One of the more significant Mac malware families introduced in 2017 is Proton RAT, which exfiltrates password data from sources such as the macOS keychain, 1Password vaults, and browser auto-fill data.

More new Mac malware families have already emerged in 2017 than in any previous year, a new analysis shows, further proving that safety is not guaranteed just because one uses a Mac device instead of a Windows one.

In fact, Mac devices saw more new or significantly evolved malware families (17) in the first half of the year than they did in all of 2016, according to data collected by Malwarebytes, which published its findings in a report detailing Mac and Android malware trends.

"What a lot of Mac experts will tell you even today is, 'Macs don't get viruses... You just need to be careful with what websites you go to.' And that's not really good advice anymore, if it ever was," said Thomas Reed, director of Mac and mobile at Malwarebytes, in an interview with SC Media.

Among the more significant new Mac malware entries, Malwarebytes notes, is Proton RAT, a trojan that exfiltrates password data from sources such as the macOS keychain, 1Password vaults, and browser auto-fill data. Apple disclosed Proton as a threat in February 2017, around the same time that web monitoring company Sixgill found an early version of the malware featuring various spyware and phishing capabilities in a Russian cybercrime forum. Then in May 2017, attackers replaced an installation package for open-source digital video file transcoder HandBrake with Proton in order to infect Mac users with a more recent variant. "The most frightening aspect of this event was how many experienced, security-minded people were either infected or nearly infected," the Malwarebytes report states.

Based on its analysis, Malwarebytes predicts that Mac users in 2018 will be especially plagued by potentially unwanted programs (PUPs), which Reed said have already become a nuisance this year, filling the Mac App Store's pages with adware and fake anti-virus products.

"The fact they have spread into the Mac App Store [is] very concerning because that was supposed to be one of the last bastions of safe software downloads, and it's not actually so safe anymore," said Reed. "These are not well controlled by Apple and not commonly known of even within the security community."

Reed said that many anti-virus PUPs, especially the free ones, "will often tell you that you have to go and download some other app to clear up your machine, and that app will not be free. And worse, these paid apps don't actually do what they claim to do."

As for Android systems, Malwarebytes has observed a 137.8 percent increase in screen locker ransomware from Q1 to Q2. Fortunately, said Reed, Google is introducing new protections into its forthcoming Android Oreo operating system that will render many screen lockers ineffective. "One of the big features of Android Oreo is it's going to prevent apps from taking over the screen, so that will really address the screen locker issue in large part," said Reed.

In the first half of 2017, three malware families, Jisut, SLocker and Koler, comprised nearly 95 percent of ransomware detected on Malwarebytes-protected Android devices, with Jisut alone making up 60 percent of detections. "These threats are typically distributed to Android mobile users masked as fake software updates or they are bundled in infected applications," the report explains.

Android malware detections in general increased 5.5 percent from Q1 to Q2, largely due to an increase in the detection of trojans, which can include ransomware, banking malware and backdoor programs. Trojans were responsible for 48.4 percent of Malwarebytes' Android malware detections in the first half of the year, with PUPs comprising another 47.1 percent of detections over the same time period.

In its report, Malwarebytes said it foresees an increase in hidden advertising and click fraud malware in 2018, as well as a rise in ransomware that actually introduces legitimate encryption functionality into its attacks. "Most ransomware on Android has not used encryption, but... that will change in order for attackers to keep their revenue stream active," the report states.

"This really just follows ransomware's similar evolution on Windows," Reed added.