Can macOS get viruses?

Malware infections are far less common on macOS than for Windows. This is partly because macOS is less widely used, but also because of its robust built-in security and rigorous protection against unsigned apps.

The historic list of notable macOS malware makes for an extremely short Wikipedia entry. However, macOS malware discoveries in 2021 included a number of cross-platform viruses written in languages such as Go, Python, and Kotlin.

Security researchers also saw cunning methods of evading Apple’s Gatekeeper, which checks to ensure that apps have been scanned and notarised by Apple as malware-free before allowing them to be installed.

Targeted attacks against journalists, human rights activists and persecuted minority groups by nation-states are relatively common, such as DazzleSpy, identified in January 2022, but this visibility is likely because there’s less mass-user malware on the platform.

So macOS systems can get viruses, but you’re far less likely to encounter one than your average Windows user is, and if you restrict yourself to only using software from the macOS App Store (and aren’t a human rights activist), you’re not very likely to encounter one.

Malware popularity contests

Malware developers want the best pay-off for the work, whether that comes in the form of data theft, ransoms to decrypt systems, or stolen CPU and network resources for cryptocurrency mining or systems for their botnet armies.

With estimates putting macOS at around 6% of the global operating system market share, compared to 42% for Android and 32% for Windows, it’s obvious that macOS is a less desirable target for general-purpose malware than Windows and Android.

That’s still somewhere in the region of a 100 million or more computers, a number that’s slowly but consistently growing, so we are seeing more macOS viruses than in the past, but they have tough defences to get past.

How does macOS protect against viruses?

While Microsoft makes the Security Centre on Windows easy to find, Apple’s malware defences are almost invisible, and lack features such as on-demand scanning and visible on-off switches. This is a deliberate choice on Apple’s part, designed to make Macs unobtrusively safe. It’s so hard to disable that malware researchers have to go to great lengths to even test virus samples on macOS.

Here’s how you’re protected:

Notarised software: Apple requires developers of software for macOS have to register for a developer ID and submit the app for review and scanning by Apple before issuing a Notarisation ticket that developers can ship with their apps.

The inconvenience and the $100 annual fee required for notarisation has been a contributing factor to independent multi-platform developers abandoning macOS, but it’s an excellent way of ensuring that users don’t accidentally install anything that might damage their system.

The utility that checks for Notarisation is called Gatekeeper. If a Notarisation ticket isn’t shipped with the app, it’ll check the software’s file hash against an online database of Notarised apps. If you want to install an unsigned app, you have to manually open it via Finder and add it as Security exception.

XProtect: macOS’s efficient integrated antivirus scans apps against a regularly updated signature database when they’re first launched, when an app changes, or when XProtect’s signatures are updated. Apple is understandably cagey about revealing exactly how XProtect works, but says that the “signature-based rules of XProtect are more generic than a specific file hash, so it can find variants that Apple has not seen,” which indicates that it may be able to detect obfuscated malware. However, XProtect isn’t a real-time scanner and is generally held to have no heuristic scanning capabilities.

MRT: the operating system’s built-in Malware Removal Tool is your last line of defence. It checks for infections whenever it receives and update to its threat database, on restart, and on login. However, you can’t manually trigger the MRT in response to suspicious behaviour.

All of these applications are supported by robust and prompt patching of security vulnerabilities, which are themselves discovered less frequently than their Windows counterparts.

Third-party antivirus

Third-party antivirus for macOS co-exists with macOS’s integrated defences, so they’ll never be disabled. If your Mac is behaving oddly, it won’t hurt to grab an antivirus suite to see if malware is to blame.

Major players in commercial macOS antivirus for home users include Kaspersky, Eset, MacPaw, MalwareBytes, BitDefender, ClamAV and Trend Micro, among others. The AV-TEST lab puts them through their paces on a regular basis. See my guide to understanding antivrus test results to help you understand how they perform.

ClamAV, Avira, Avast, BitDefender, Trend Micro and Kaspersky all have free macOS antivirus products available. Some of these don’t provide real-time protect, but the option of an on-demand scan is always reassuring.