The market for Mac malware

Are malware makers finally ready to pay Apple the ultimate compliment by writing viruses and trojans that target Mac OS X?

Sure–they already have. For the past few years, Mac trojans have been surfacing that will screw with your machine in various ways. But they all require assistance from the unwise or the unwary: You not only have to download and install one of these malicious programs, you also have to authorize its operation by typing your Mac’s admin password. And these phony applications are so rare and so obvious that Mac users can comfortably get by without running anti-virus software.

That’s not the case in Windows (nor was it always the case with “classic” Mac system software). On Thursday, ZDNet’s Windows columnist Ed Bott suggested that Mac users were due to experience that sort of anxiety, citing the Mac’s increased market share, the history of remote exploits for Mac OS X and the arrival of the first Mac-specific write-your-own-virus toolkit:

My prediction is that the bad guys are still “testing market conditions,” and waiting for the right time for their grand opening. I think we’ll see a few more of these tentative probes—beta tests, if you will—before anyone unleashes a truly widespread attack.

The next day, Bott wrote about a new trojan, hidden behind a “poisoned” image page found in a Google search, that featured both Windows and Mac versions.

The problem with predicting an imminent wave of Mac viruses is that so many people have been wrong before–as Mac blogger John Gruber noted in a post Thursday, titled “Wolf!”, that quoted more than a dozen forecasts of Mac malware doom, going back to 2004. But this time could be different. Veteran Mac journalist Glenn Fleishman surprised a few people, possibly including himself, by repeatedly defending Bott’s analysis in conversations on Twitter.

(This is why you should follow more than one person covering a subject you care about; you’ll see this shop talk among competing reporters and analysts that you’d otherwise miss if you only followed one of those people.)

As a Mac owner and the primary source of tech support for two others (my mom and my mother-in-law), I’m not too worried about Mac trojans. I think Bott slightly oversells that risk, for two reasons.

One, every Mac trojan that I’ve seen so far requires you to type an admin password. Any Mac user with a few weeks of experience should recognize that as an unusual sign, reserved only for things like system-software updates and installing printer drivers–other apps only require you to drag their icons to the Applications folder. This sets the Mac apart from Windows, in which almost every single program requires running an installer and authorizing that action by clicking through a User Account Control dialog. That said, recent Windows switchers could easily see a password request from a new OS X app as something normal.

Two, Apple’s Mac App Store provides a safe alternative (though I’m happy it’s not the only way to add third-party software to a Mac). Somebody worried about getting hit with viruses from strange downloads can stick to that and should be safe. I wish Windows had an equally simple, obvious alternative–a few of my readers at the Post seemed unable to avoid downloading the trojan of the week and desperately needed such an option.

And yet: Over Easter, I expanded my usual troubleshooting of my mom’s iMac by installing the free, open-source ClamXav anti-virus program on that machine.

I’m much more concerned about zero-day exploits of vulnerabilities in OS X’s Internet-facing software. As contests such as the annual Pwn2Own competition have shown, it’s not all that hard to take control of a Mac remotely by luring a victim to a malicious site. The Mac’s growing market share–which Apple put at more than 20 percent of the consumer market in the U.S. back in October–gives malware authors an increasing economic incentive to target those flaws. And Apple’s sometimes-sluggish pace at shipping security fixes makes their job easier.

That’s my worry. I hope I’m wrong about it.