Malware on a Mac, and How to Trash it

01 - Malware on a Mac

“You can’t get viruses on a Mac” and “they just work”.

Both are true to an extent, and as a passionate Apple user and former employee I believe their ecosystem is fantastic and far stronger than others out there. However, there are always threats in the realm of technology, and whether or not the term ‘virus’ is strictly accurate in this case, Apple isn’t immune to malware, and it has crept its way into OS X more noticeably recently.

What does ‘malware’ mean?

Malware is a term for malicious or intrusive software that can come in many different forms, and can be used to obtain personal information such as bank details, display unsolicited advertisements, or generate marketing revenue by redirecting traffic.

A paper recently released by Bit9 + Carbon Black states that five times more malware for OS X has appeared in 2015 than during the previous five years combined (source link).

How does it find its way onto my machine?

There are many different ways malware can find its way in, but in most cases on a Mac, in my experience, it has been through ‘phishing’ emails. These may appear to come from a recognised company or source (or from a friend, if their account has been compromised) and contain either a link or a downloadable attachment that lets malicious scripts onto your machine.

So, how can I protect myself?

First and foremost, exercise caution with emails and anything that seems slightly out of the ordinary. For example, most companies, and banks in particular, won’t ask for your password or any details directly through an email. Also, if a link appears to come from a company you have an account with, saying you must sign in to make changes for whatever reason, don’t click the link in the email; instead, go to their website directly through a browser (e.g. Safari / Chrome) and see whether it prompts you to change anything from there.

The next step I would strongly recommend, if you have any existing malware concerns or simply want to be able to scan your system and check, is to download and install a free application called Malwarebytes (there’s also a premium version available). You can download it here:

Malwarebytes for Mac

Once you’ve downloaded it, run a scan; it’s very quick and efficient at discovering and wiping any hidden malware that you don’t want there. However, I recently discovered another attack that Malwarebytes hasn’t yet been able to find.

A new threat

Prior to the Malwarebytes application, I used the website below as a great resource for manually finding and getting rid of malicious software. However, unless you are an experienced user of OS X, I would strongly recommend against doing this yourself: a lot of the files and folders you will be looking at may have odd-looking names but are needed by the system to operate, and deleting the wrong one could corrupt your operating system (so it is best avoided!).

The Safe Mac

These are the guys who developed Malwarebytes, and for earlier intrusions (VSearch and Genieo being notable culprits) the guides and application are great for removing them.

The other day, the malware I found on a machine had cut off the user’s network access and appeared to be an evolved version of Genieo. Rather than the single name used previously, it had spread itself across many different names hidden away in the user Library, such as the following:

Again, if you are unsure about any of this and have malware concerns that the Malwarebytes application isn’t picking up, I wouldn’t advise going in to delete system files yourself unless you have experience in this field; get in touch and we can help!

Because the malware in this example had cut off the network connections, we set up a Guest User account (System Preferences > Users & Groups > Enable Guest User) and logged into it. From there I was able to change the permissions on the affected user’s account folder in Finder to allow everyone to view and edit, so we could go in and delete what needed deleting.

An interesting tip here: one way to view the (hidden) Library folder when not logged into that user account is to show hidden items in Finder. You can do this with a Terminal command, which also relaunches Finder so the change takes effect (on macOS 10.12 Sierra and later, pressing Command-Shift-Period in Finder toggles hidden files without any Terminal command):

defaults write com.apple.finder AppleShowAllFiles YES && killall Finder

This will show you hidden files and folders; in this case we need to go to the user’s ‘Library’ folder. Note, to reverse the change you can open Terminal again and run this command to switch hidden files and folders back to being hidden:

defaults write com.apple.finder AppleShowAllFiles NO && killall Finder

Now I could access the hidden Library folder of the affected user account, and this is where I discovered lots of the names above popping up in Application Support, LaunchAgents and Preferences. I went through deleting them and then emptied the Trash. It took some time searching through them, but eventually they all appeared to be cleared out, at which point we logged out of the Guest User account and back into the original account, and things were fine again!
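Before deleting anything in a user’s LaunchAgents folder, it helps to see in one list what each agent actually launches. The script below is an added example (not from the original post or from Malwarebytes): it reads every launch agent plist in a folder, prints its label and program path, and marks for review any agent whose program lives inside a Library folder, which is where the renamed Genieo files above were hiding. The sample plists, labels and paths it creates are constructed for demonstration; the script deletes nothing.

```shell
#!/bin/sh
# Added example, not from the original post: read-only inventory of a
# LaunchAgents folder. Prints STATUS, LABEL and PROGRAM for each agent and
# flags programs hidden under a Library folder for manual review.

# Print the first <string> that follows <key>$2</key> in plist file $1.
# Plain sed so it runs anywhere; on a Mac `plutil -p "$1"` shows the whole file.
plist_string() {
    tr -d '\n\r' < "$1" |
        sed -n "s/.*<key>$2<\/key>[^<]*\(<array>[^<]*\)\{0,1\}<string>\([^<]*\)<\/string>.*/\2/p"
}

# For every .plist in directory $1 print: STATUS<TAB>LABEL<TAB>PROGRAM
review_launch_agents() {
    for plist in "$1"/*.plist; do
        [ -f "$plist" ] || continue
        label=$(plist_string "$plist" Label)
        program=$(plist_string "$plist" Program)
        [ -n "$program" ] || program=$(plist_string "$plist" ProgramArguments)
        case "$program" in
            */Library/*|"") status=REVIEW ;;   # hidden in a Library folder, or unreadable
            *)              status=ok ;;
        esac
        printf '%s\t%s\t%s\n' "$status" "${label:-?}" "${program:-?}"
    done
}

# Constructed sample data (hypothetical labels and paths, for demonstration only).
make_sample_agents() {
    d=$(mktemp -d)
    cat > "$d/com.example.updater.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
</dict></plist>
EOF
    cat > "$d/com.xk9q.agent.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.xk9q.agent</string>
  <key>Program</key><string>/Users/alice/Library/Application Support/xk9q/xk9q</string>
</dict></plist>
EOF
    echo "$d"
}

# On a real machine: review_launch_agents "$HOME/Library/LaunchAgents"
```

Run it against the affected user’s Library/LaunchAgents (and /Library/LaunchAgents) and review the REVIEW lines before removing anything, since a legitimate agent can also live under Library.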

So, my advice would be always to exercise caution particularly with emails with links and attachments (even if they appear to be legit), download Malwarebytes and run a scan for peace of mind, and if you have more issues, queries or concerns get in touch at and we can help!
