Mac Malware in 2024, and Should We Trust Cyber Trust? – Intego Mac Podcast 378
Posted on by Kirk McElhearn
The US Federal Communications Commission has introduced a Cyber Trust Mark intended to educate consumers on the security of smart devices. We discuss how it’s supposed to work. And we take a look back at the top malware stories from 2024.
- White House Launches “U.S. Cyber Trust Mark”, Providing American Consumers an Easy Label to See if Connected Devices are Cybersecure
- U.S. Cyber Trust Mark
- Apple will pay $95 million to people who were spied on by Siri
- Cryptocurrency wallet drainers stole $494 million in 2024
If you like the Intego Mac Podcast, be sure to follow it on Apple Podcasts, Spotify, or Amazon.
Intego Mac Premium Bundle X9 is the ultimate protection and utility suite for your Mac. Download a free trial now at intego.com, and use this link for a special discount when you’re ready to buy.
Get Apple security news delivered straight to your inbox, for free. Intego’s twice-monthly newsletter will keep you informed about Apple-related privacy and security, along with tips and tricks for getting the most out of your Mac or iPhone. Subscribe for free—no strings attached.
Transcript of Intego Mac Podcast 378
Voice Over 0:00
This is the Intego Mac podcast—the voice of Mac security—for Thursday, January 9, 2024. This week’s Intego Mac podcast security headlines include: the US Federal Trade Commission has introduced a Cyber Trust Mark intended to educate consumers on the security of smart devices. We discuss how it’s supposed to work. And we take a look back at the top malware stories from 2024. Now here are the hosts of the Intego Mac podcast. Veteran Mac journalist Kirk McElhearn and Intego’s chief security analyst, Josh Long.
Kirk McElhearn 0:40
Good morning. Josh, how are you today?
Josh Long 0:44
I’m doing well. How are you, Kirk.
US FTC introduces Cyber Trust Mark
Kirk McElhearn 0:48
I’m doing fine. Josh, we’ve got some interesting news this week, and we want to start out with something that we discussed, I want to say, six months ago about how the US had planned something called the Cyber Trust Mark. Now one of Josh’s idées fixes is that he goes on about how routers don’t get security updates and that they’re unsafe to buy. And don’t buy a router on Black Friday because you don’t know when it’s going to get a security update. And we’ve talked about this problem of companies not saying how long they’re going to give updates, and you never know when it’s going to get an update. In fact, you almost bought a new router recently because it hadn’t gotten an update, and then what do you know? It got an update for the first time in a year. So what the US Federal Trade Commission has done is come out with the Cyber Trust Mark, which is something that is going to be, I don’t know, a label that verifies that a connected device is cyber secure, but it’s more than that. It’s going to have a QR code that you can scan and get information about the device. Apparently, there are 11 companies that are going to be testing devices to ensure that these are all for Internet of Things, smart home devices, etc., to ensure that they are safe and secure and they don’t have vulnerabilities. And there are problems with this because there are so many devices, and how often are they going to check them? I don’t know if I can trust Cyber Trust.
Josh Long 2:03
Well, that is a good question. I like the idea behind this. Similar ideas have come up multiple times, and the US has been working on this for years now, this whole idea of a label that you can put on a product where you can not just trust whatever is on it, but you can actually scan it to get current information about the security of that product. I think in general, that kind of sounds like a pretty good idea. I have had a couple of reservations about this concept. One is that, well, first of all, you’re scanning a QR code, which is a bit problematic from the perspective that anybody can come along and just stick a sticker on it. I mean, if you’re talking about a retail establishment, where you’re going to, like, you know, a store, like Best Buy or Costco or something, and they’ve got some great deal on some hardware, and so you want to check it out. And in those kinds of environments where you’ve got a physical product in front of you, and you’re actually scanning a QR code on a physical product, it’s possible for somebody to stick a sticker over the top of that and redirect you to somewhere else.
Kirk McElhearn 3:11
It’s not just in the store that that could happen. Someone in the distribution chain could do this as well. Someone who’s imported devices may want to put a different sticker on a device than what the original manufacturers put on it.
Josh Long 3:23
Well, I guess that’s true. That’s a good point. Yeah, it can happen in different places in the process.
Kirk McElhearn 3:29
These are the kinds of things that, when we discussed this a year or so ago, we thought should be available from this sort of scanning. So it’s going to tell you how to change the default password, which is really important for routers, because they all have a default password, and you can search for your router on the internet and find what the default password is. It’s going to tell you how to configure the device securely. It’s going to tell you whether updates and patches are automatic, and if not, how you can access them. And it’s going to tell you the product’s minimum support period, end date, or a statement that the device is not supported by the manufacturer, and the customer should not rely on the manufacturer to release security updates. That’s a little bit vague. I do want to point out that the FCC says that this is a QR code that you can scan with your wireless phone. So if you have a wired phone, you can’t scan the QR code.
Josh Long 4:15
Okay. Well, that’s good to know. I guess one of the things that is a little bit concerning to me here, first of all, how to change the default password, which automatically assumes that there will be a default password, which is not best practice in the first place. Now, you could interpret that to mean that maybe they’re having a different default password for every device, and how to change that password. So okay, and that’s acceptable.
Kirk McElhearn 4:41
Every time I’ve gotten a router from an ISP in this country, it has a default password on the box that is a random bunch of characters, so it’s printed for each individual device. It has a label on the router on the box, right? So it’s a default password.
Josh Long 4:55
Right. But here’s the thing that concerns me a little bit more than that. This is a direct quote from the US Cyber Trust Mark site. This is one of the bullet points: “the product’s minimum support period, end date, or a statement that the device is not supported by the manufacturer and the consumer should not rely on the manufacturer to release security updates.” So if at some point they stop supporting that product and you scan that QR code, then you’ll know that they’re no longer supporting that product. Theoretically. This is assuming, of course, that the manufacturer has notified the people who operate the Cyber Trust Mark that they are no longer supporting that product. There’s a lot of assumptions there. And the other problem with this too is, what if, let’s say I’m comparing two different products, right? Let’s say I’ve got two products that I’m considering buying, and the one difference between them is that one of them says the minimum support period, end date, and the other one just says it’s currently supported. Now, if I don’t know any better, I might assume that the latter is better, because, well, that might just mean that they’re going to continue supporting it for, you know, years and years to come. But it might be that the company that actually bothered to put an end date on the product is going to support it longer. I don’t actually know that as a consumer.
Kirk McElhearn 6:19
But see, that actually gets quite complicated, because I’m just looking at Amazon’s website. On the web page for the newest Kindle: “This device receives guaranteed software security updates until at least four years after the device is last available for purchase as a new unit on our websites.” Now there’s no way that they can tell the FCC, or whoever manages this database, when that last available date is until that last available date is in the past.
Josh Long 6:48
Well, okay, now that’s a fair point. I think that what Amazon could do for something like this is every month they update the entry for that particular product on the Cyber Trust Mark website, so that it extends it another month, because they’re now selling that product for an additional month.
Kirk McElhearn 7:05
So here’s the problem. We don’t know how this is going to be updated, so let’s assume a device has to be tested when it’s first sold. Okay. What about when there’s an update? Does it have to be tested again to make sure that it’s still secure? If something has changed on the device, such as settings have changed, is it going to be updated to tell you how to configure it securely and change the default password? So all of this implies that potentially millions of devices need to be constantly updated in a database and checked every single time. We’re probably going to talk later about Apple’s lax approval of apps on the App Store. Imagine how this is going to happen with this database, which we don’t know who really manages, if there’s no follow up, and every time a device is updated, there’s a new update in the database.
Josh Long 7:55
Well, I guess, to summarize all of this, it’s complicated, right? Like, I think it’s a good idea that there is a Cyber Trust Mark. I think the whole concept of it is pretty good, but it still may not give you a precise, clear picture of one product being better than another. Now, I would say that in, let’s say, a year from now, they’re starting to roll this out. Over the course of this coming year, companies will be able to apply to get a Cyber Trust Mark for their products. Let’s say, a year from now, a lot of manufacturers are starting to use this. If I still can’t get a clear picture about which product is better than another based on scanning the Cyber Trust Mark, then I don’t know that this really did a whole lot for us, other than just give us something else to check whenever we’re evaluating new products.
Kirk McElhearn 8:48
Okay, so Amazon has already said that they’re going to put this information on their website, and let’s assume you’re looking at two similar devices on Amazon, and one has the trust mark and one doesn’t. That might weigh your decision in the direction of the one that has a trust mark, even if you don’t know what it means, or if you don’t know what kind of information is behind it, right?
Josh Long 9:09
And I think that’s actually part of the idea, because you don’t want to buy some, you know, junk Internet of Things from, you know, some country overseas that maybe does not have best practices in mind, and they’re, they’re just trying to crank out a bunch of products just to make some profit, right?
Kirk McElhearn 9:27
Are you thinking of any specific country overseas?
Josh Long 9:31
I’m not gonna. I won’t name any particular countries, but I’m just saying there might be some countries out there that just produce a lot of Internet of Things, kind of garbage. So, you know, I’m just saying, I’m just saying, you know, having the Cyber Trust Mark is probably better than not having a Cyber Trust Mark. So in the future, if those are the products you’re comparing, one that doesn’t have it at all, then I would say, probably go with the one that does have it, right.
Kirk McElhearn 9:56
And that’s the whole point of this, because the bigger companies are going to know that there will be people who take this into account when they’re deciding what to buy, and they will apply for this for their devices. Whether or not it makes a real difference in terms of how often the router is updated, we don’t know. But if the company thinks that having this is like a bonus, it’s like having a gold star, it’s like having higher reviews on Amazon, for example. And if companies see this as valuable, then they may lean into it. Now what I could see happening is that if companies do use this but use it incorrectly, then hopefully the tech press will pay attention and call these companies out. So this could be something that, as it gains critical mass, will be, I don’t want to be self-policing, but in the sense that we do have a tech press that does look at this sort of thing, like, you know, anywhere from us to the big tech websites, it’s something that they might start highlighting when they review new products. Okay, so there’s a story that’s been making a lot of news, and I’ve been hearing from a lot of people that are curious about this story: Apple has agreed to pay $95 million to people who were spied on by Siri. First of all, I want to modify that figure. Apple has agreed to pay $95 million to people, many of whom include lawyers, who are probably getting 30 or 40% of that; the people who were supposedly spied on by Siri are going to get 20 bucks each. So it’s not like there’s a lot of money going around. But here’s the thing: Apple did not admit anything. Apple basically decided to agree to this $95 million settlement. As an Apple spokesperson said to The Verge, we’ll have a link in the show notes:
“Apple settled this case to avoid additional litigation so we can move forward from concerns about third party grading that we already addressed in 2019. We use Siri data to improve Siri, and we are constantly developing technologies to make Siri even more private.” I want to even go further and speculate that Apple wants to get this under the rug before the new improved Apple Intelligence Siri comes out in a few months.
Josh Long 11:56
Yeah, and I think that is an important part of the story. First of all, a bunch of headlines have been very misinformational, implying or just outright stating Apple was guilty and had given information to marketers or whatever. And that’s not actually the case. Here’s the other part of the statement that an Apple spokesperson gave to The Verge: “Siri has been engineered to protect user privacy from the beginning. Siri data has never been used to build marketing profiles, and it has never been sold to anyone for any purpose.” Meaning, Siri data has never been sold to anyone for any purpose. There might be some weasel words in there, because we know this Apple spokesperson very likely got this exact wording of the statement from their legal department, right? And so the weasel words might be “has never been sold to anyone for any purpose.” So you could maybe interpret that to say that, oh, well, that could mean that Apple has given data or traded data with other organizations. I think even that probably is stretching it. But in any case, I would say overall, this is kind of a non-story. This is not something that people really need to worry about. Siri is not constantly listening to you and spying on you. However, if you’re really concerned about this, you can turn Siri off, or at the very least, I recommend turning off the Siri wake word first of all, and the other thing you can do is you can turn off all the analytics settings. If you search in the Settings app for analytics, all of those toggles, including ones related to Siri, can be completely turned off.
Kirk McElhearn 13:34
Okay, we’re going to have a link in the show notes to an article on the Intego Mac Security Blog. I just want to add one more. This settlement only applies to a subset of US based people. I’m not sure what that means. Who owned or bought a Siri enabled iPhone, iPad, Apple Watch, MacBook, iMac, HomePod, iPod Touch or Apple TV between September 2014 and December 2024. A user would also have to meet one other major criterion: they must swear under oath that they accidentally activated Siri during a conversation intended to be confidential or private.
Josh Long 14:02
Wow. (Yeah) Okay.
Kirk McElhearn 14:05
Okay, we’re gonna take a break. When we come back, we’re gonna talk about the year in malware. In 2024 there was a lot of malware that affected the Mac.
Voice Over 14:14
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection, NetBarrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware, and much more to help protect, secure and organize your Mac. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com, and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users, made by the Mac security experts.
What was the most prominent malware of 2024?
Kirk McElhearn 15:25
We’ve got one category of malware that has been extremely active in 2024, but there’s a new category that I had never heard of. It is a “drainer”: drainer malware, cryptocurrency wallet drainers, stole, apparently, nearly half a billion dollars in 2024.
Josh Long 15:42
Yeah. Well, it’s kind of the same thing, really. It’s just a different name for it, because we talk about stealer malware all the time; that’s the word that we usually use on the podcast. But yes, wallet drainer is the same thing. It’s just stealing information that you might have, such as cryptocurrency or maybe NFTs or whatever. It’s nerdy stuff for the most part, that probably a lot of our listeners are not into. But you know, it’s good to know that this type of stuff is out there, and it does steal more than just stuff from your cryptocurrency wallet. So a lot of times stealer malware, and this is the other reason why we usually call it stealer malware, is because it will steal other things; it will attempt to extract your password database and things like that, and send that off to the malicious party. As far as the particular part of cryptocurrency being stolen, this organization called Scam Sniffer claims that close to 500 million, so nearly half a billion dollars, was stolen in 2024 based on their data and estimates. And that gives you some idea of how prevalent stealer malware really is, and it has gotten really big over the past year, especially on the Mac.
Kirk McElhearn 16:57
Surprisingly, another noteworthy trend, according to the article in BleepingComputer that we link to in the show notes, is the increased use of Google ads and Twitter ads as a source of traffic to phishing websites. And you’re constantly talking about Google ads. I’ve got an ad blocker. I don’t see them, but I can understand that people who don’t use ad blockers see these Google ads. They think they’re legitimate, but they’re not, right?
Josh Long 17:16
And as we often remind people, usually the first result when you’re just doing a Google search, very often the first result is going to be an ad, and it may not be super clear if you’re not looking for it. The ads are not necessarily bought by the company that appears to have purchased that ad. That’s really where a lot of these malware and scam websites, how they really propagate, is because they’re buying up ads that look pretty much identical to the actual legitimate ads from these companies, just so they can get enough people to click on them and download malware, or, you know, phish them, or whatever it might be.
Kirk McElhearn 17:58
Okay. So malware in 2024: stealer malware was the one category that we saw throughout the year, and in fact, one of them was called Atomic Stealer, which spread via malicious Google ads, which you just explained. But there were all sorts of stealer malware, which seems to be the, I want to say, this is like the minimum, obligatory type of malware these days. You know, I remember the days of Flash Player updates and phishing, and I mean, there’s plenty of phishing problems, and we’ll talk about those as well, with phishing scams that come by email from legitimate services, but stealer malware is all over the place. And why is this happening all of a sudden? A few years ago, we rarely saw this.
Josh Long 18:38
Well, I think there’s a few different things. One of them is, first of all, these typically come via a Trojan horse, so in other words, an app that masquerades as another app. And so these are very simple in terms of how they’re constructed. So they just look like any other app. So you download them thinking that you’re getting some legitimate software, you double click on it, just like you normally would, and then your computer ends up infected with malware. Trojan horses have been around forever. I mean, practically since the beginning of malware in the first place. This is just sort of a twist on that, where one of the things that the malware is actually doing in the background is it’s stealing data, and not necessarily just data, either. So I think part of the reason why this has become more prevalent is because they know that people are increasingly using cryptocurrency, and so people are more likely these days than they have been in the past to have cryptocurrency on their computers.
Kirk McElhearn 19:43
I thought that the sandboxing in macOS was supposed to prevent this sort of thing. I thought that apps couldn’t do this kind of stuff, that Apple told us that, you know, these devices were so secure, and they have all these alerts. You know, can this app do this? Can this app do that? And you have to approve everything. How come these get through the sandboxing and are able to steal so much stuff?
Josh Long 20:06
Well, one reason is because very often, during the installation or setup process for an app, they may prompt you for your administrator password. So most people, when they’re installing software, they’re probably used to this happening often enough where they have to just type in their password to continue. People don’t really think twice about it. They just go, oh, okay, it’s asking for my password. I’ll type in my password. What they don’t realize is that sometimes, when you’re typing your password, if you’ve got malware on your machine and it’s asking you for your password, you don’t know that you have malware. It may actually be using that as a way to grab your administrator password so that it can authorize itself to do the other things that it wants to do, like stealing data from other parts of the system that the sandboxing should theoretically prevent. The other thing that apps can do is they can request full disk access. If that’s something that the user grants to the app, if they think that there’s a legitimate reason why it might need that, then they can grant that permission, which will then, from then on, give that app access to everything on the disk, not just the sandboxed areas.
Kirk McElhearn 21:19
If you want to check this, you can go into System Settings on your Mac, Privacy & Security, and then Full Disk Access, and you’ll see a number of apps that have requested full disk access and that you’ve authorized. Now I’m looking at mine. There are some that I’ve authorized and some that aren’t authorized. I’m actually kind of surprised that certain ones are not authorized, but if you see an app that’s unfamiliar there, then you should definitely turn it off and actually look for the app and delete it, potentially, if you see an app that you don’t expect to see there. Of course, I see in mine smbd, which is Apple’s executable, which is part of the operating system that handles the SMB file sharing protocol. So why should that be listed in Full Disk Access when it’s not even something that I have an option to turn on or off? I assume that that gets enabled when I turn on file sharing. But I shouldn’t see that, right?
Josh Long 22:08
Well, that is the problem with going in and manually disabling things from this list. So unfortunately, Apple has put some things in here that are like background system processes that, you know, the average person looking at this list is not going to be able to easily identify: oh, okay, I know what that is; that makes sense for that to have access to the full disk. So be careful about going through this list, but at the very least, you might be able to get an idea of apps that you have installed, where it’ll give you the icon of the app and the name of the app. And for those kinds of apps, if you have no idea, if you don’t think there’s any legitimate reason why it needs full access to the disk and it’s currently enabled, you can turn it off.
Kirk McElhearn 22:54
And if you’re curious, right click on an app and choose Show in Finder, and you’ll see where it is. We did have some other malware. One that I found interesting was Intego discovered a fake web browser. There is the Arc web browser. It had a unique AppleScript malware component. AppleScript is a pretty basic scripting language. It’s not often used for malware, right?
Josh Long 23:14
Occasionally we do see AppleScript being used as the method to sort of get the user to give over their password. So sometimes an AppleScript dialog box is actually what the bad guys are using behind the scenes. You may not realize it’s AppleScript because it’s just a dialog box, but sometimes they do use AppleScript for that specific purpose, and that’s what we saw with this Arc browser. Now interestingly, this was also yet another Atomic Stealer variant. So once again, it was stealer malware that was masquerading as a legitimate web browser.
Kirk McElhearn 23:50
All right. So the last ones, I really love these names: BeaverTail and InvisibleFerret. I mean, this is malware that was targeting job seeking Mac users, so people who were looking for jobs on LinkedIn. Is that it?
Josh Long 24:01
Right. So this malware was attributed to potentially North Korean threat actors; that is the belief about who created this malware. So BeaverTail and InvisibleFerret are related malware that have been used on Macs to not only steal information, but to do some other things as well. They have the capabilities of, for example, key logging, keystroke logging, which we don’t see as much anymore on the Mac. But that is another thing that malware can do that obviously you don’t want it doing because, well, it can get things like your usernames and passwords as you type them in, and things like that. So key logging and a number of other things besides just information stealing. So this is pretty sophisticated malware. At the time that it came out, this was fully undetected, at least as far as the major engines on VirusTotal, which is a site that, if you upload a malicious file, will check it against about 60 different malware engines to see if any of them detect it, and at the time, it was not detected by most of them. Now that’s not to say that it wouldn’t have been detected once it got to a certain stage of execution. So for example, there are some behavioral detections that may not necessarily get picked up by VirusTotal, but at least the files themselves were generally not detected at the time that this malware was first discovered.
Kirk McElhearn 25:29
So a keystroke logger records every key you type, so, as you say, your username, your emails, your messages, et cetera. Can it also record items that are autofilled in your browser, such as when Safari autofills your username and password or your credit card? That’s a good question.
Josh Long 25:44
I would say not. It can’t necessarily get things from the autofill. However, the stealer component of it will probably be able to extract the data that’s set up as autofill data from your various browsers. So it’ll find another way to do it.
Kirk McElhearn 26:03
Okay. One last one. HZ RAT. It gives attackers backdoor access to Macs. Now, backdoors are really serious. In fact, backdoors are probably the most serious thing that can happen, because basically, someone remotely can connect to your computer and do anything they want, as if they’re sitting in front of your computer.
Josh Long 26:22
This particular RAT, or remote access Trojan, is interesting because it originated on Windows, and then it appears to have been ported to Mac. Now, HZ RAT is interesting because not only do we not see RATs a lot on Macs; a couple of years, what was it, two, three years ago at least, we did see several all in the same year. This year, or this past year, that is, 2024, has definitely been the year of the stealer malware on the Mac. But in particular, I think it’s really interesting to see that, once again, Windows malware has been ported to Mac. We’ve seen this in the past. We see this every so often, where some piece of malware that’s really prolific on Windows will eventually get ported to Mac as well. So just because you have a Mac does not mean that you’re immune to malware. In fact, it’s only really a matter of time before the bad guys just decide, okay, well actually, you know what? They’re about 10% of the computer market, I might as well target them too. Again, if they can make a profit off of you, which, again, even RATs will often do things like stealing data from your computer. So if they can potentially use information on your computer to ransom you, or just to steal your wallets or your passwords or other information that could be used to break into your other accounts, like your bank account, potentially, the bad guys are going to do whatever they got to do.
Kirk McElhearn 27:48
Okay, that’s enough for this week until next week. Josh, stay secure.
Josh Long 27:53
All right, stay secure.
Voice Over 27:55
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us in Apple Podcasts or subscribe in your favorite podcast app, and if you can, leave a rating, a like or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.