Latest Crypto-Stealing macOS Malware is More Hype Than Threat
Researchers at cybersecurity firm Check Point revealed last week that a new strain of macOS malware evaded antivirus detection for over two months by mimicking Apple's encryption methods.
This discovery quickly made headlines, with Forbes warning of "real-and-present dangers" and the New York Post quoting Check Point about potential risks to over 100 million Apple users.
However, macOS security researcher Patrick Wardle contends that the threat is being overstated.
Wardle, CEO of endpoint security startup DoubleYou, explained:
"There's really nothing special about this specific sample."
While the malware does target "software-based crypto wallets" and warrants attention, Wardle argues that the media's coverage has exaggerated the actual threat.
Malware Targeting Crypto Wallets & Browser Credentials
The malware, known as Banshee, was sold to other criminals as a $3,000 "stealer-as-a-service" and targeted crypto wallets and browser credentials.
The operation came to a sudden halt in November 2024 when its source code was leaked on underground forums, forcing the creators to shut down the service.
Banshee's notable tactic was encrypting its own strings with the same string-encryption routine that Apple's XProtect antivirus uses, which helped it avoid antivirus detection from late September to November 2024.
It was distributed through malicious GitHub repositories and phishing sites and, according to Check Point's analysis, successfully compromised crypto users.
Despite its evasion techniques, Wardle characterises the malware's core theft capabilities as relatively simple.
Referring to the encryption method both Apple and Banshee employed, he noted:
"XOR is the most basic type of obfuscation. The fact that Banshee used the same approach as Apple's is irrelevant."
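To make that point concrete, the following is an added illustration written for this article; it is not code from Check Point's report, from Banshee, or from XProtect. It shows why repeating-key XOR offers almost no protection to a stealer's strings: given only the obfuscated blobs and a short guessed plaintext (a "crib", here the "Library/" prefix that macOS application-data paths share, which is an assumption about what such a sample embeds), the key and every hidden string fall out in milliseconds, and detection can then match on the decoded strings. The strings and the 4-byte key are constructed for the demo, not real indicators.

```python
"""
Added illustration (not Check Point's analysis, not Banshee's or XProtect's
code): recovering XOR-obfuscated strings with a known-plaintext attack.

A stealer XORs its sensitive strings (wallet paths, exfiltration URLs) at
build time and decodes them at run time. With the binary in hand, an analyst
needs only a short crib to recover the repeating key and every string.

All strings and the key below are constructed for this demo.
"""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so the same
    routine both obfuscates and deobfuscates."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


# ---- build side: what a stealer would embed in its binary -----------------
# Constructed, plausible-looking strings; not real indicators of compromise.
PLAINTEXT_STRINGS = [
    b"Library/Application Support/Exodus/",
    b"Library/Keychains/login.keychain-db",
    b"https://c2.example.invalid/api/upload",
]
BUILD_KEY = b"\x4b\x9f\x21\xe3"  # constructed 4-byte repeating key

OBFUSCATED_BLOBS = [xor_bytes(s, BUILD_KEY) for s in PLAINTEXT_STRINGS]


# ---- analysis side: recover the key without being told it ----------------
def is_printable_ascii(data: bytes) -> bool:
    return all(0x20 <= c < 0x7F for c in data)


def recover_key(blobs, crib: bytes, max_key_len: int = 8):
    """Known-plaintext attack on repeating-key XOR.

    Slide the crib over every blob. Where it truly aligns, blob ^ crib
    yields a slice of the keystream, which must repeat with the key's period.
    That slice is rotated back to offset 0 to give the key itself, and the
    candidate is accepted only if it decodes every blob to printable ASCII.
    Shorter periods are tried first so a 4-byte key is not reported as an
    8-byte one. Returns None if no candidate survives.
    """
    for period in range(1, min(max_key_len, len(crib)) + 1):
        for blob in blobs:
            for off in range(len(blob) - len(crib) + 1):
                stream = xor_bytes(blob[off:off + len(crib)], crib)
                if any(stream[i] != stream[i % period] for i in range(len(stream))):
                    continue  # not periodic with this period: crib misaligned
                # Keystream byte at absolute position p is key[p % period],
                # so key[j] = stream[(j - off) % period].
                key = bytes(stream[(j - off) % period] for j in range(period))
                if all(is_printable_ascii(xor_bytes(b, key)) for b in blobs):
                    return key
    return None


def recover_strings(blobs, crib: bytes = b"Library/"):
    """Recover the key, then return the decoded strings (None on failure)."""
    key = recover_key(blobs, crib)
    if key is None:
        return None
    return [xor_bytes(b, key).decode("ascii") for b in blobs]


if __name__ == "__main__":
    key = recover_key(OBFUSCATED_BLOBS, b"Library/")
    print("recovered key:", key.hex())
    for s in recover_strings(OBFUSCATED_BLOBS):
        print("  ", s)
```

Nothing here depends on which XOR routine the sample borrowed: the attack works on the cipher's structure, so whether the key schedule matches Apple's or not makes no difference, which is exactly why the borrowed routine is irrelevant to the threat it poses.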
He also points out that recent versions of macOS have already implemented protections that block this kind of threat by default.
He said:
"Out of the box, macOS is going to thwart the majority of malware. There's essentially no risk to the average Mac user."
Drawing from his experience at the US National Security Agency, Wardle highlights how changes to macOS security, particularly around software notarisation, offer further safeguards.
While more advanced threats, such as zero-day exploits, persist, Wardle advocates for focusing on fundamental security practices rather than fixating on specific malware strains.
He continued:
"There's always a tradeoff between security and usability. Apple walks that line."
This case underscores the potential for miscommunication around security threats, especially when technical nuances are lost in media coverage.
He stated:
"There are sophisticated malware out there [...] this isn't one of them."
Are his claims valid, or is he downplaying the potential damage?