A new wave of AdLoad malware targeting macOS was described by SentinelLabs (the research arm of SentinelOne): malware that Apple's built-in security software, XProtect, fails to detect.
Apple protects its users from malware
Malware (malicious software) on macOS is real, and Apple has done a lot to protect Mac users against it (see Apple's "Protecting against malware in macOS"). But the creators of malicious programs keep adapting and innovating.
AdLoad is a widespread family of malware that targets macOS. It has been around for years, at least since 2017, but according to SentinelOne, infections were accelerating as of August 2021.
AdLoad trojans infect Macs and then download adware onto them. The adware can be an app or a browser extension, and it:
- injects ads into websites and opens unwanted sites,
- spies on users as they browse the web and logs personal information,
- can cause problems with internet connectivity and make some apps unstable.
Apple tries to stop malicious apps from running. Gatekeeper checks software downloaded from outside the App Store, and since macOS 10.15 it expects such software to be notarized: Apple's automated notarization service scans the app for known malicious content and issues a ticket (this is an automated malware scan, not a code review). Gatekeeper warns about, or blocks, software that is not notarized, letting users know that it might not be trustworthy. One caveat: Gatekeeper only examines files that carry the quarantine attribute set by browsers and other downloading apps; a payload fetched by a tool that does not set that attribute is never checked.
XProtect is Apple's built-in, signature-based antimalware scanner. Its signatures are updated independently of system updates. XProtect checks an app against those signatures when the app is first launched, when the app has been changed on disk, and when the signature set itself is updated.
Adware infects Macs despite built-in security
However, XProtect can only match known signatures. New AdLoad variants are released often, each with different file hashes and names that the existing signatures do not match. It takes time for these trojans to be noticed and for Apple's signature set to be updated; in fact, XProtect updates are often weeks apart (for example, from 17 December 2020 to 25 January 2021). In that window, new AdLoad variants infect more Macs.
AdLoad trojans spread through fake Flash Player installers and updates. These installers are advertised online, often on illegal movie streaming sites. Users allow the trojans to be installed because they believe them to be Flash Player or other reputable software. Note that Adobe discontinued Flash Player at the end of 2020, so any "Flash Player" installer or update offered since then is fake by definition.
Once installed, AdLoad trojans are very persistent. They run at every login and reinstall their adware apps even after the user deletes them. A macOS user describes such a situation in a post on Discussions.apple.com.
AdLoad components live in Library folders (the user's ~/Library is hidden in the Finder by default), inside subfolders that are hidden too, for example by a dot-prefixed name. This makes them difficult to find and delete.
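The two checks a responder would want after reading the paragraphs above, how stale the installed XProtect signatures are and which launchd jobs start at login from a hidden folder under a Library directory, as an added example that is not code from the original post or from SentinelOne. The XProtect bundle path, the 30-day staleness threshold, and the sample files in `build_fixture` (constructed here for a dry run, not real AdLoad artifacts) are all assumptions for illustration:

```python
#!/usr/bin/env python3
"""Added triage example (not from the original post or from SentinelOne).
Check 1: age of the installed XProtect signature bundle.
Check 2: launchd jobs that start at login from a hidden (dot-prefixed)
         directory under a Library folder, the persistence pattern above.
The bundle path, the 30-day threshold and the fixture are assumptions.
"""
import os
import plistlib
import re
import tempfile
import time
from pathlib import Path

# Assumed location of the XProtect bundle on macOS 10.15 and later (earlier
# releases keep it under /System/Library/CoreServices).
XPROTECT_INFO = Path(
    "/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"
)
# Folders launchd reads for per-user and system-wide jobs.
LAUNCH_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]
STALE_AFTER_DAYS = 30                       # illustrative threshold
HIDDEN_COMPONENT = re.compile(r"/\.[^/]+")  # any dot-prefixed path component


def xprotect_status(info_plist=XPROTECT_INFO, now=None):
    """Return (version, age_in_days) of the XProtect bundle, or None if absent."""
    info_plist = Path(info_plist)
    if not info_plist.is_file():
        return None
    with open(info_plist, "rb") as fh:
        version = str(plistlib.load(fh).get("CFBundleShortVersionString", "unknown"))
    now = time.time() if now is None else now
    return version, round((now - info_plist.stat().st_mtime) / 86400, 1)


def program_of(job):
    """Executable a launchd job starts: Program wins over ProgramArguments[0]."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess_launch_item(plist_path):
    """Reasons a launchd plist looks like adware persistence; [] if nothing stands out."""
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception as exc:                # unreadable or not a plist: still worth a look
        return [f"unparseable plist ({type(exc).__name__})"]
    exe = program_of(job)
    if not exe:
        return ["no Program or ProgramArguments"]
    reasons = []
    if HIDDEN_COMPONENT.search(exe):
        reasons.append("runs from a hidden (dot-prefixed) directory")
    if (job.get("RunAtLoad") or job.get("KeepAlive")) and "/Library/" in exe \
            and not exe.startswith("/System/"):
        reasons.append("starts at login from a Library folder outside /System")
    if not Path(exe).exists():
        reasons.append("executable is missing (leftover from an incomplete clean-up)")
    return reasons


def scan_launch_dirs(dirs=LAUNCH_DIRS):
    """Map each flagged launchd plist to its reasons; missing folders are skipped."""
    flagged = {}
    for d in dirs:
        if not Path(d).is_dir():
            continue
        for plist in sorted(Path(d).glob("*.plist")):
            reasons = assess_launch_item(plist)
            if reasons:
                flagged[str(plist)] = reasons
    return flagged


def _write_plist(path, data):
    path.parent.mkdir(parents=True, exist_ok=True)
    with open(path, "wb") as fh:
        plistlib.dump(data, fh)


def build_fixture(root):
    """Write CONSTRUCTED sample files (not real AdLoad artifacts) under root."""
    root = Path(root)
    agents = root / "Library/LaunchAgents"
    hidden_exe = root / "Library/Application Support/.helper/agent"
    benign_exe = root / "Applications/Benign.app/Contents/MacOS/Benign"
    for exe in (hidden_exe, benign_exe):
        exe.parent.mkdir(parents=True, exist_ok=True)
        exe.write_bytes(b"#!/bin/sh\n")
    _write_plist(agents / "com.example.helper.plist",
                 {"Label": "com.example.helper", "RunAtLoad": True,
                  "ProgramArguments": [str(hidden_exe), "-s"]})
    _write_plist(agents / "com.example.benign.plist",
                 {"Label": "com.example.benign", "RunAtLoad": True,
                  "Program": str(benign_exe)})
    info = root / "XProtect.bundle/Contents/Info.plist"
    _write_plist(info, {"CFBundleShortVersionString": "2149"})
    old = time.time() - 40 * 86400          # pretend the bundle is 40 days old
    os.utime(info, (old, old))
    return agents, info


def demo():
    """Run both checks against the constructed fixture and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        agents, info = build_fixture(tmp)
        version, age_days = xprotect_status(info)
        return {"xprotect_version": version,
                "xprotect_stale": age_days > STALE_AFTER_DAYS,
                "flagged": scan_launch_dirs([agents])}


if __name__ == "__main__":
    print("XProtect:", xprotect_status() or "bundle not found at the assumed path")
    for path, reasons in scan_launch_dirs().items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run without arguments on a Mac it reports the real XProtect bundle and lists flagged jobs from the live LaunchAgents and LaunchDaemons folders; `demo()` exercises the same logic on the constructed fixture. The hidden-directory reason is the strong signal; "starts at login from a Library folder" on its own is weak, since legitimate helper apps do the same, so treat the output as a triage list to inspect, not a verdict.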
Luckily, macOS does often flag AdLoad components, showing a security warning that an app "will damage your computer". Here are some reports from macOS users on Discussions.apple.com: thread 1, thread 2. But removing AdLoad by following this alert doesn't always work: moving the flagged file to the Trash leaves the launch item and the other hidden components in place, and they put the adware back.
In summary, this is the problem:
- AdLoad is a dangerous trojan that spreads effectively and causes many problems for macOS users,
- XProtect, Apple's built-in antimalware scanner, still fails to detect many of the AdLoad variants in circulation.
Luckily, AdLoad trojans and the adware they install can be removed manually (How to Remove MapperState), and third-party antimalware tools can also help. But many users assume Apple's products are immune to infection, so they may not take their security as seriously as they should.