
Since I started using macOS (formerly Mac OS X, then OS X) over 10 years ago with 10.4 Tiger, the Mac’s market share has increased several times over, and predictions of a flood of Mac viruses have increased with it. The apocalyptic scenarios presented by a lot of these predictions have, thankfully, not materialised, but one thing I have noticed from my time supporting Macs has been the increase in Mac Trojans.

Trojans on the Mac are not a recent phenomenon; I can remember when a modified installer of Apple’s iWork ’09 suite was packaged with a Trojan, burning people who wanted iWork but didn’t want to pay. More recently, in 2015, Xcode was packaged with malicious software, prompting warnings that software should only be downloaded via Apple’s official channels.

The cases I have personally seen recently all involve a variation on the same process. Either a web page or a pop-up will state that your Mac is infected with a virus and that you should call the number listed within a particular time frame. To make matters worse, there is usually some method used to prevent the page being closed (one way I have seen is to generate a print dialog over and over), and to add more urgency an irritating high-pitched noise may be emitted. My theory on how users reach these pages is that they come from a malicious ad on a web page; I have seen people come across them while browsing a variety of content.

After removing any Trojans people have on their Mac, I’m usually asked how they can avoid these programs getting onto their Mac in future. My advice is always similar: always check which program is asking for your administrator password, be cautious installing new programs, and if you receive any pop-ups stating that your device has a virus, close the lid and get someone trusted to check it over. But how can these Trojans be removed?

macOS Library Folders

One of the most important pieces of knowledge I have learnt regarding macOS is the difference between its “Library” folders.

User Library

The Finder screenshot above shows the structure going from the main hard drive, “Macintosh HD”, drilling down to the user Library folder in column view (Macintosh HD > Users > your username > Library, i.e. ~/Library).

Root Library

macOS Root Library Screenshot
This screenshot shows the structure going from the main hard drive, “Macintosh HD”, drilling down to the initial Library folder in column view (Macintosh HD > Library).


System Library

macOS System Library Folder
The System Library is visible when navigating to Macintosh HD > System > Library.

In all cases a Library folder contains files that are used by the Mac’s processes and applications, but what changes between them is their scope. The data within the User Library folder only applies to the user account it is located within. This means that if any of the files in here become an issue, at worst they should only affect that user, so a user could move all their data to a new user account and carry on as normal.

The Root Library folder is wider in scope. The data in here can affect all user accounts, and it is usually where malware will install files in addition to putting them into the User Library folder, since anything placed here can affect every user on the Mac, making it more effective for the malware author.

Initially it may not seem as though the Root and System Library folders are much different, but as a general rule the System Library contains more ‘system’ level components that are created and managed by Apple, rather than the greater number of third-party files found in the Root Library. It is quite rare that applications will need to place objects within the System Library folder, so if malware affects this folder it is easier to justify an erase and reinstall, but I have yet to come across a Trojan that puts anything here.

Removing a Trojan from macOS

After quitting the running app if possible, an initial step in removing the Trojan is to remove it from the applications folder at

/Applications

Navigate to the user Library folder (~/Library; it is hidden in Finder by default, so use Go > Go to Folder… and type ~/Library) and first of all open the “Application Support” folder, find any folder with the malicious application’s name and remove it. Something to bear in mind is that some apps hide their support files by giving them a different name, so if you find a name in there you don’t recognise, do some research to check whether it’s the Trojan in disguise. Next navigate to “LaunchAgents” and remove any suspicious start-up items.

Next, move to the Root Library folder and again navigate to “Application Support” and “LaunchAgents” and remove suspicious files there. Within the Root Library there is also “LaunchDaemons”; have a browse and clear anything relating to the Trojan.

Additionally, within the User Library folder there is also a “Caches” folder. This contains cache data, so without the app it will effectively become dormant data, but if you want to obliterate all trace of the malware, delete the data here too.
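To make the manual walk through the folders above more systematic, here is an added audit script; it is not part of the original post and is not an Apple tool. It lists every launchd job in the user and root LaunchAgents and LaunchDaemons folders together with the program it runs, flags programs that no longer exist (orphaned jobs left behind after an app is deleted) or that live in a temporary or hidden directory, and then searches Application Support, LaunchAgents, LaunchDaemons and Caches in both Library scopes for entries matching the suspect application’s name. It only prints; deleting anything remains a manual step after you have checked what it is. It assumes XML plists (on a Mac, convert binary ones with `plutil -convert xml1 -o - file.plist`), and the Library roots can be overridden through `USER_LIB` and `ROOT_LIB` so it can be exercised on a test tree. The application name “ExampleCleaner” in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Reports launchd jobs and
# name-matching folders in the user and root Library scopes; deletion is
# left to the person reviewing the output.

USER_LIB="${USER_LIB:-$HOME/Library}"   # overridable for testing
ROOT_LIB="${ROOT_LIB:-/Library}"        # overridable for testing

# Print one line per launchd plist in DIR: "label<TAB>program<TAB>file".
# Takes the first <string> after the Label key and the first <string> after
# Program or ProgramArguments (the executable path). Assumes XML plists.
list_launch_jobs() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.plist; do
        [ -f "$f" ] || continue
        awk '
            /<key>Label<\/key>/                { want = "label" }
            /<key>Program(Arguments)?<\/key>/  { want = "prog" }
            want != "" && /<string>/ {
                s = $0; sub(/.*<string>/, "", s); sub(/<\/string>.*/, "", s)
                if (want == "label") label = s; else if (prog == "") prog = s
                want = ""
            }
            END { printf "%s\t%s\t%s\n", label, prog, FILENAME }
        ' "$f"
    done
}

# Classify the program a job runs:
#   "temp-or-hidden" - lives in a temp directory or under a dot-directory
#   "missing"        - the binary is gone (orphaned job, e.g. app already deleted)
#   "present"        - exists; still needs a human to decide if it is legitimate
classify_program() {
    prog="$1"
    case "$prog" in
        /tmp/*|/var/tmp/*|/private/tmp/*|*/.*) echo "temp-or-hidden"; return ;;
    esac
    if [ -e "$prog" ]; then echo "present"; else echo "missing"; fi
}

# List top-level entries in the four folders the post covers whose name
# contains NAME (case-insensitive), across both Library scopes.
find_name_artifacts() {
    name="$1"
    for lib in "$USER_LIB" "$ROOT_LIB"; do
        for sub in "Application Support" LaunchAgents LaunchDaemons Caches; do
            d="$lib/$sub"
            [ -d "$d" ] || continue
            find "$d" -mindepth 1 -maxdepth 1 -iname "*$name*"
        done
    done
}

# Full report for a suspect application name.
audit() {
    name="$1"
    echo "== launchd jobs (status, label, program, plist) =="
    for d in "$USER_LIB/LaunchAgents" "$ROOT_LIB/LaunchAgents" "$ROOT_LIB/LaunchDaemons"; do
        list_launch_jobs "$d" | while IFS="$(printf '\t')" read -r label prog file; do
            printf '%s\t%s\t%s\t%s\n' "$(classify_program "$prog")" "$label" "$prog" "$file"
        done
    done
    echo "== entries matching '$name' =="
    find_name_artifacts "$name"
}

# Usage: sh audit.sh ExampleCleaner   (ExampleCleaner is a constructed name)
if [ -n "${1:-}" ]; then
    audit "$1"
fi
```

Run it as a normal user first so the user Library is the one in your home folder; the Root Library folders are readable without sudo, so nothing in the script needs elevated rights. A job reported as “present” is not automatically bad, since many legitimate third-party apps install launch agents; the report is there to give you the label, the executable path and the plist location to research before you delete.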