The Mac and iPhone malware of 2024—and what to expect in 2025
Posted by Joshua Long
In a recent article, we reflected on the top security and privacy news that impacted the Apple ecosystem in 2024. Today, it’s time to review the most notable Mac malware and iPhone malware campaigns of the past year—and even what could be considered the first Apple Vision Pro malware. We’ll also forecast what we can expect to see more of in 2025.
In this article:
- A chronological overview of 2024’s Mac and iPhone malware, by month
- Malware forecast for 2025
- How can I learn more?
Mac malware and iPhone malware chronology of 2024
Following are some notable events in macOS, iOS, and visionOS malware in 2024, broken down by month.
January
- SpectralBlur, a backdoor linked to North Korean threat actors, was discovered
- A new variant of the ZuRu backdoor was discovered in pirated Mac apps
- Atomic macOS Stealer (AMOS) spread via poisoned Google Ads
February
- Apple allowed a fake LastPass app called “LassPass” into the App Store; it was an iOS and iPadOS compatible app that could also run on macOS and visionOS; it’s therefore the first-ever malware for Apple Vision Pro, which debuted in February
- Apple allowed two fraudulent crypto apps into the App Store, mimicking Curve Finance and Rabbit Wallet; this reportedly led to more than $100K in stolen cryptocurrency
- PyStealer, Python-based stealer malware, was discovered, pretending to be a legitimate Mac app
March
- Apple allowed yet another fake cryptocurrency app into the App Store, this time mimicking PancakeSwap
- An unethical app designed for movie piracy reached #2 in Entertainment in the U.S. App Store; this was a potentially unwanted app (PUA/PUP) from an unscrupulous developer, and may not have contained malware-like functionality; however, it demonstrated how careless Apple’s reviewers can be, and how Apple can directly profit from in-app purchases in criminal apps
April
- Stealer malware functionality was found embedded in CloudChat, a messaging app for Mac
- A new macOS variant of the LightSpy iOS implant was discovered
- Intego discovered several new AMOS stealer malware variants; these masqueraded as apps called File Juicer, Debit & Credit, an NFT trading card game called Parallel, and Notion
May
- Cuckoo AMOS malware masqueraded as Homebrew; Intego quickly discovered previously undocumented variants after the initial report surfaced
June
- Intego discovered a Trojan horse masquerading as Arc, the Web browser; this was an AMOS variant that included a unique AppleScript malware component
- Google admitted that nearly 1 in every 100 installations of Chrome browser extensions contains malware; not all of these malware threats necessarily impact Macs
- Poseidon infostealer malware also masqueraded as Arc, as well as AGOV Access—an app claiming to be affiliated with the Swiss government
July
- BeaverTail and InvisibleFerret APT malware were discovered; they were bundled with a Trojanized version of MiroTalk, a chat app
August
- CthulhuStealer malware-as-a-service surfaced
- TodoSwift, a Trojan horse for Mac disguised as a PDF, was discovered and linked to North Korean hacking groups
- Banshee Stealer, a new Mac stealer malware-as-a-service, was discovered
- HZ RAT, primarily known as Windows malware, was discovered to have a macOS variant
September
October
November
- Intego reported on its discovery of over 99 unique samples of shell scripts associated with AMOS malware
- The Godot game engine was exploited to spread cross-platform malware; 17,000 systems were reported to have been infected; although macOS and iOS are potential targets, reports did not specifically mention Apple operating systems as having been infected
December
- Realst Stealer resurfaced, masquerading as videoconferencing apps using names like Meetio and Meeten, backed by an elaborate distribution campaign
- As of December 31, 2024, there were about 300 known fraudulent apps (including fake loan apps) in the iOS App Store; notably, this is based on only a single independent researcher’s volunteer work, which only focuses on Apple’s App Stores in eight countries, and does not focus on apps exclusively available in the macOS App Store
It’s important to note that the list above is just a small sampling of notable Apple malware that was reported publicly. Each month, Intego discovers and adds new detection for many, many new malware variants besides those that happen to get public write-ups.
Malware forecast for 2025
Given the continued rise in stealer malware in 2024, and the lack of mitigations for such threats, we expect this trend to continue well into 2025. Evidently, this malware is profitable enough for malware developers that they have increasingly focused their efforts on it, more than other types of malware.
As we recommended last year, browser makers should work together to identify better ways to safeguard browser data on the client side. And more importantly, Internet standards bodies should work with providers of Web services to validate that authentication cookies have not been stolen from a victim and reused by an attacker.
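The article states the goal (a Web service should be able to tell that a session cookie it is being shown was lifted from a victim's browser and replayed elsewhere) without describing a mechanism. The following is an added illustration, not Intego's code or any browser vendor's implementation, of one way that check can work: the session is bound to a per-device key that, in a real deployment, would live in hardware-backed storage so that a stealer exfiltrating the browser's cookie files gets the cookie but not the key. Every request must carry the cookie plus a proof over a fresh server nonce; a cookie presented without a valid proof is treated as a likely replay, logged, and the session revoked. The `Server`, `Session`, and `simulate` names, the use of HMAC in place of an asymmetric device key, and the server keeping a copy of that key are all simplifications made for this example.

```python
"""Detecting replay of a stolen session cookie by binding the session to a
per-device key. Added example, not the article's or Intego's code.

Simplifications (assumptions for this example only):
  * The binding key is an HMAC secret known to both device and server. A real
    design would use an asymmetric key generated in hardware so the server
    never holds the private half.
  * Hardware-backed storage is assumed, not modelled: we simply never give the
    "thief" the key, only the cookie.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    binding_key: bytes               # held by the genuine device (assumed hardware-backed)
    user: str
    pending_nonce: Optional[bytes] = None
    revoked: bool = False


class Server:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.alerts: List[str] = []

    def login(self, user: str):
        """Issue a session cookie and the key the device must prove it holds."""
        cookie = secrets.token_urlsafe(32)
        key = secrets.token_bytes(32)
        self.sessions[cookie] = Session(binding_key=key, user=user)
        return cookie, key

    def challenge(self, cookie: str) -> bytes:
        """Fresh single-use nonce per request, so a captured proof cannot be replayed."""
        sess = self.sessions[cookie]
        sess.pending_nonce = secrets.token_bytes(16)
        return sess.pending_nonce

    def verify(self, cookie: str, proof: Optional[bytes]) -> bool:
        """Accept the request only if the proof matches the outstanding nonce."""
        sess = self.sessions.get(cookie)
        if sess is None or sess.revoked or sess.pending_nonce is None:
            return False
        expected = hmac.new(sess.binding_key, sess.pending_nonce, hashlib.sha256).digest()
        sess.pending_nonce = None  # nonce is consumed whether or not the proof is valid
        if proof is not None and hmac.compare_digest(expected, proof):
            return True
        # Valid cookie, wrong or missing proof: the signature of a cookie copied
        # from disk and replayed from a machine that lacks the device key.
        sess.revoked = True
        self.alerts.append(f"possible stolen-cookie replay for user {sess.user}")
        return False


def sign_challenge(binding_key: bytes, nonce: bytes) -> bytes:
    """What the genuine client does with its device-held key."""
    return hmac.new(binding_key, nonce, hashlib.sha256).digest()


def simulate() -> dict:
    """Constructed scenario: one legitimate request, one replay by a cookie thief."""
    server = Server()
    cookie, device_key = server.login("alice")

    # Genuine device: cookie plus proof over the fresh nonce.
    nonce = server.challenge(cookie)
    legit_proof = sign_challenge(device_key, nonce)
    legit_ok = server.verify(cookie, legit_proof)

    # Thief has the cookie and even a captured proof, but not the device key.
    # The server issues a new nonce, so the old proof no longer matches.
    server.challenge(cookie)
    replay_ok = server.verify(cookie, legit_proof)

    # After the detected replay the session is dead even for the real device.
    nonce = server.challenge(cookie)
    legit_after_revoke = server.verify(cookie, sign_challenge(device_key, nonce))

    return {
        "legit_ok": legit_ok,
        "replay_ok": replay_ok,
        "revoked": server.sessions[cookie].revoked,
        "alerts": len(server.alerts),
        "legit_after_revoke": legit_after_revoke,
    }


if __name__ == "__main__":
    print(simulate())
```

The detection point is the `verify` branch that sees a known cookie arrive without a valid proof: that combination is what a service can alert on and revoke, which is exactly what a bare cookie gives no way to do today. Revoking the legitimate session as a side effect is the deliberate trade-off; the user re-authenticates, the thief is locked out.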
Due to the lack of changes recently to Apple’s app review and vetting processes, we fully expect to continue to see more fraud apps in the App Store. A recent development is that iPhone and iPad apps may be distributed outside of the App Store in the EU, in order for Apple to comply with the Digital Markets Act (DMA); this means that sideloaded apps, and apps obtained through third-party app stores, could potentially also be a new threat vector through which PUA or malware could make its way onto iPhones and iPads.
Each year we continue to see more macOS and iOS malware written by sophisticated and well-funded attack groups. And in 2024, there were once again reports about APT malware being discovered on targeted Apple users’ devices. We fully anticipate observing more Mac-targeted and iPhone-targeted APT malware surfacing throughout 2025.
How can I keep my Mac safe from malware?
Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate all of the malware covered in this write-up, and a lot more.
If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sonoma.
If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from malware.
How can I learn more?
We discussed this topic on episode 378 of the Intego Mac Podcast.
For additional details about some of the Mac malware of 2024, you can read Patrick Wardle’s write-up.
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.