The Mac Security Blog

Malware

Apple security in 2019: year in review

Posted on by

Apple Security 2019 Year in Review

Computer security is constantly evolving, as new issues and vulnerabilities are discovered, as new software and devices are deployed, and as hackers figure out new ways to get around barriers.

Some security and privacy threats change over time. Ten years ago, we didn’t have to worry much about Internet of things (IoT) devices or data breaches, let alone hardware and even CPU architecture vulnerabilities like Spectre and Meltdown; we continued to see the emergence of similar discoveries and a continuance of these trends throughout 2019.

One thing that hasn’t changed over the past decade is that some Mac malware continues to disguise itself as Flash Player updates, even though Adobe is abandoning Flash at the end of 2020. Perhaps the fake-Flash malware trend will finally die toward the end of this year; time will tell.

Here is an overview of the main issues that affected Apple products and software in 2019:

  • Vulnerabilities and security updates
  • Malware—more than a dozen unique Mac threats
  • Data breaches
  • Phishing, fraud, and scams
  • Facebook failures
  • Internet of things issues

Vulnerabilities and security updates

Many, if not most, of the vulnerabilities and bugs affecting hardware and software security get patched by the companies that make these devices and programs, and Apple is fairly aggressive about supplying updates. These updates help ensure that you won’t be affected by rogue software or network attacks that try to exploit weaknesses.

In 2019, Apple issued a total of 102 updates containing security fixes (many of which patched numerous vulnerabilities) covering all its supported platforms, including macOS, iOS, watchOS, tvOS, and, starting in the fall, iPadOS. There were also security updates for iCloud and iTunes for Windows, for Xcode (Apple’s app development software), and for a few other apps (such as Shazam and Texture, both recent Apple acquisitions). Interestingly, there were even updates for discontinued AirPort Wi-Fi devices. You can see a list of all Apple security updates on this Apple support page.

Many of these updates fixed vulnerabilities that were present across multiple Apple operating systems, since the core underpinnings of macOS, iOS, iPadOS, watchOS, and tvOS are the same. When updates are available for one of your Apple devices, you should check for and apply updates on all of your Apple devices as soon as possible. It’s a good idea to have all of your devices automatically check for and alert you to updates when they become available.

One notable fix was made for an issue where someone could call you and and spy on you with FaceTime, even if you ignored or declined their call. After the issue was discovered in January, Apple quickly made a temporary fix on their servers to prevent all Group FaceTime calls, then later issued a software update to fully address the issue. Later in the year, the secure messaging app WhatsApp was found to have a similar but much more severe vulnerability, which allowed nation-state attackers to install spyware by simply initiating a WhatsApp call, even if the user did not answer.

SPOILER was an Intel processor vulnerability disclosed in March, similar in nature to the Meltdown and Spectre vulnerabilities, that exploited a speed-enhancing hardware feature called speculative execution to access sensitive data. In May, another Intel processor vulnerability, dubbed ZombieLoad, was disclosed to the public.

Here on The Mac Security Blog, we covered some of the highlights of various Apple security updates throughout the year, and we discussed many other vulnerabilities on various episodes of the Intego Mac Podcast.

Malware—more than a dozen unique Mac threats

Mac malware isn’t going away any time soon, and 2019 was another busy year for Mac malware analysts.

Mac users were under attack by fake Adobe Flash Player malware, OSX/Shlayer, which resurfaced in the VeryMal campaignA malware campaign dubbed VeryMal, discovered in January 2019, leveraged an ancient technique called steganography—the hiding of secret information in plain sight—to distribute new variants of the OSX/Shlayer Mac malware; Shlayer was first discovered by Intego in 2018. The VeryMal campaign used some cleverly crafted JavaScript code to look for secret information stored within a seemingly innocuous JPEG image file. The hidden data would tell the computer where to go to find and download the malware. Merely viewing an image in a browser could lead to an infection.

A lot of new malware was discovered around June 2019. Intego discovered OSX/Linker, which was designed to bypass Gatekeeper and avoid Apple’s built-in security checks that are supposed to block known malware and unauthorized developers. Linker made it easier for malware to infect a Mac, even if it has a built-in signature that’s supposed to protect your Mac from that malware.

Days after discovering the first samples of OSX/Linker, Intego also discovered OSX/CrescentCore in the wild. Although on the surface it appeared to be an installer for Adobe Flash Player, it contained hidden capabilities in an effort to make it more difficult for antivirus software to detect, and more difficult for malware analysts to examine and reverse engineer. The first variant discovered by Intego was found on a rogue comic book site purporting to offer free digital downloads of the latest comic books, and the second variant was found distributed through a high-ranking link in Google search results.

In June, Intego was also the first to detect OSX/NewTab, malware that attempted to inject tabs into the Safari browser.

Still more malware was discovered in June. A zero-day vulnerability in Firefox was leveraged by attackers to spread multiple types of Mac malware, such as OSX/Netwire (a successor to the years-old OSX/NetWeirdRC) and OSX/Mokes. Meanwhile, a surreptitious cryptocurrency miner—software that attempts to use your computer to generate digital money for an attacker—dubbed OSX/LoudMiner (aka OSX/BirdMiner) was found in some pirated VST audio software installers.

Although that may seem like a lot (especially given the commonly held myth that Macs don’t get malware), that’s not even an exhaustive list of all the new malware and variants that we observed in 2019. Other Mac malware seen throughout 2019 included CookieMiner, Siggen, and various malware associated with the Lazarus Group (including Yort, Yort.B, GMERA, Lazarus Loader, and a new AppleJeus variant).

Naturally, Mac users running Intego VirusBarrier X9 are protected from all this malware.

Data breaches

In recent years, data breaches have increased in frequency and severity, as huge amounts of user data is concentrated, and as companies may not always use the strictest security to protect this data.

Your identity is worth money. Not only for advertisers, but for malicious cybercriminals who want to get hold of your usernames and passwords to access your accounts. One reason that data breaches are so serious is that many people reuse the same credentials on multiple accounts. So if a cybercriminal gets ahold of a user’s username and password from some small website, if the user has reused these same credentials elsewhere, anyone with this data could get into their Facebook, Twitter, or Instagram accounts—or even their email accounts, which is quite dangerous because most password-reset mechanisms send an e-mail to the account on file.

Collection #1, #2, #3, #4, #5, Zabugor, and Anti Public Combo List password data breaches

As just one notable example, in January a huge data dump was found. Called Collection #1—because other collections would follow—this was the largest such data dump to date, with 2.7 billion records, including 1.2 billion unique email address and password combinations, 773 million unique email addresses, and 21 million unique passwords in plain text. This data had been aggregated from multiple small and large breaches, and was available to hackers around the world. We discussed Collection #1 (and various other data breaches throughout the year) on the Intego Mac Podcast.

Intego provides a thorough how-to article called “How to avoid getting hacked after data breaches,” because these breaches have become so common.

Phishing, fraud, and scams

One of the more serious threats is phishing. This is when you get an email that seems to be real, telling you that you need to log into an account on a website. Typically, you click a link and enter your credentials, but the site is fake, and now someone can access your email account, Facebook account, or even your Apple ID account.

One recurring case of fraudulent email stood out this year: these were emails purportedly from a CIA agent saying that you had been accessing child porn. These weren’t actually phishing, at least not in the sense that you click a link to go to a website; these emails instructed you to send money in Bitcoin, something that most people wouldn’t know how to do, but which is anonymous.

Phishing and other email scams are common, and we have an article explaining how to spot phishing emails.

Facebook failures

Facebook was in the news frequently in 2019. There were data breaches, issues where Facebook shared data with advertisers, and Facebook even used some underhanded activity to track data usage for some users, that led to Apple revoking their internal developer certificate. The privacy risks of Facebook are such that we did an episode of the Intego Mac Podcast about how to use Facebook more safely.

Internet of things (IoT) issues

Consumers and business professionals today need to be aware that “smart home” (or smart office) gizmos that connect to the Internet may contain vulnerabilities that could provide an attacker access to your network.

The “Internet of things” is a nickname given to the web of smart home devices that generally each perform limited tasks, but together combine to provide a lot of control over your home or office. We looked at Apple’s HomeKit at the end of the year, explaining what this framework is and how it works, but all throughout the year, we witnessed issues with IoT devices.

From breaches of databases run by IoT companies to new, innovative ways of hacking smart speakers—such as using lasers—smart home devices are a relatively new target for hackers and cybercriminals. Smart TVs may be spying on you, and the companies making smart speakers may have listened to some of your conversations.

How can I learn more?

In this article I’ve only touched on the issues of the eventful year 2019. You can find more by listening to (or skimming the show notes from) past episodes of our podcast.

We discuss security, privacy, Apple, and related topics each week on the Intego Mac Podcast. Be sure to subscribe to make sure you never miss the latest episode!

Also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for updates.

And make sure you’re following Intego on your favorite social and media channels: Facebook, Instagram, Twitter, and YouTube (click the 🔔 to get notified about new videos).

About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn. View all posts by Kirk McElhearn →