Apple Security Researcher Says Latest Crypto MacOS Malware Is Overblown

A new strain of macOS malware reportedly managed to dodge antivirus detection for over two months by borrowing an encryption scheme from Apple's security tools, researchers at cybersecurity firm Check Point revealed last week.

Mainstream media outlets were quick to pick up on the story, with Forbes warning of "real-and-present dangers" and the New York Post quoting Check Point on how over 100 million Apple users may "be preyed on."

However, an Apple security researcher argues that the situation may be more hype than threat.

"There's really nothing special about this specific sample," Patrick Wardle, CEO of endpoint security startup DoubleYou, told Decrypt in an interview via Signal.

While the malware appears to target "software-based crypto wallets" and remains a cause of concern, Wardle argues that it has received disproportionate media attention.

The malware, dubbed Banshee, operated as a $3,000 "stealer-as-a-service" targeting crypto wallets and browser credentials. The operation ended abruptly in November last year when the malware's source code leaked on underground forums, prompting its creators to shut down the service.

What set Banshee apart was its clever mimicry of Apple's XProtect antivirus string encryption algorithm, allowing it to operate undetected from late September through November 2024. 

This tactic helped it slip past security tools while targeting crypto users through malicious GitHub repositories and phishing sites, the analysis from Check Point explains.

While its evasion techniques show sophistication, Wardle describes its core theft capabilities as relatively basic.

Such a characterization, Wardle said, misses a crucial technical context.

MacOS Malware 'Cthulu Stealer' Is Draining Crypto Wallets—Here's How to Spot It

In a concerning development for macOS users and cryptocurrency holders, security researchers have identified a new malware-as-a-service (MaaS) named "Cthulhu Stealer." According to a recent Cado Security report, this malware specifically targets macOS systems, challenging the long-held belief that Apple's operating system is immune to such threats. While macOS has maintained a reputation for security, recent years have seen an uptick in malware targeting Apple's platform. Notable examples includ...

"XOR is the most basic type of obfuscation," he explains, referring to the encryption method both Apple and Banshee employed. "The fact that Banshee used the same approach as Apple's is irrelevant."

Notably, Wardle claims that recent versions of macOS already block this type of threat by default. "Out of the box, macOS is going to thwart the majority of malware," he notes. "There's essentially no risk to the average Mac user."

Having previously worked as a security researcher at the U.S. National Security Agency, Wardle observes that recent changes in macOS security have affected how software running on a device is signed or "notarized" (in Apple's technical terms).

While more sophisticated threats like zero-day exploits exist, Wardle suggests focusing on fundamental security practices rather than any particular malware strain.

"There's always a tradeoff between security and usability," he said. "Apple walks that line."

The Best VPN for Crypto Users

In today’s increasingly online world, it’s never been more important to protect your privacy and security—and that goes double for crypto users. Virtual private networks, or VPNs, are services that provide an encrypted connection to the internet, shielding your internet protocol (IP) address from prying eyes. For users transacting in cryptocurrency, VPNs offer an extra layer of security to protect against hacks and phishing attempts that could result in a loss of funds. In this guide, we’ll expl...

The case highlights how security threats may be miscommunicated to the public, particularly when technical nuances get lost in translation.

"There are sophisticated malware out there [...] this isn't one of them," Wardle said.

Edited by Sebastian Sinclair