What is malware?

Last modified: Jan 13, 2025 9:48 AM

Let’s first straighten out a heavily misused term - virus.


This word has become an incorrect general phrase due to its decades-long use to describe damaging software. It’s like saying “Hand me a Kleenex®,” whether the box of facial tissues you have is the Kleenex® brand or not. Or saying “Make a Xerox® of this,” even if you don’t own any Xerox® copiers.


The word virus became entrenched long ago mainly because almost all such unwanted software of the era consisted of viruses. It only made sense to name such software anti-virus, since that’s literally the type of software it located and removed. Those days are long gone, and the term is thoroughly outdated.


There has yet to be an actual virus that can affect the Mac OS. Not since OS X's introduction, anyway. There were some in OS 9 and earlier, but they were few and far between, and easily removed or defeated.


An often-used phrase seen on these forums is, “You may have a virus or malware.” This is automatically wrong. A virus and malware are the same thing. Malware is not a separate type of threat. Putting in just one more word would make the statement correct: “You may have a virus or other malware.” That at least correctly identifies that the unwanted software could also be a Trojan or worm.


If you want to use a general term, that word is malware. Not virus.


Malware is a shortened term for malicious software and refers to any software you don't want on your computer, of which a virus is just one type of malware. I can't even begin to count how many web sites I've seen, including ones supposedly written by security experts, that scream "Mac virus", and not a single item of malware they list is a virus. Then you read the list of claimed viruses and they’re all Trojans. These, um, "professionals", should turn in their credentials. A professional should never, ever, use the term virus as a catchall phrase. It’s wrong. Period. Why do they do this? In my opinion it’s deliberate click bait to draw readers to their site. But in short, I don’t trust any security site that doesn’t even appear to know what a virus is.


At this time, all AV software is nothing more than a drain on system resources and your bank account. If your thinking is that it will be preventative against new threats, that is also a waste of time. No system can stop the unknown. If you download and run a new, unknown threat, neither the OS nor AV software will see a problem with it since it isn't recognized. And no, heuristics don’t help because the main threat to Macs is Trojans, not viruses.


Here are general descriptions for each basic type of malware:



Virus - Defining feature: Can infect other files and folders it can directly see on your system by copying itself to them, with no user interaction required.


These do not exist in the Mac OS. A virus needs direct sight of the next device or file it's trying to install itself on, or attach itself to. Getting to another computer requires being moved there on an infected external drive, or by bridging itself to another computer via an email virus. The latter has been a major issue under Windows, but does not work on the Mac, as these types of viruses rely on OS functions that do not exist on a Mac.


The closest anyone has ever come to an OS X / macOS virus is the now long dead Flashback. If you had Java installed and active for your web browser, just visiting an infected site would cause Flashback to be installed on your Mac. Purely virus behavior. However, this was not a flaw in the OS that allowed the infection, but one of the numerous holes in Java. Without Java, all the site could do was cause your admin password dialog to pop up. If the user had any sense at all, they'd deny access to something they didn't initiate.


The only thing you can call a virus for the Mac that still exists is the Word and Excel macro virus. And those are almost 100% Windows malware. That is, the macro can't do anything to harm a Mac since the payload only runs in Windows. And unless you've changed the default settings in Word or Excel, if you happen to get an infected document sent to you, the macro can't load or run until you allow it (either app will warn you the document contains a macro and give you the option to run or block it). They fall under the virus category because if you allow the macro of an infected document to run, all loaded macros are automatically stored in the Normal template. Good or bad. After that, every new document you create also carries the macro virus, since they all start from the Normal template.
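Because modern Word and Excel files are zip archives (Office Open XML), you can tell whether a document carries a macro at all before opening it, which is a useful pre-screen for anything that arrives by email. The script below is an added example, not part of the original tip; the sample packages it builds are constructed stand-ins for real documents, and the names `find_macro_members` and `screen_document` are mine. It relies only on the fact that any VBA project in an OOXML package is stored in a member named `vbaProject.bin`, and that Word and Excel never save VBA into the macro-free extensions (.docx, .xlsx), so a macro found inside one of those is a sign the file was not produced normally. Legacy binary .doc/.xls files are OLE containers, not zips, and are out of scope here.

```python
import io
import zipfile

# Added example (not the original tip's code). Word/Excel/PowerPoint files in
# the Office Open XML format are zip archives; any VBA macro they carry lives
# in a member named vbaProject.bin (under word/, xl/ or ppt/). Listing the
# archive is enough to know whether a macro is present before Office ever
# shows its "this document contains macros" prompt.

# Extensions Office uses for macro-free packages. Word and Excel will not save
# VBA into these, so a vbaProject.bin inside one means the file was not
# produced the normal way.
MACRO_FREE_EXTENSIONS = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx"}
# Macro-enabled extensions (Normal.dotm, the Normal template, is one of these).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def find_macro_members(data: bytes) -> list[str]:
    """Return the archive members holding VBA code; [] means none were found.

    Raises ValueError for input that is not a zip archive (for example a
    legacy binary .doc/.xls file, which this check does not cover).
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile as exc:
        raise ValueError("not an Office Open XML (zip) package") from exc
    return [name for name in names if name.lower().endswith("vbaproject.bin")]


def screen_document(filename: str, data: bytes) -> str:
    """Classify a document by comparing its extension with its real content."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    macros = find_macro_members(data)
    if not macros:
        return "no macro"
    if ext in MACRO_FREE_EXTENSIONS:
        # The extension promises a macro-free file, yet the package has VBA.
        return "macro in macro-free extension"
    if ext in MACRO_EXTENSIONS:
        return "macro-enabled document"
    return "macro present, unrecognised extension"


def build_sample_package(members: dict[str, bytes]) -> bytes:
    """Construct a minimal OOXML-like zip for testing.

    This is sample data, not a real document: a genuine package carries many
    more parts, but the zip layout is what the check above depends on.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: one clean document, one carrying a dummy VBA project.
CLEAN_DOCX = build_sample_package({"word/document.xml": b"<w:document/>"})
MACRO_DOCM = build_sample_package({
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 dummy VBA project (constructed)",
})

if __name__ == "__main__":
    for name, blob in (("letter.docx", CLEAN_DOCX),
                       ("invoice.docm", MACRO_DOCM),
                       ("invoice.docx", MACRO_DOCM)):
        print(f"{name}: {screen_document(name, blob)}")
```

The point of the extension comparison is the Normal template behaviour described above: macros propagate by riding along in Normal.dotm, a macro-enabled file, so a document that claims to be macro-free but contains a VBA project deserves a closer look before you let Word or Excel load it.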


Reportedly, a virus that could affect OS X had been created in research labs, where they look for flaws in the OS, then report their findings to Apple and Microsoft so each respective OS can be patched before crooks find these same openings. That was well over a decade ago. No OS X / macOS specific virus has ever been seen in the wild. At least, not yet.



Trojan - Defining feature: Malware that requires the user to do something to get it installed.


Trojans are rampant. They include anything you have to install in some manner, whether that's the million types of adware out there or more insidious apps such as key loggers, ransomware and back doors. These last three are almost exclusively found in illegal downloads of cracked commercial software. It’s virtually a guarantee that if you install such software, it will also install some of the nastiest malware with it.


The main point of Trojans is they can't get on your Mac by themselves. You - the user - must install them in some manner.


Adware is also a Trojan since most of it installs with other software you download from legal aggregate sites such as softonic.com and downloads.com. It's annoying when it gets on your system, but at least it isn't dangerous - yet. Some of the ads generated by adware are outright fraudulent, doubling up on being a Trojan.


What was once a very common Trojan was the fake Flash update. You visit a site, and it pops up a message that Flash is out of date and you need to install a newer version. Clicking the download button got you a Trojan from that site that would not in any way, shape or form install anything to do with the Flash Player. At its most benign, you installed adware. But it could be anything. Never believe any site that tells you to install a Flash or Java update, or claims you need to install a codec to view a video on their site. It will be a lie 100% of the time. I only mention this because there are the occasional sites that still throw out this scam, despite the fact Flash has been dead for years. This also applies to any message or pop-up that claims you need to install a Shockwave or Silverlight update. Both are also long dead plug-ins.


Trojans need to be willingly (or unwittingly) installed by the user. Often, you don't know you're installing one because it's bundled in with something else you do want installed. Either way, even though you've downloaded the Trojan, there's still nothing for your AV software to "see".


Now you install it. Still no reaction from the AV software. The Trojan is either already active, or you run the app after installing it (because it's disguised as something else you thought you wanted). And still no reaction from the AV software. Isn't this what it's supposed to do? No. Neither the OS nor the AV software is going to stop you from using your computer as you see fit. Even if the AV software sees this malware (or eventually may), it will be a day late and a dollar short. The Trojan is already on your Mac and the AV software did nothing to stop its installation, or even warn you it had been installed.


What else is a Trojan? Any pop-up, web site, message or email claiming your device is infected with some random number of viruses, and you need to call a scammer’s phone number, or download something to fix it within 90 seconds to avoid permanent damage! My favorite? The claim you have a Trojan virus. These do not exist. It’s one or the other. The use of both words is simply to make it sound scarier.


All of these are, plain and simple, lies. There is no remote user who can tell what’s on any of your devices through a web browser. Messages or emails with such claims? Why would you believe them? They’re just words. Anyone who has your phone number or email address can send you anything, and say anything. That doesn’t make it true!


Technically, this previous group falls under social engineering, which is a fancy way of saying the crook is trying to scare or goad you into doing something unwise. It isn’t a Trojan until you fall for downloading an app they say will fix a problem that doesn’t exist. In some cases, they prompt you to purchase completely useless software they have on the App Store to “fix” the problem. Often, that’s a VPN, which is not any type of security software. Not even a little. Public VPNs (especially free ones) are mostly used to gather personal information about the user by filtering every single thing you do on the web. They actually make you less secure by routing your internet activity through the servers of whoever's VPN you're using. That data is then sold, at best, to marketers. Or worse, to other scammers and crooks. See below for more information on VPNs.



Worm - Defining feature: Smarter than a virus. Worms search out other computers on a network all on their own and attempt to infect the ones they find.


The only known (and now long dead) Mac worm was Oompa-Loompa. Also known as Leap-A. It first had to be installed by the user as a Trojan. It then acted as a worm and looked for other users to infect across a network, based on who is in your Messages account. With Unix in the way, it couldn’t automatically install itself on a found remote computer, but would cause an admin password box to appear on the targeted Mac. Deny access, and it couldn't do anything. The user had to be gullible enough to allow a process to continue without questioning why an admin box appeared from out of nowhere. While there were likely more, the officially reported instances of infection by Oompa-Loompa came to a grand total of 50 Macs.



VPNs, and why you should avoid them.


Public VPNs are anything but private.


A VPN can do absolutely nothing to hide any data going between you and the site you're viewing since only half of the communication is encrypted. Anything going to the site from the VPN and back to it is in the clear, or the site you're accessing would have no idea what to do with the encrypted data.


A VPN has only two uses:


1. You're using it to send and receive content from a truly tunneled VPN at your place of employment. Only the servers at the office get the unencrypted data from you as output from the VPN. Anything coming back to you is encrypted. Meaning, anyone trying to capture data between you and the office will only ever see encrypted data. A hacker would have to somehow breach the business's server on the clear input/output side, or your end, to get anything.


2. You're trying to hide yourself. Since a VPN encrypts what's coming back to you, it does a good job at hiding what IP address the data is going back to (and as the first link in this section mentions, even this doesn't do a good job of hiding you anymore). However, any and all VPNs log this data. If you do anything illegal and law enforcement tracks the clear data back to the VPN (and they can), they'll demand log data to see what IP address the data was output to. The site running the VPN will give you up. They aren't going to go to jail for what you do.


Free VPNs sell your data (just one of many sites explaining this)


This isn't exactly breaking news. It's been known for a very long time that free VPNs (in particular) log and sell your data. How else do you think they pay for their servers? Paid VPNs are no better. The real purpose of any such VPN is to gather marketable data.


It's the same model as Google, and in particular, Chrome. You are the product. Chrome runs a background daemon from the moment you turn your computer on, whether Chrome itself is running or not. Its job is to constantly send anonymized data back to Google about your web and personal computer usage.


No matter what web site you're communicating with, only what you send to the VPN and it sends back to you is encrypted. Every bit of data out of the VPN to the site you're visiting, and from there back to the VPN is the same as using no VPN at all. It has to be, or the sites you're visiting would just get a load of encrypted data they can't do anything with.


NordVPN has recently been sued for deceptive practices by making it nearly impossible to unsubscribe


VPN reviews you find online are also almost completely untrustworthy:


Former Malware Distributor Kape Technologies Now Owns ExpressVPN, CyberGhost, Private Internet Access, Zenmate, and a Collection of VPN “Review” Websites


VPNs should only be used when your employer, or other business needs require it for a direct end-to-end tunnel between you and their servers.


And in the modern internet world, you don’t need a VPN anyway. Most web sites now use HTTPS (secure communication). When you connect to such a site, a one-time use encryption key is generated between your browser and the site. All communication for that site is then already encrypted. A VPN does nothing but uselessly encrypt the encryption. It varies with the browser you’re using, but Safari indicates a secure connection with a small icon of a lock by the URL of the site. Such as this for Apple Discussions: [screenshot of Safari's address bar showing the lock icon next to the Apple Discussions URL]




How to avoid installing malware - Never download software from P2P (peer to peer), file sharing or pirate sites. That’s where the worst types of Trojans are. They get tucked into illegal software downloads (like a cracked version of Photoshop) and get installed along with what you think you’re getting. Once an admin box pops up to allow the installer to run, the OS isn’t going to ask you for your password once for the illegal software, and again for the embedded malware. One time is all it needs for everything in the installer package.


For now, as has been the case for almost the entire existence of the Mac OS, defeating malware means using your brain. All known Mac malware out there right now consists of Trojans. You have to download and install it. Gatekeeper recognizes some apps and will stop them from running, also presenting a warning to delete the app/installer. Anything else will blow right through no matter what AV software you're running, or how many. They are useless. They are designed to try and stop automatic processes, such as the thousands of viruses on Windows. Trojans bypass all of this. You choose to manually run an installer or app. It doesn't matter where it came from. The OS and AV software can only do so much to protect you from yourself.


For a much more thorough explanation on avoiding malware, read John Galt’s excellent treatise, Effective defenses against malware and other threats - Apple Community.
