Welcoming Apple to the Malware Party

While Apple may benefit from its increasing market share, this may give rise to increased attention by black hats

As sales of the Apple iPhone and iPad continue to skyrocket, and the lightweight MacBook Air continues to gain traction, the Mac operating system (OS), not surprisingly, is becoming an increasingly attractive target for malware writers. Security experts, however, say the Windows OS still remains at high risk for viruses, and what it all boils down to in the minds of hackers is where they can get the most bang for their buck.

“It used to be that Windows pretty much had the market for [attracting malware] and when you’re a virus writer you think, ‘How can I maximize the return on my investment?’”, says Steve Santorelli, director of global outreach for Team Cymru, a not-for-profit internet research company. “I’m not going to write a virus that’s just going to infect five percent of the world’s operating systems”, which was the market share Apple once held, he says. “It’s about money, not for notoriety.”

But the balance is now shifting. Apple now has an estimated 10% of the world’s computer market, motivating malware writers to write viruses for the Mac OS more frequently, says Santorelli, who previously worked with Scotland Yard’s Computer Crime Unit and at Microsoft. “It comes down to economics – it now makes economic sense to turn the attention to the Mac OS because there are so many more Mac operating systems out in the world to be infected.”

Malware Goes Mobile

As technology shifts toward mobile this year, attention must be paid to mobile devices, says Santorelli, especially given their growing popularity in the workplace. “Now everyone has massively shifted to mobile technology and doing things on their smartphones, and you’ve got these devices being taken into corporate networks”, he says. “People haven’t gotten their heads around the fact that viruses exist on mobile devices.”

Right now, though, the “underground economy” appears to be targeting Android devices for malware, he says, looking at ways to harness new technologies like Google Wallet, which lets Android smartphone users swipe the device over a reader to make purchases.

From a statistics standpoint, Santorelli says there were approximately 100 Android infections in 2011 and none in the Apple market.

David Harley, a researcher for IT consultancy Small Blue-Green World and the Mac Virus website, says he doesn’t expect the Mac to attract “more than a tiny fraction of the malicious attention that Windows does”.

Harley, too, believes the main attack focus will move to mobile devices, notably the Java and Android platforms. “While I think OS X malware is a long-term trend, I doubt if it will be a dramatic shift like the switch from DOS viruses to Windows malware, for instance”, he says. Chris Clymer, a manager of advisory services at information security consulting firm SecureState, also believes there will be a shift toward targeting iOS. He declares it “a stripped down version of OS X that has many of the same vulnerabilities”, and claims that iOS device deployment will continue to grow significantly, more so than OS X desktops and laptops.

There is even a forthcoming book due out in mid-2012 detailing the security issues facing iOS 5 – the most recent version of Apple’s mobile operating system. Titled iOS Hacker’s Handbook, it is written by a team of authors including Charlie Miller, who is known for his work in recent years hacking into MacBooks, including a patched MacBook machine using a Safari code execution vulnerability.

Windows vs. Mac vs. Linux vs. Chrome

Industry observers insist the Mac architecture is no more secure than Windows, Linux or even Chrome. Clymer says that arguably, depending on how Windows and Linux are configured, “OS X could be said to be less secure than Linux or Windows, especially out of the box”, since “Apple’s goal is to sell a user experience”. To provide that user experience, Apple has made concessions around security, he says. As an example, he mentions turning off the firewall in OS X to make it easy for iTunes users to play music back and forth on various devices. He adds that Apple has good security tools, but the user needs to know to turn them on because many are not on by default.

Another example Clymer points to is a setting within Apple’s Safari browser – known as Safe Files – that is enabled by default, causing all files considered safe to be opened automatically once they are downloaded. That is convenient from a usability standpoint, he notes, but not from a security perspective, as files are not scanned and code is automatically executed on a machine, potentially compromising the system.

“In the Windows world, you will typically have a Symantec or McAfee product that will scan the file before it downloads or it doesn’t load automatically and you can execute it later”, Clymer observes. “So again, Apple is making choices for usability. It’s not that [a Mac] can’t be configured securely, it’s about the default.” While Microsoft has long been blasted for its record with vulnerabilities in the OS, the flip side is that it has become very responsive to fixing flaws, he says.

Santorelli concurs that unlike Apple, “Microsoft turned on a lot of security features by default; that’s a big shift because you used to have to go in and turn those on”. He adds, though, that there are still a lot of XP users who haven’t updated their operating systems and don’t have firewalls.

Historically, Macs have been significantly safer than PCs, but the gap is quickly shrinking, claims Andrew Schrage, co-owner of Money Crashers Personal Finance, a website that uses both Macs and PCs. Echoing the others, Schrage says Windows has made strides toward becoming even safer, especially with the advent of Windows 7, “which is significantly more secure than previous versions. Linux, due to its barebones operating system and software, is likely the most secure of all.” Because it is a much less complex system geared primarily at computer programmers, Linux has fewer loopholes that hackers can exploit, he says. Chrome has been shown to be “formidable on the security front”, but because it is still so new, hackers have not yet uncovered security flaws, Schrage says.

Regardless of the operating system being used, Santorelli maintains there will always be vulnerabilities in any internet-connected machine. “There’s a fundamental dichotomy of usability versus security”, he observes. “You want a system to be nice and secure and difficult to compromise, but at the same time you want to make it easy for a legitimate user to log in and do things.” Many of today’s vulnerabilities have nothing to do with the OS, but rather an attack on the application, he says.

When he is asked what browser to use, Santorelli responds that it doesn’t really matter, as long as it is up to date. “A lot of people are still using [Internet Explorer] 6, and that’s not a good thing.”

Harley also points out that while most high-profile exploits tend to be aimed at Windows and generally have had more impact than any OS X vulnerability so far, social engineering tactics exploit the user rather than the system, and tend to be platform-neutral. A wide range of technical threats are also platform-neutral, he notes. “While macro viruses are pretty much dead, exploitation of other vulnerable apps – think Java, Adobe, etc. – is on the up, and we’re starting to see a trickle of ported Linux threats”, Harley says.

Modern browsers have much better protection and anti-phishing technology, Santorelli confirms. Apple is also using sandboxing, in which a computer program works in “a tiny jail cell that can’t break out and infect the rest of your computer”, he explains. “It’s contained and constrained, and that’s a very strong infosecurity counter to malware.” Another challenge for malware writers targeting OS X/iOS, he says, is that Apple does a lot of human checking of apps before they go into the Apple store.

Mac and Security Tools

The question of whether security tools are necessary for the Mac depends on a number of factors, including a company’s risk profile, observers say. “If you are head of the accounts department for a Fortune 400 company, then you have to do everything you can to minimize your exposure”, says Santorelli. “If you are someone who basically uses a laptop for posting Facebook updates, perhaps your risk is a little less.” Santorelli says he has encryption on his own Macs and would never discourage anyone from putting a security tool on their machine. “It’s good to be paranoid and to have as much security as you can these days.”

Harley also believes deploying security tools on a Mac depends on how the system is being used. While he maintains that the percentage of malware on Macs is “no big deal”, he adds that “if it’s your system that’s compromised, one infection is too many”.

Schrage believes unequivocally in security tools for the Mac, saying that he previously did not use any on his machines, which left him open to many security threats. “It is only a matter of time before hackers direct more of their efforts toward Macs, especially as their popularity continues to soar.” That view is also shared by Clymer, who says that out of the box, the configuration of OS X is less secure because it is a Linux-based system. “A lot of tools we’ve leveraged on Linux can be leveraged on Apple; they’re just not included by default…and are not necessarily the most user-friendly”. Anti-virus on the Mac platform, he concludes, is “fairly immature”.

The main lesson for Mac users, who industry watchers say can be somewhat naïve about security, is that contrary to popular belief, they are not immune from attacks. “They feel…that any sort of security tool is just unnecessary”, says Schrage. “Unfortunately, the belief that Macs are less vulnerable from a security perspective is much more myth than fact.”
