Malware

The Top 10 Mac and iPhone Malware of 2024’s First Quarter

Posted on by

It’s a common misconception that there is no real malware for Macs or iPhones. Apple might hope that its users will bury their heads in the sand and pretend that’s true. But it simply isn’t.

Let’s take a look back at recent trends and specific examples of malware and potentially unwanted apps (PUA). We’ll cover the months of January through March, the first quarter of 2024.

In this article:

SpectralBlur Mac APT malware kicked off 2024

Just a few days into 2024, researchers warned about SpectralBlur: advanced persistent threat (APT)  malware attributed to Bluenoroff (also known as APT38 or Stardust Chollima), a reportedly North Korean APT group. (Although the malware technically surfaced around August 2023, it went undiscovered until early January 2024. We’re including it here for the sake of completeness.)

As is typical of APT malware, SpectralBlur is backdoor malware. A remote threat actor could use it to exfiltrate data, download additional code to add capabilities, and effectively take complete control of an infected Mac.

Intego reported about SpectralBlur in episode 326 of the Intego Mac Podcast.

Technical details: Analyzing DPRK’s SpectralBlur

Backdoor Activator Mac malware distributed via infected BitTorrents

Throughout January and February, researchers observed a widespread campaign to disseminate a Mac backdoor called “Activator.” The malware, as the name suggests, is a Trojan horse that claims to “activate” (crack) a pirated app illegally obtained via BitTorrent. The malware distributor took the time to bundle more than 70 different apps with the Trojan horse Activator app.

If a victim runs the Activator app, it installs a backdoor along with a LaunchAgent so it can relaunch itself automatically whenever the Mac reboots. It may attempt to steal cryptocurrency wallets, among other things; backdoors can allow a threat actor to send remote commands, including using infected computers for distributed attacks as part of a botnet.

We discussed the Activator malware on episode 334 of the Intego Mac Podcast.

RustDoor Mac backdoor malware distributed via fake job offers

Yet another recent family of backdoor Mac malware is RustDoor. First distributed around October or November 2023, RustDoor is believed to have spread via Trojan horses disguised as job offers. Researchers first published details about RustDoor in early February 2024.

RustDoor is designed to collect data from a victim’s Mac and exfiltrate it to a command and control (C&C or C2) server. The malware’s authorship has been attributed to a ransomware gang known as ALPHV, BlackCat, or Noberus.

Intego reported about RustDoor in episode 331 of the Intego Mac Podcast.

Technical details: New macOS Backdoor Written in Rust Shows Possible Link with Windows Ransomware Group

Stealer malware continues to be a major problem

One of the main categories of malware we’re seeing on the Mac this year is stealer malware (as we predicted in our 2023 malware roundup). The volume of samples has sharply increased, which suggests that stealer malware is becoming a bigger problem than ever.

Stealer malware is typically designed to gather and exfiltrate sensitive data from a victim’s computer. Such data may include, for example: passwords, browser autofill data, session cookies, and cryptocurrency wallets.

Back in February, we wrote about a recent distribution campaign for Atomic macOS Stealer (AMOS) malware. Threat actors paid for sponsored ads, gaining (what appeared to be) the top position in Google search results. The ads mimicked how the real company would have appeared, so victims were unaware that they were clicking on a malicious link and ultimately downloading malware. Threat actors disguised the malware as the app that the victims thought they were downloading.

In other cases, recent stealer malware appears to be a more generic Trojan horse, such as a supposed crack installer. Cracks are piracy-enabling software; they purportedly unlock the full feature set of commercial software without paying for a license. In reality, “cracks” are often just malware in disguise.

Main article: Atomic Stealer (AMOS) Mac malware spreads via malicious Google Ads

Atomic Stealer (AMOS) Mac malware spreads via malicious Google Ads

Apple’s App Store continues to welcome fraudulent, illegal content

Fake LastPass password manager

Throughout the year to date, we’ve continued to see many examples of fraudulent or overtly illegal apps making their way into the App Store. These are typically iPhone apps—which can sometimes also run on iPads, Macs, and even Apple Vision Pro.

One notable example was a fake LastPass Password Manager app; its creator evidently designed it to steal victims’ passwords. It may have first appeared in the App Store as early as January 16, but users first began to report it as fake on February 4. The real LastPass company wrote a blog post about it on February 7. After another day had passed without Apple taking any action, Intego wrote about it on February 8, and Apple finally removed it from the App Store several hours later.

Main article: Apple distributed a fake LastPass Password Manager in the App Store

Apple distributed a fake LastPass Password Manager in the App Store

Fake crypto apps steal hundreds of thousands of dollars

Later in February, we reported about two fraudulent cryptocurrency finance apps that used the actual names and very similar logos to real companies: Curve Finance and Rabby Wallet. At the time, neither company had a legitimate app in the App Store—although, in an ironic twist, the forthcoming real Rabby Wallet app was awaiting Apple’s review at the time Apple approved the fake app.

According to reports, the fake Rabby Wallet app stole more than $100,000 from victims who thought it was the real app. Fake crypto apps typically ask victims for their seed phrase; when the threat actors obtain this, they drain all assets from the wallet.

Main article: Apple distributed fake crypto finance apps in App Store, leading to $100K losses

Apple distributed fake crypto finance apps in App Store, leading to $100K losses

Apple also recently approved a fake PancakeSwap cryptocurrency app in the App Store—which marks at least the third time a fake app has mimicked this company.

On March 11, AppleInsider reported about yet another fake crypto wallet app, “Leather Wallet & Hiro Bitcoin,” that allegedly stole more than $120,000 worth of cryptocurrency from a single victim. Intego reported on this in episode 335 of the Intego Mac Podcast.

Video piracy apps are the hot new thing in the App Store

To add insult to injury, Apple also began allowing TV and movie piracy apps into the App Store in March. The first one that made headlines achieved a top ranking of #2 in the Entertainment category and #18 in the Top Free category in the U.S. store. Apple may have directly profited from the app, which contained in-app purchases that supposedly removed ads or allowed the user to “tip” the developer.

Main article: Apple let a movie piracy app reach #2 in Entertainment in the U.S. App Store

Apple let a movie piracy app reach #2 in Entertainment in the U.S. App Store

On March 25, the same researcher who discovered the first piracy app also found two more apps distributing pirated content. Then, on March 28, the researcher discovered three more. While Apple has since removed the duo, the trio of piracy apps is still in the App Store as of when this article is being published.

While piracy apps aren’t necessarily malware, we consider them potentially unwanted apps (PUAs, also called potentially unwanted programs or PUPs). And that isn’t merely because the apps are specifically designed to violate laws. Given the questionable ethics of the developers, and Apple’s inability to filter out policy- and law-violating content, it isn’t worth the risk to install such apps in case they may contain other unwanted or malicious behaviors.

Other interesting malware

A malicious “updater” Trojan horse

In mid-February, Mac malware researchers encountered a corrupt (due to a revoked signature) DMG disk image file. If mounted or extracted, the DMG contained a nondescript AppleScript app called “Updater.”  This app would attempt to download and install a LaunchDaemon as a method of persistence, so it could run itself again after an infected Mac rebooted. It would also open a reverse-shell connection. The threat actor who developed the app would then have full access to the infected Mac.

Calendly links used to distribute AppleScript Trojans

In late February, journalist Brian Krebs wrote about an interesting Mac malware campaign. Threat actors apparently sent calendar invites via Calendly to people interested in technologies such as blockchains, crypto, fintech, and Web3. The custom links in the Calendly scheduler may trick the user into running a malicious AppleScript, which can then obtain a second-stage payload from a remote server.

In the specific incident about which Krebs wrote, the victim was unable to recover the second stage payload; however, we can speculate based on similar past malware campaigns that the next stage was likely a cryptocurrency stealer.

We discussed the “calendar malware” on episode 334 of the Intego Mac Podcast.

The i-Soon data leak included Mac and iPhone malware

A few days later, a number of alleged “internal Chinese government documents” were leaked to GitHub. This became known as the iSoon data leak (also spelled i-Soon, i-S00N, or Anxun). Among the interesting tidbits were documentation about custom Mac and even iPhone malware. The iPhone version somehow allegedly worked without a jailbreak, presumably by exploiting an iOS vulnerability or a chain of vulnerabilities.

Intego reported on the i-Soon data leak story in episode 332 of the Intego Mac Podcast.

Global police operation disrupts LockBit ransomware gang

Though not explicitly related to new Mac malware in 2024, it’s worth noting that a coordinated multi-agency operation from ten countries took action to disrupt LockBit, a major ransomware group. In April 2023, researchers found a sample that suggested that LockBit was developing a macOS variant. We reported on this takedown operation in episode 332 of the Intego Mac Podcast as well.

How can I keep my Mac safe from malware?

Intego X9 software boxesIntego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, is a powerful solution designed to protect against, detect, and eliminate Mac malware like those described in this article.

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sonoma.

If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from malware.

How can I keep my iPhone safe from malware?

Apple has not allowed antivirus apps in the iOS App Store since 2015. However, there are ways to protect your iPhone from malware and fraudulent apps.

To protect your iPhone from advanced threats (i.e. if you think you may be targeted by nation-state level threat actors), the best thing to do is enable Lockdown Mode. It will disable some standard iPhone features and functionality, but that’s the point; it reduces the attack surface, making it harder for attackers to exploit vulnerabilities and infect your iPhone.

If you’re concerned about fraudulent and unethical apps, try to stick to major apps from well-known developers, and stay up to date on the latest scam apps by following Intego on social media, checking this blog, and subscribing to our free e-mail newsletter.

Or, if you’re concerned about possibly having downloaded malicious files onto your iPhone, Intego’s got you covered. One of Intego VirusBarrier X9’s unique features is that it can scan for malicious files on an iPhone, iPad, or iPod touch in user-accessible areas of the device. To get started, just attach your iOS or iPadOS device to your Mac via a USB cable and open VirusBarrier.

In summary: Trojans, backdoors, stealers, and fraud apps galore

Much of the first-stage malware we’ve observed this year could fall into the categories of Trojan horses of various kinds. In many cases, the first stage installs backdoor malware. It may also install stealer malware that seeks to harvest and exfiltrate sensitive or valuable data; crypto wallets, passwords, and authentication cookies are prime targets.

Since Apple’s efforts to protect Macs and iPhones are evidently quite porous, we strongly recommend using a trusted antivirus suite like Mac Premium Bundle X9, which includes Intego VirusBarrier, to keep your Mac better protected from malware threats.

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on X/Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →