If you are worried you have some kind of malware or virus on your Mac, we are here to help you figure out what’s going on and, if necessary, clean up the damage – all for free. We’ll cover how to check for and remove malware from your Mac, getting rid of any viruses that might be lurking. We’ll also explain why it’s probably not a virus thanks to Apple’s stringent protections in macOS, but that if it is, there are free as well as paid options that can protect you from Mac malware.
It’s often said that Apple products don’t get malware or viruses. While this is still true of devices based on iOS – such as the iPhone or iPad – it’s not 100 percent true when it comes to Macs nowadays. There have been a few notable malware and virus reports in recent years, although a big difference compared to Microsoft Windows is that there’s never been a Mac malware epidemic. In fact, since the release of OS X (now known as macOS), a tiny fraction of the total number of Macs in the world have ever been infected.
This doesn’t mean Macs haven’t come under the spotlight for malware and virus creators. There are lots of nasty people out there who see Macs – and their users – as prime targets, and in this article we show how to stay safe and avoid or get rid of the malware and viruses they try to dump on your Mac. (We also recommend you read our best Mac security tips and our roundup of the best Mac antivirus apps.)
Note that to an extent we are going to be mixing and matching the terms malware and virus but they are actually separate concepts. Malware tends to take the form of apps that pretend to do one thing, but actually do something nefarious, such as steal data. Viruses are small discrete bits of code that get on to your system somehow and are designed to be invisible. Of course, within these two definitions there are also other types such as ransomware.
Symptoms and diagnosis
Every now and again malware or a virus does get make it through into the wild, where there’s at least a risk of infection, so a basic knowledge of security is good for any Mac users.
Here are just some of the symptoms of malware or viruses you might watch out for:
- Your Mac suddenly becomes sluggish or laggy in everyday use, as if there’s some software running in the background chewing up resources;
- You find there’s a new toolbar in your browser that you didn’t install. Typically these toolbars claim to make it easier to search or shop;
- You find any web searches are unexpectedly redirected away from your usual search engine to some site you’ve never heard of (or the results appear in a page that’s faked up to look like your usual search engine);
- All web pages are overlaid with adverts – even those where you don’t expect to see adverts, such as Wikipedia;
- Going to your favourite sites doesn’t always work, as if something is randomly redirecting you to spam advertising pages;
- Advertising windows pop up on your desktop, seemingly unconnected with any browsing you’re doing or any program that’s running.
If you get any of these symptoms then don’t panic: they don’t necessarily mean you have a malware or virus infection on your Mac. There’s a thousand reasons why a Mac right run slowly, for example.
Additionally, some legitimate apps have unfortunately begun to add their own occasional popups for other of their products (although some people still refer to these apps as adware/malware, and refuse to have them on their system).
Here’s one thing you definitely shouldn’t do if you think your Mac is infected: don’t Google a description of the problem and install the first thing you find that claims to be able to fix things. Sadly, a lot of software that claims to be able to fix Macs is in fact malware itself, or is simply fake and designed only to make you part with money. The crooks behind this software manipulate Google’s search results so they appear at the top, and their apps can look incredibly convincing and professional.
Fake antivirus apps like MacDefender, which hit the headlines a few years ago, might look the part but are actually malware in disguise
How malware gets on to your computer
Typically malware or viruses get on to your computer in a handful of ways, as listed below. You can help diagnose whether you might have an actual infection by seeing if you’ve undertaken any of these steps recently:
As mentioned earlier, the malware looks like legitimate software, such as a virus scanner that you download in panic after believing yourself to be infected. Check for independent reviews of apps or ask for personal recommendations from others to avoid downloading this kind of thing.
This kind of malware might be downloaded by you, or it might arrive via email, or perhaps even arrive via an instant message.
Apple as in-built protections that should stop you installing this sort of thing. The company won’t allow you to install software that isn’t from a registered developer, for example, without first jumping through a few hoops. When you try to open such an app you’ll see a warning that the application is from an unidentified developer. Of course, it’s not always going to be the case that this is malware, so it is generally possible to open such software, but you will have to make some changes to your settings in order to do so as we explain here: How to open a Mac app from an unidentified developer.
There are also protections in place that should mean macOS’s Gatekeeper technology that should recognise any malicious software and stop you from installing it – as long as it’s not very new (it can take Apple a few days or weeks to address new malware). Should macOS detect a malicious app it will let you know and will ask you to move it to the Trash. Read more about Apple’s built in virus protection here: How Apple protects your Mac from Malware.
To protect yourself we also recommend that you choose these Mac security settings.
Don’t relax entirely in the comfort of knowing that Apple has your back, though. There are still ways that malicious software could fool you into installing it. Read on to find out more.
Sometimes malware or viruses might be disguised as an image file, word processing or PDF document that you open either without realising what it is, or out of curiosity to see what it is – perhaps upon finding a strange new file on your desktop, for example. (Today’s top tip: DO NOT open files that suddenly appear unless you know what they are!)
The malware creator’s technique here is simply to give the malware a fake file extension. Most of us can see straight through this, but it’s surprising how effective an attack vector this can be.
Malware-loaded legitimate files
The malware gets on to your system via a flaw or security hole in your browser or other software, such as your word processor or PDF viewer; in this case an otherwise ordinary document or webpage you open contains hidden malware that then runs without you realising, or opens a hole in your system for further exploitation.
Fake updates or system tools
The malware looks like a legitimate update. Typically this is offered via a fake warning dialog box while you’re browsing. Fake updates for the Adobe Flash Player browser plugin, or fake antivirus/system optimisation apps, are a particularly popular vector of attack.
Fake updates like this can look pretty convincing but only want to deliver malware on to your computer!
Fake technical help
You’re phoned out of the blue from Apple or Microsoft, maybe even BT, and they tell you that they believe your computer is infected, so walk you through some steps to undo the damage – while all the time putting in place their own malware, of course.
As we mentioned above, for several years now Apple has included invisible background protection against malware and viruses, as follows:
If you try to open an app you’ve downloaded – no matter how you got it – then you’ll get a warning telling you where the file has come from, and you’re told when you downloaded it. You will then have to specifically choose to open the file (with the exception of apps you download via the Mac App Store, which are always trusted because they’re supplied direct from Apple).
If an app isn’t digitally signed by its creator, which requires a signature supplied by Apple, then you will be blocked from opening it. (Here’s how to open a Mac app from an unidentified developer, but be cautious.)
Linked into File Quarantine is a scanner that, when you first open files you’ve downloaded, checks them for known malware or viruses. If any is found then you’re told the file is infected or damaged, and the only option you’ll have is to move it to the Trash.
Xprotect in particular has been very effective at halting the spread of Mac malware before it can even get started, and is yet another reason why malware or virus infections on a Mac are rare. Xprotect will even block older versions of legitimate software, such as Java or the Flash plugin, that have subsequently proven to be vulnerable to malware attack.
macOS’s Xprotect system gives a warning when you download malware that it knows about, and tells you exactly what to do.
Cleaning up a malware or virus infection
If despite all the protections Apple offers, and your own caution, you think your Mac is infected by malware of a virus, try these top ten steps to clean things up:
1. No more passwords
From this point forward don’t type any passwords or login details in case a hidden keylogger is running. This is a very common component within malware.
Beware that many keylogger-based malware or viruses also periodically secretly take screenshots, so be careful not to expose any passwords by copying and pasting from a document, for example, or by clicking the Show Password box that sometimes appears within dialog boxes.
2. Keep (mostly) offline
As much as possible from this point onwards you should try and turn off your internet connection by either clicking the Wi-Fi icon in the menu back and selecting Turn Wi-Fi Off, or disconnecting the Ethernet cable if you’re using a wired network.
If possible, keep your internet connection turned off until you’re sure the infection has been cleaned up. This will prevent any more of your data being sent to a malware server. (If you need to download cleanup tools then this obviously might not be possible.)
3. Activity Monitor
If you know for sure you’ve installed some malware – such as a dodgy update or app that pretends to be something else – then make a note of its name, and then quit out of that app by tapping Cmd + Q, or clicking Quit in the menu.
Open Activity Monitor, which you’ll find within the Utilities folder of the Applications list (or you can search for it in Spotlight by pressing Command + Space and typing Activity Monitor). Use the search field at the top right to search for the app’s name. You might find that it’s actually still running, despite the fact you quit it, so select it in the list and click the X icon at the top left of the toolbar and select Force Quit.
However, most malware authors are wise to this and will obfuscate their code so that it uses non-obvious names, which makes it almost impossible to uncover this way.
4. Shut down and restore
If you can, immediately shut down your Mac and restore from a recent backup, such as one made with Time Machine. (For alternatives to Time Machine, take a look at our roundup of the best backup software & services for Mac.) Obviously, this backup should be from a time before you believe your computer became infected.
After restoring the backup, be careful when rebooting not to plug in any removable storage such as USB sticks you had plugged in earlier when your computer was infected, or to open the same dodgy email, file or app. (Scan removable storage devices via an antivirus app on a Windows computer to remove the Mac malware – even though it’s Mac malware, it will still be spotted by antivirus apps running on other platforms.)
5. Use Bitdefender
If you can’t restore from a backup, open the Mac App Store and download the free-of-charge Bitdefender Virus Scanner. (If you are willing to spend a little cash then the paid-for version of BitDefender is worth consideration, as are the top picks in our roundup of the best Mac antivirus apps.)
Once it’s downloaded and installed, open the app and click the Update Definitions button, then once that’s completed click the Deep Scan button. Follow the instructions to allow the app full access to your Mac’s hard disk.
6. Credit-card details
If you believe your Mac was infected after opening a particular file or app, obviously you should delete that file permanently by putting it into the Trash, and then emptying the Trash.
If you handed over money at any point for the malware – such as if you paid for what appeared to be a legitimate antivirus app, for example – then contact your credit card company or bank immediately and explain the situation. This is less about getting a refund, although that might be possible. It’s more about ensuring your credit card details aren’t used anywhere else.
7. Clear cache
Again, assuming that you haven’t been able to restore from a backup and have had to scan your Mac using Bitdefender, you should also clear your browser’s cache.
In Safari this can be done by clicking Safari > Clear History, and then selecting All History from the dropdown list. Then click the Clear History button.
In Google Chrome this can be done by clicking Chrome > Clear Browsing Data, then in the Time Range dropdown box selecting All Time. Then click Clear Data.
8. Empty the Download folder
Drag the whole lot to the Trash, and then empty the Trash.
9. Change passwords
Once you’re sure the infection has been cleaned up, change all your passwords. That’s right, we really do mean all of them – including those for websites, cloud services, apps, and so on.
Inform your bank or financial institutions of the infection and seek their advice on how to proceed. Often at the very least they make a note on your account for operatives to be extra vigilant should anybody try to access in future but they may issue you with new details.
10. Reinstall macOS
Sometimes the only way to be sure you’re clean of an infection is to entirely reinstall macOS and your apps from scratch after wiping the hard disk.