This Mac malware breaks through Apple's defenses — what you need to do
AdLoad punches right through macOS' Gatekeeper and XProtect
It's baaack. A notorious form of Mac malware called AdLoad, first spotted in 2017, has returned and is blitzing through macOS' built-in defenses, reports security firm Sentinel One.
Sentinel One says that since November of last year, it's seen more than 150 new strains of AdLoad, with "a sharp uptick throughout July and in particular the early weeks of August 2021."
Many of the new strains evade the protections provided by Apple's Gatekeeper verification screener because the malware is "signed" with an Apple developer certificate.
They also dodge Apple's XProtect malware scanner, because many of the AdLoad strains don't match the malware profiles in XProtect's database. Some are also "notarized" to get past Apple's newest layer of defenses.
"The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet still remain undetected by Apple's built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices," says Sentinel One.
What you can do to protect yourself
You're going to need one of the best Mac antivirus programs to stop this one, as Apple's own protections often won't be enough.
You could, in theory, prevent an AdLoad infection by refusing to provide your admin password when the malware begins the installation process.
But like most Mac malware, it will try to fool you into authorizing its installation by pretending your password is needed for some other reason. For example, an earlier Sentinel One report notes that AdLoad installers often masquerade as Adobe Flash Player installers.
How AdLoad works
AdLoad makes money by redirecting your web traffic. It takes over your browser's search-engine results and points them to sites that may pay AdLoad's creators a fee, and also injects its own set of ads on top of legitimate web ads.
That's not the worst kind of malware infection to have, but AdLoad also burrows into the operating system to make sure it's difficult to remove. And if this kind of middleweight Mac malware makes it onto your machine, who knows what other, more serious infections you could also have?
"The good news for those without additional security protection is that the previous variant we reported in 2019 is now detected by XProtect," says Sentinel One's newer report. "The bad news is the variant used in this new campaign is undetected by any of those rules."
Apple has been revoking the developer certificates as soon as it spots an AdLoad strain, but "we see new samples signed with fresh certificates appearing within a matter of hours and days," says the report.
"Truly, it is a game of whack-a-mole."
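Because these samples ride on Developer ID signatures and notarization that Apple later revokes, the practical check on a suspicious download is to ask macOS itself whether the signature still verifies and whether Gatekeeper would still accept it. The script below is an added example, not code from the article or from SentinelOne; it assumes a Mac with codesign(1) and spctl(8), and the app path, Team ID and tool outputs used for illustration are constructed.

```shell
#!/bin/sh
# Added example (not from the article or SentinelOne): triage the signing and
# Gatekeeper state of a downloaded app bundle. A Developer ID certificate that
# Apple has revoked makes `codesign --verify` fail and `spctl` reject the app.
# Assumes macOS with codesign(1) and spctl(8); elsewhere only the parsers run.

# Classify the verdict line of `spctl --assess --type execute` output,
# which looks like "/path/App.app: accepted" or "/path/App.app: rejected".
classify_spctl() {
  case "$1" in
    *": accepted"*) echo accepted ;;
    *": rejected"*) echo rejected ;;
    *) echo unknown ;;
  esac
}

# Pull the Team ID out of the Developer ID line of `codesign -dvvvv` output,
# e.g. "Authority=Developer ID Application: Example Corp (ABCDE12345)"
# (constructed sample line), so it can be compared against a blocklist later.
team_id_from_codesign() {
  printf '%s\n' "$1" \
    | sed -n 's/^Authority=Developer ID Application: .*(\([A-Z0-9]*\))$/\1/p' \
    | head -n 1
}

# Full triage of one bundle.
# Exit status: 0 accepted, 1 rejected/unsigned/missing, 2 macOS tools absent.
assess_app() {
  app="$1"
  command -v spctl >/dev/null 2>&1 && command -v codesign >/dev/null 2>&1 || return 2
  [ -d "$app" ] || return 1
  # Strict verification fails on a broken signature or a revoked certificate.
  if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
    echo "signature invalid or revoked: $app"
    return 1
  fi
  info=$(codesign -dvvvv "$app" 2>&1)
  echo "team id: $(team_id_from_codesign "$info")"
  verdict=$(classify_spctl "$(spctl --assess --type execute "$app" 2>&1)")
  echo "gatekeeper: $verdict"
  [ "$verdict" = accepted ]
}
```

A "rejected" verdict on an app that installed fine last week is exactly the certificate-revocation signal the report describes, and the extracted Team ID is what you would record when hunting for sibling samples signed under the same account.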
This story was earlier reported by Bleeping Computer.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.