we will discuss below, Macs remains pretty secure thanks to a number of built-in security features that make attacking a Mac particularly challenging. These include Gatekeeper, which blocks software that hasn’t been digitally approved by Apple from running on your Mac without your agreement, and XProtect, which is Apple’s own antivirus built in to macOS. More on those security features below.
Can Macs get viruses?
The word virus gets used a lot more than it should be – a more accurate word would be malware. A computer virus is so called because it is capable of replicating itself and spreading. A virus is only one type of malware of which there are many, and unfortunately there have been cases on the Mac.
Adware: Once this malicious software is installed on a Mac it will show advertisements and pop ups for software – most likely for Potentially Unwanted Programs like those we will discuss next. According to Malwarebytes: “macOS’ built-in security systems have not cracked down on adware and PUPs to the same degree that they have malware, leaving the door open for these borderline programs to infiltrate”.
Potentially Unwanted Programs (or PUPs): Famous examples include Advanced Mac Cleaner, Mac Adware Remover, and Mac Space Reviver. These apps tend to hound users, which is part of their downfall, as due to the bad reputations of some of these apps the number of Macs affected has fallen, according to Malwarebytes. So it seems that people are at least wising up to these dodgy programs.
Ransomware: Ransomware has been detected on Macs – although the most recent case ThiefQuest / EvilQuest – didn’t actually work very well (in fact some would suggest it was pretending to be Ransomeware, but actually it was just transferring data). Either way, it was quickly identified and stopped.
Cryptocurrency miners: Criminals have attempted to use Macs to mine bitcoin and the like as in the case of LoudMiner (aka Bird Miner).
Spyware: Our data is incredibly valuable to criminals and spyware is designed to obtain this information. One example of this would be the Pegasus spyware that was know to have infected some iPhones. This was enough of an issue for Apple to announce that they will warn users of spyware attacks like Pegasus (more on that below).
Phishing: We’ve all received phishing emails and we all know the dangers, but as criminals get more sophisticated (and maybe even learn to spell) can we be sure we won’t fall for a phishing attempt to gain our data or log in details. You may think that you will never fall for a phishing attempt, but could you be as confident about your parents?
Trojan Horse: A Trojan is a kind of malware that is hidden, or disguised in software. There are various kinds of Trojans. A Trojan could, for example, give hackers access to our computers via a ‘backdoor’ so that they can access files and steal your data. Essentially the name Trojan describes the method by which the malware gets onto your computer.
It’s clear from these cases that there is a threat from malware on the Mac, and there are likely to be more cases in the future. Even the M1 Macs were targeted shortly after they were introduced in November 2020: the Silver Sparrow malware targeted both M1 Macs and Macs that use Intel processors.
One good thing is that Adobe ended support for Adobe Flash on 31 December 2020. At least this should reduce the number of cases of Mac malware disguised as the Flash Player arriving on the Mac.
Do Macs need antivirus?
Having just demonstrated that there is a the risk posed by Mac malware you might be thinking that it’s clear that Macs need antivirus, but that’s not necessarily the case.
Apple goes to great lengths to protect you from malware by making it almost impossible for you to download it in the first place, let alone install it.
For example, Apple has anti-malware protection known as XProtect built into into macOS that inspects every app for malware. Apple also has Gatekeeper, a feature of macOS that checks that any app you attempt to open or install has come from a certified developer.
Thanks to these features, before you can install an app, your Mac will check it against a list of malware, and even if there is no reason for concern it will not make it easy for you to open an application from a developer that it hasn’t approved.
In the next section we’ll run through all of these macOS specific features that should keep you safe from Mac malware, but keep on reading to find out why they may not be enough.
How Apple protects Macs from viruses
Macs are generally safer than PCs, but with the threat to the Mac growing due to the increasing popularity of the platform (both with consumers and with those who wish to target Mac users) Apple has had to build in protections to macOS and the Mac hardware itself.
In this section we will look at the inbuilt protections in macOS and will establish whether they are enough, or if you should also install antivirus software on your Mac.
How XProtect works
The Mac’s malware scanning tool, XProtect, works invisibly and automatically in the background and requires no user configuration. Apple has a list of malicious applications that it checks against when you open downloaded applications. XProtect is regularly updated by Apple, and it updates in the background, so you should always be protected.
This is similar to having antivirus software from a third party software developer running on your Mac, with the bonus of being written into the operating system and therefore it doesn’t hamper the speed of your Mac.
If you download and try to open files contaminated with malware, you may see an explicit warning that the files will “damage your computer”, along with a reference to type of malware. In that case you should delete the file immediately.
This is great news for Mac users, but is it enough? How does XProtect compare to the antivirus solutions out there? Well, XProtect may not be as up to date as some of the solutions and it doesn’t look for as many strains of malware as the third-party solutions do. Read our round up of the Best Mac Antivirus Apps.
How Gatekeeper works
Thanks to Gatekeeper, macOS blocks downloaded software that hasn’t been digitally signed – a process in which Apple approves the developer. This leads to the familiar error message when you try to use or install unsigned software: “[this app] can’t be opened because it is from an unidentified developer.”
GateKeeper can protect you by only installing software downloaded from the Mac App Store, or you can set it to allow you to install software from the web – but from verified developers.
One change to Gatekeeper that arrived in macOS Catalina includes software being checked for malware and other issues every time it runs, rather than just the first time you install it.
You can adjust these settings via the Security & Privacy section of System Preferences:
In Security & Privacy select the General tab
Choose from the options underneath Allow Applications Downloaded From.
Choose App Store or App Store and Identified Developers.
The safest option is App Store only, but if you also want to be able to install legitimate software from the web then App Store and Identified Developers is the best plan.
There used to be a further option to disable the feature by choosing ‘Anywhere’ but this option is no longer available.
All software downloaded via the App Store is signed, but should you attempt to open an app you have downloaded from the web that isn’t signed , you’ll only see a Gatekeeper warning like the one below:
This may mean that you have almost installed malware. Of course it may be a legitimate app in which case you can bypass Gatekeeper’s protection and install it.
To do so, go to the Finder and locate the app there. Now hold down Ctrl when you click on the app to open it and then select Open. This will mark it as being trusted. For more details on how to do this read: how to open an app from an unidentified developer.
This latter point might sound like a benefit, but it basically enables you to completely bypass the protections offered by Gatekeeper – and more and more malicious apps are instructing users to do exactly this when they are installed.
Sandboxing on the Mac
Software that is approved by Apple is also Sandboxed, which means apps do only what they’re intended to do. App sandboxing isolates apps from the critical system components of your Mac, your data and your other apps, so they shouldn’t be able to access anything that could allow them to do any damage.
It doesn’t protect you from malware but it does limit what the malware can do.
The main problem here is that while apps sold on the Mac App Store have to be sandboxed, other Mac apps don’t.
However, even without sandboxing, there are features built into macOS that should still stop apps snooping on your data. Since macOS 10.15 Catalina in 2019 it has been a requirement for all Mac apps to get your permission before they can access your files.
macOS will also ask for your permission before an app is able to access the camera or microphone, or log what you type, for example.
Another change that arrived with Catalina is that macOS itself is now stored on a separate disk volume (if you look in Disk Utility you’ll see your usual Home volume and a separate Home – Data volume). This means that your important system files are all completely separate and therefore more challenging to access. This should mean that no apps can get to your system files where they could cause problems.
Apple regularly issues security updates to the Mac. While these can serve to demonstrate that the Mac isn’t infallible, with Apple all too frequently having security flaws pointed out to it, they are generally issued promptly. However, it is currently the case that these security updates are issued as part of a macOS update – for example, macOS Monterey 12.2.1 closed a security vulnerability in WebKit that would have made it possible to execute malicious code on the Mac. Because these security updates are issued as part of a larger update to macOS, that often requires the computer to reboot during the install process, some Mac users may be less likely to install the update promptly, even though these updates can be set to install automatically.
In Ventura Apple will be separating out the security update from macOS updates and rolling these updates out automatically, this way the update can happen in the background, without a restart, and users won’t be affected.
Password protection – and Passkeys
Apple improved the way users can manage passwords in macOS Monterey and also made some changes to two-factor authentication. You can find all your Passwords in System Preferences > Passwords. You just need to unlock it with your password to see every password you have (you can also view this information on your iPhone in Settings > Passwords).
In Monterey there is also a new authenticator so you can set up verification codes instead of via an authentication app. To add a set up key you need to click on a password and then choose Enter Setup Key (which you should be able to obtain from the provider and once input the 2FA verification codes should automatically fill).
When macOS Ventura arrives in the fall Apple will be moving away for passwords to passkeys. Apple explains: “Passkeys use iCloud Keychain public key credentials, eliminating the need for passwords. Instead, they rely on biometric identification such as Touch ID and Face ID in iOS, or a specific confirmation in macOS for generating and authenticating accounts.” Passkeys are more secure, according to Apple. Essentially your device will hold one part of a cryptographic key pair and the other part of the pair will be stored by the website or service you are logging in to. Your device will authenticates you biometrically (with Touch ID or Face ID) and log you on. We don’t know if Passkeys will be ready for prime time when Ventura launches, but expect big changes with the next version of macOS.
In macOS Monterey Apple added a Recording indicator in the menu bar so you will know if an app is recording you – a little like the light that indicates the mic is in use on your iPhone.
Similarly, in macOS Ventura, any app that wants access to your pasteboard will have to request permission.
There is anti-phishing technology in Safari that will detect fraudulent websites. It will disable the page and display an alert warning you if you visit a suspect website.
Anti-phishing isn’t the only way that Safari protects you when you are surfing. Apple also allows users to stop advertisers tracking them around the web. You can see a Privacy Report including details of all the cross-site trackers Apple has stopped from profiling you.
You’ll also notice that plug-ins such as Silverlight, QuickTime and Oracle Java won’t run if they aren’t updated to the latest version – another way of ensuring your Mac is safe. And of course now that Adobe has discontinued Flash people should hopefully no longer fall for malware hidden in the Flash Player.
Safari will also flag up insufficient passwords and make strong password suggestions when you open an account on a website. This strong password will be saved in your iCloud Keychain so that you won’t have to remember it. It’s a lot safer than using the same password you always use. You’ll also be seeing warnings if you try to use a weak password and a prompt to change it to something safer. Also read about How Apple plans to retire passwords.
One issue with Apple’s suggested passwords is that sometimes they don’t match the website’s requirement, for example, a website may request one upper case, one special character, one number for a password. When Ventura launches this fall it will allow users to edit suggested passwords so that they can meet these requirements. This will be the case initially – as we explained above, passwords will eventually be replaced by passkeys at some point in the Ventura development.
New in Safari 15 (which arrived in 2021) were improvements to the Intelligent Tracing Prevention that arrived in Safari 14. Now web trackers won’t be able to see your IP address so they won’t be able to create a profile about you. Check this by choosing Safari from the Safari menu > Preferences > Privacy > Hide IP address from trackers.
A few years ago there was a lot of bad publicity for Apple when celebrities reported that their iCloud photos had been stolen. Read: How to stop photo hacks on iPhone. There have been a number of security enhancements in iCloud since this happened, plus Apple has handed users other ways to protect their photo privacy, for example the ability to hide photos and albums. In Ventura Apple is expanding this so that hidden albums – and the Recently Deleted album – will be locked by default, and only authenticated by Touch ID or Face ID.
macOS Monterey brought a new feature in Mail on the Mac. Mail Privacy Protection will improve privacy for users. For example, it will stop the senders of emails from being able to track whether you have opened an email, or even determine your location from your IP address. Check that the feature is working for you by opening Mail > Click on Mail in the menu > choose Preferences > Privacy > and make sure Protect Mail Activity is selected (it should be by default).
There are additional Mail protections if you are an iCloud subscriber. Hide My Email allows you to create an alternative email address that you can give out. The email will still be delivered to your inbox, but you can easily delete the alternative email later.
You can turn this on in System Preferences > click on Apple ID > and select Private Relay (currently in Beta).
In Ventura Hide My Email will be extended to third-party apps.
If you are an iCloud subscriber a new feature in Monterey (part of the upgrade from iCloud to iCloud+) is Private Relay. It is a little bit like a VPN in that it encrypts your network traffic and routes your DNS lookup requests through two servers, one of which is not controlled by Apple. However, it’s not a VPN because it only works in Safari and obviously it lacks the usual features of a VPN (if you want a VPN check out our round up of the best VPNs for Mac, you may even be able to save some money if you take a look at our round up of VPN deals, or try one of these free VPNs.)
You can manage your Private Relay settings in System Preferences > Apple ID > click on Options beside Hide my email. Here you will see any fake email addresses you are using – just click on Turn Off if you want to stop those emails arriving. YOu can also change which email address they are forwarded to.
A new feature coming in Ventura (and other OS updates in Fall 2022) is Safety Check, a feature that will allow anyone who is concerned that they are in danger from a person known to them to revoke any access they have granted to that person. So, for example, that person won’t be able to see their location, access their photos or anything else that could help them trace them.
File encryption with FileVault
In addition to Gatekeeper, which should keep malware off your Mac, FileVault 2 makes sure your data is safe and secure by encrypting it.
If you are concerned about someone being able to access the files on your Mac you can encrypt them using FileVault, which will mean only you can unencrypt them. Read our tips for keeping your mac secure, of which using FileVault is one.
Apple announced in November 2021 that it will warn its users of state-sponsored espionage attacks, such as the well publicised Pegasus spyware, on their iPhones, iPads and Macs.
The notification will come via email or messages. The same warning will be displayed on the user’s Apple ID page at appleid.apple.com.
The warning will offer advice about how the affected users can protect themselves against attack. More information on Apple’s site.
Not every threat to your data comes from malware – sometimes a criminal might get hold of your Mac, in which case Apple’s Find My service will come into its own.
The Find My app can relay location of your lost or stolen Mac back to you. If you are concerned that it might not be recoverable you can wipe the contents of the Mac so that your data can’t be accessed.
In addition, all M1-series, M2 Macs, and Macs with the T2 chip have an Activation Lock feature that means they can be able to brick the Mac remotely.
When Apple’s security measures aren’t enough…
All the above is great, but unfortunately there have been cases where Gatekeeper has been bypassed because malware has got an approved developer signature. For example OSX/CrescentCore was able to bypass Gatekeeper because it was signed by a certificate assigned by Apple to a developer. It took Apple a few days to retract that certificate.
It isn’t only when malware get’s a certificate from a registered developer. In the case of OSX/Linker, a zero-day vulnerability in Gatekeeper was being exploited.
Zero-day threats mean there are “zero days” to fix the vulnerabilities, although often a legitimate developer discovers the vulnerability and lets the developer know about it. There is usually a 90-day deadline for the fix to be made available. Some times the developer doesn’t act in time and the exploit is publicised.
Apple normally reacts quickly, although there have been cases where the company has ignored the identified vulnerability, such as when a teenager reported the Group FaceTime vulnerability that meant someone could listen in to a call and Apple failed to act. There’s more about how Apple reacts to security threats next.
When Apple is made aware of a threat the company usually issues a security update to the latest version of macOS and to the two versions prior to it. This way Apple will protect users from vulnerabilities and flaws in macOS that could be utilised by hackers.
Normally the advice would be to install the update immediately. However, for example a Sierra and High Sierra security update in July 2019 was subsequently pulled after people experiences problems after installing it.
How Apple responds to security threats
Despite the security measures Apple has in place, from time-to-time there are threats to the Mac.
Apple has its own security research team, but it depends on users and independent researchers to help by reporting any flaws they find in Apple products.
To this end, Apple has an incentive program that rewards such discoveries with payments of up to $200,000, depending on the seriousness of the flaw. But it was the last major tech company to set up such a scheme. (Microsoft set up its own bug-reporting incentive programme in 2013, and was itself criticised at the time for leaving it so late.)
On 4 August 2016, Apple security boss Ivan Krstic announced the Apple Security Bounty Program. “We’ve had great help from researchers in improving iOS security all along,” Krstic said. “[But] we’ve heard pretty consistently… that it’s getting increasingly difficult to find some of those most critical types of security vulnerabilities. So the Apple Security Bounty Program is going to reward researchers who actually share critical vulnerabilities with Apple.”
The top reward is $200,000, given to those who discover vulnerabilities in Apple’s secure boot firmware components; for less critical flaws the bounties drop through a series of smaller figures to a bottom tier of $25,000. Wired has the details.
We imagine most Mac users will be pleased to hear that Apple has an incentive programme to encourage more widespread reporting of its vulnerabilities. Incentivising security researchers to let Apple know about a flaw instead of passing it on to hackers (which may still, sadly, be more lucrative) makes Apple products safer for everyone.
One such flaw was the High Sierra root bug, discovered on 28 November 2017. This flaw in macOS 10.13 could allow access to settings on a Mac without the need for a password. Apple immediately issued a statement confirming that it was working on a fix and an update was anticipated to be issued within days.
How to keep your Mac safe from malware
Apple does a lot to keep your Mac safe, but you have to work with it, installing updates when they arrive, not clicking on suspicious links in emails, not installing Flash, and so on. There are also some third party antivirus apps you could try – we have a complete guide to the best antivirus for Mac here.
Here are a few of the things you should do:
1) Keep macOS up-to-date
Despite what we said above about the security update Apple later retracted, normally the advice would be to install a security update as soon as possible.
Apple addresses flaws and vulnerabilities with the Mac by issuing updates to the Mac operating system, it is important to keep your Mac up to date. We advise checking regularly for OS updates remains a key part of a sound security strategy.
You can set your Mac to automatically update as soon as a new version of the operating system is made available. Follow these instructions to set that up:
How to automatically install macOS updates
Open System Preferences.
Click on Software Update.
Tick the box beside Automatically keep my Mac up to date.
Or, click on Advanced and choose from automatically: Check for updates, download new updates when available, Install macOS updates and Install app updates from the App Store.
How to automatically install High Sierra or older software updates
Open System Preferences.
Click on App Store.
Tick the box beside Automatically check for updates.
You can choose to download the newly available updates, if you want them to install automatically though you need to make sure the box beside Install macOS updates is checked.
How to manually install macOS software updates
If you’d rather not let your Mac automatically update, you should periodically check to see if there is an update to your version.
In macOS High Sierra and earlier you can go to the Mac App Store and check for updates.
In macOS Mojave and newer you need to go to the Software Update pane in System Preferences.
You may need to restart your computer once the update has downloaded. You can expect a typical 460MB download to take about 8 minutes (during which time you will still be able to work) but for a large update you will have to restart and install and that could take as much as 20 minutes, bringing the total install time to about 25 minutes in total.
Beware of connecting to a public Wi-Fi network as there may be someone spying who could gain access to your passwords and other private information, or you could have your session hijacked. Snoopers can set up their own Wi-Fi hotspot, pretending to be your hotel or coffee shop, then once you have connected they can grab any data you send over it. In the past there have been flaws detected in the OS that could allow access to your Mac, such as the SSL error in an earlier version of Mac OS X that meant it was possible for a hacker to access your machine if you were using public WiFi.
3) Don’t install Flash
Adobe discontinued Flash on 31 December 2020 with good reason. Intego, Malwarebytes and others recommended that you shouldn’t install Flash Player. Fake Flash Player updates have often been the means by which people install malware. For example, people want to watch or download a popular movie or TV series for free and they find a search result that leads to a request to update Flash Player in order to view the content. There is no need to install Flash Player now that HTML5 has made Flash obsolete. Now that Flash is no longer be supported the advice is simple: Don’t use Flash!
4) Keep Java up to date on your Mac
If you must use Java (which is also problematic) then make sure it’s up-to-date. Vulnerabilities with Java have highlighted the fact that there are cross-platform threats that even Mac users need to be aware of. Apple blocks Java by default, leaving it to the user to decide whether to install those tools. If you do need to update them be very careful where you download updates from!
5) Avoid falling foul of phishing emails
Protect yourself from phishing attacks not responding to emails that require you to enter a password or install anything. You could also use free software such as BlockBlock or XFence (formerly Little Flocker) installed. That way even you were to carry out the steps to launch the malware, it would not be able to write files or mark itself as launching on startup.
6) Don’t fall for Facebook scams
Facebook scams are usually designed to harvest data about the most gullible people, so if it seems like it might be too good to be true it probably is and you’d be wise not to share it on Facebook. At best you might just look silly and those scammers will start to target you with more scams, at worse scammers can access your personal data and that of those you share their post with. So don’t click on a link just because a friend shared it and definitely don’t give out your personal data on Facebook.
Is antivirus software necessary for a Mac?
As we’ve explained above, it’s certainly not an essential requirement to install antivirus software on your Mac. Apple does a pretty good job of keeping on top of vulnerabilities and exploits and the updates to the macOS that will protect your Mac will be pushed out over auto-update very quickly.
However, sometimes Apple doesn’t respond as quickly as Mac users might hope. In that case, there are some free and paid for antivirus apps that might give you some peace of mind.
Beware that due to the fact that people are so concerned about malware threats on the Mac there have been cases of malware actually disguising itself as an antivirus app, most recently Mac Auto Fixer pop-ups have appeared suggesting that software needs to be installed (at a high price). This is similar to another fake antivirus app called MacDefender which has been doing the rounds for some time.
Another Mac antivirus company that is often thought of as unscrupulous is MacKeeper. In the past various reports have suggested it is a scam or at worst malware. In recent times MacKeeper has attempted to transform itself and leave its disreputability behind. It has, for example, gained Apple Notarization – which means the software is checked by Apple for malicious components. The company has also been working to get certifications from various bodies to prove it isn’t a PUP, including an AV-Test certificate. If you have any problems with MacKeeper we do explain how to remove it here: How to uninstall MacKeeper.
How to tell if a Mac has a virus
Look out for the following signs that your Mac has been infected with malware:
Aggressive web page banners and browser pop-ups recommending software.
Web page text turning into hyperlinks.
Programs appearing that you haven’t authorized.
Mac runs hot.
Mac speeds up for no reason.
If you think something suspicious is happening, open Activity Monitor and click on the CPU tab. Check what software is running – especially if something is hogging a lot of your resources.