Apple computing devices are not immune to malware, and there’s much more malware targeting Mac devices than ever before. In 2020, malware targeting Macs surged by more than 1,000%. And to the surprise of many, last year, M1 chip-focused malware was discovered in the wild. 

Details have recently emerged regarding a relatively new piece of Mac malware, known as UpdateAgent. The evolution of this piece of malware makes it unique.

UpdateAgent’s evolution

As developers managed to add new bells and whistles, the malware began to take on increasingly sinister characteristics. Recent additions include the deployment of an aggressive second-stage adware payload that places a persistent backdoor on infected Macs.

History of UpdateAgent

UpdateAgent malware started circulating somewhere between the late autumn and early winter of 2020, initially emerging as a basic information-stealer. The malware pinched names, version numbers and other fundamental Mac ownership-related information.

As time has worn on, developers have embedded new features into UpdateAgent. In an innovative twist, the app now sends “heartbeats” to attackers in order to let them know about whether or not the malware is still running. It also deploys adware, known as Adload.

UpdateAgent’s adware

To provide a few technical details, once adware is installed, it leverages ad injection software and techniques to intercept a device’s communications and to reroute user traffic through special servers that inject advertisements and promotions onto web pages and into search results.

More specifically, the Adload adware launches a Person-in-the-Middle attack via a web proxy that’s used to hijack search engine results and to place ads on webpages, thereby forcing official website holders to lose ad revenue and to pass it along to the adware operators.

Adload adware: further details

Adload adware is considered a particularly persistent variety of adware. The software opens a backdoor to download and install unrelated adware and payloads. It also harvests system information, which is sent to attackers’ C2 servers. Given that both UpdateAgent and Adload retain the capacity to install additional payloads, attackers can use either or both of these vectors to distribute an increasing number of threats to targeted systems.

How UpdateAgent spreads

UpdateAgent poses as legitimate software via apps or support agents. The malware spreads via pop up ads on hacked or malicious domains. Typically, users are duped into installing UpdateAgent.

How to check for malware on a Mac

  1. Open the Activity Monitor from Applications > Utilities
  2. Click on the CPU tab, if you aren’t already in it
  3. Click on the % CPU column to sort from high to low, and look for high CPU usage
  4. If you see a process that appears suspect, look up the program/software on Google
  5. What did you find in your Google search? That should confirm whether or not it’s malware

In conclusion

In contrast with the thinking of a prior era, Macs are not impervious to malware. Mac-focused malware is expected to become increasingly powerful and sophisticated. Mac users are advised to keep up-to-date concerning latest Mac malware trends, and to learn how to identify social engineering lures.

Furthermore, some cyber security solutions are known for their capacity to defend against UpdateAgent and other Mac malware strains. For more information about global malware trends, please see CyberTalk.org’s past coverage.