Ever wonder what malware macOS can detect and remove without help from third-party software? Apple continuously adds new malware detection rules to Mac’s built-in XProtect suite. While most of the rule names (signatures) are obfuscated, with a bit of reversing engineering, security researchers can map them to their common industry names. See what malware your Mac can remove below!
9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
XProtect, Yara rules, huh?
XProtect was introduced in 2009 as part of macOS X 10.6 Snow Leopard. Initially, it was released to detect and alert users if malware was discovered in an installing file. However, XProtect has recently evolved significantly. The retirement of the long-standing Malware Removal Tool (MRT) in April 2022 prompted the emergence of XProtectRemediator (XPR), a more capable native anti-malware component responsible for detecting and remedying threats on Mac.
The XProtect suite utilizes Yara signature-based detection to identify malware. Yara itself is a widely adopted open-source tool that identifies files (including malware) based on specific characteristics and patterns in the code or metadata. What’s so great about Yara rules is any organization or individual can create and utilize their own, including Apple.
As of macOS 14 Sonoma, the XProtect suite consists of three main components:
- The XProtect app itself, which can detect malware using Yara rules whenever an app first launches, changes, or updates its signatures.
- XProtectRemediator (XPR) is more proactive and can both detect and remove malware by regular scanning with Yara rules, among other things. These occur in the background during periods of low activity and have minimal impact on the CPU.
- XProtectBehaviorService (XBS) was added with the latest version of macOS and monitors system behavior in relation to critical resources.
Unfortunately, Apple mostly uses generic internal naming schemes in XProtect that obfuscate the common malware names. While this is done for good reason, it creates a challenging task for those curious to know exactly what malware XProtect can identify.
For example, some Yara rules are given more obvious names, such as XProtect_MACOS_PIRRIT_GEN, a signature for detecting the Pirrit adware. However, in XProtect, you’ll largely find more generic rules like XProtect_MACOS_2fc5997 and internal signatures that only Apple engineers would know, like XProtect_snowdrift. This is where security researchers like Phil Stokes and Alden come in.
Phil Stokes with Sentinel One Labs manages a handy repository on GitHub that maps these obfuscated signatures used by Apple to more common names used by vendors and found in public malware scanners like VirusTotal. Moreover, Alden has recently made significant advancements in understanding how XPR works by extracting Yara rules from its scanning module binaries.
What malware can macOS remove?
While the XProtect app itself can only detect and block malware, it comes down to XPR’s scanning modules for removal. Currently, we can identify 14 of the 23 remediators in the current version of XPR (v133):
- Adload: Adware and bundleware loader targeting macOS users since 2017. Adload was capable of avoiding detection before last month’s major update to XProtect that added 74 new Yara detection rules all aimed at the malware.
- BadGacha: Not identified yet.
- BlueTop: “BlueTop appears to be the Trojan-Proxy campaign that was covered by Kaspersky in late 2023,” says Alden.
- CardboardCutout: Not identified yet.
- ColdSnap: “ColdSnap is likely looking for the macOS version of the SimpleTea malware. This was also associated with the 3CX breach and shares traits with both the Linux and Windows variants.” SimpleTea (SimplexTea on Linux) is a Remote Access Trojan (RAT) believed to have originated from the DPRK.
- Crapyrator: Crapyrator has been identified as macOS.Bkdr.Activator. This is a malware campaign uncovered in February 2024 that “infects macOS users on a massive scale, potentially for the purpose of creating a macOS botnet or delivering other malware at scale,” states Phil Stokes for Sentinel One.
- DubRobber: A troubling and versatile Trojan dropper also known as XCSSET.
- Eicar: A harmless file that is intentionally designed to trigger antivirus scanners without being harmful.
- FloppyFlipper: Not identified yet.
- Genieo: A very commonly documented potentially unwanted program (PUP). So much so that it even has its own Wikipedia page.
- GreenAcre: Not identified yet.
- KeySteal: KeySteal is a macOS infostealer initially observed in 2021 and added to XProtect in February 2023.
- MRTv3: This is a collection of malware detection and removal components grandfathered into XProtect from its predecessor, the Malware Removal Tool (MRT).
- Pirrit: Pirrit is a macOS Adware that first surfaced in 2016. It’s known to inject pop-up ads into web pages, collect private user browser data, and even manipulate search ranking to redirect users to malicious pages.
- RankStank: “This rule is one of the more obvious, as it includes the paths to the malicious executables found in the 3CX incident,” says Alden. 3CX was a supply chain attack attributed to the Lazarus Group.
- RedPine: With lower confidence, Alden states RedPine is likely in response to TriangleDB from Operation Triangulation.
- RoachFlight: Not identified yet.
- SheepSwap: Not identified yet.
- ShowBeagle: Not identified yet.
- SnowDrift: Identified as CloudMensis macOS spyware.
- ToyDrop: Not identified yet.
- Trovi: Similar to Pirrit, Trovi is another cross-platform browser hijacker. It’s known to redirect search results, track browsing history, and inject its own ads into search.
- WaterNet: Not identified yet.
How do I find XProtect?
XProtect is enabled by default in every version of macOS. It also runs at the system level, completely in the background, so no intervention is needed. Updates to XProtect also happen automatically. Here’s where it’s located:
- In Macintosh HD, go to Library > Apple > System > Library > CoreServices
- From here, you can find remediators by right-clicking on XProtect
- Then click Show Package Contents
- Expand Contents
- Open MacOS
Note: Users shouldn’t rely entirely on Apple’s XProtect suite, as it’s made to detect known threats. More advanced or sophisticated attacks could easily circumvent detection. I highly advise the use of third-party malware detection and removal tools.
About Security Bite: Security Bite is a weekly security-focused column on 9to5Mac. Every week, Arin Waichulis delivers insights on data privacy, uncovers vulnerabilities, and sheds light on emerging threats within Apple’s vast ecosystem of over 2 billion active devices. Stay secure, stay safe.
More in this series
FTC: We use income earning auto affiliate links. More.