A new strain of macOS malware borrowed an encryption method from Apple's own security tools to evade antivirus checks for more than two months, researchers at cybersecurity firm Check Point said last week.
Major media outlets were quick to pick up the story, with Forbes warning of “real and current risks” and the New York Post reporting on how over 100 million Apple users could be affected.
However, an Apple security researcher argues that the situation is less alarming than the headlines suggest.
“There's really nothing special about this particular sample,” said Patrick Wardle, CEO of endpoint security startup DoubleYou, in an interview with Decrypt over Signal.
While the malware appears to target “software-based crypto wallets” and remains a cause for concern, Wardle argues that it has received disproportionate media attention.
The malware, dubbed Banshee, targets crypto wallets and browser credentials and was sold for $3,000 as a “theft-as-a-service”. It came to an abrupt end in November last year when the malware's source code was leaked on underground forums, prompting its creators to shut down the service.
What sets Banshee apart is that it mimics the string encryption algorithm used by Apple's XProtect antivirus, which let it run undetected from late September to November 2024.
The technique helped the malware bypass security tools while it targeted crypto users through malicious GitHub repositories and phishing websites, Check Point's analysis explains.
Despite the reported sophistication of its evasion techniques, Wardle describes the malware's stealth capabilities as relatively basic.
Wardle argues that such coverage misses critical technical context.
“XOR is the most basic form of encryption,” he explains, referring to the encryption method employed by both Apple and Banshee. “It is irrelevant that Banshee uses the same method as Apple.”
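To illustrate Wardle's point, here is an added example (not Banshee's code and not Apple's XProtect routine) showing why single-byte XOR string obfuscation hides nothing from an analyst: the key can be brute-forced in 256 tries by scoring how plausible each candidate decoding looks. The sample string, the key 0x5A and the scoring alphabet are all constructed for the demo.

```python
from typing import Optional

# Constructed sample: a plaintext of the kind a stealer might hide in its binary
# (the URL is fictitious, using the reserved .invalid TLD) and an arbitrary key.
SAMPLE_PLAINTEXT = b"https://example.invalid/wallet"
SAMPLE_KEY = 0x5A

# Bytes we expect to dominate a decoded config string: letters, digits, URL punctuation.
EXPECTED = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ./:-_")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. XOR is its own inverse, so the same
    function both obfuscates and deobfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def plausibility(candidate: bytes) -> float:
    """Fraction of bytes that look like part of a URL, path or identifier."""
    if not candidate:
        return 0.0
    return sum(b in EXPECTED for b in candidate) / len(candidate)


def recover_single_byte_key(blob: bytes, threshold: float = 0.9) -> Optional[int]:
    """Brute-force all 256 single-byte keys and return the one whose output
    looks most like a plaintext config string, or None if nothing passes."""
    best_key, best_score = None, 0.0
    for key in range(256):
        score = plausibility(xor_bytes(blob, bytes([key])))
        if score > best_score:
            best_key, best_score = key, score
    return best_key if best_score >= threshold else None


def deobfuscate(blob: bytes) -> Optional[bytes]:
    """Recover the hidden string from a single-byte-XOR blob without knowing the key."""
    key = recover_single_byte_key(blob)
    return None if key is None else xor_bytes(blob, bytes([key]))


if __name__ == "__main__":
    encoded = xor_bytes(SAMPLE_PLAINTEXT, bytes([SAMPLE_KEY]))
    print("encoded :", encoded.hex())
    print("key     :", hex(recover_single_byte_key(encoded)))
    print("decoded :", deobfuscate(encoded))
```

Longer repeating keys only multiply the search space by the key length; they do not change the picture, which is why a matching XOR scheme gives a sample no real advantage against an analyst or a signature engine.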
In particular, Wardle says that recent versions of macOS block this type of threat by default. “Out of the box, macOS is going to disable most malware,” he commented. “Essentially no risk to the average Mac user.”
Wardle, who previously worked as a security researcher at the US National Security Agency, noted that recent changes to macOS security affect how software that runs on the device must be signed and “notarized” (Apple's technical terms).
While there are more sophisticated threats like zero-day exploits, Wardle suggests focusing on basic security practices rather than any specific malware strain.
“There's always a trade-off between security and usability,” he said. “Apple walks that line.”
The case shows how security concerns can be misrepresented to the public, especially when the technical details get lost along the way.
“Sophisticated malware is out there. […] This is not one of them,” Wardle said.
Edited by Sebastian Sinclair.