Apple Security Researcher Says Latest Crypto MacOS Malware is Overblown

A new strain of macOS malware reportedly managed to dodge antivirus detection for over two months by borrowing an encryption scheme from Apple’s security tools, researchers at cybersecurity firm Check Point revealed last week.

Mainstream media outlets were quick to pick up on the story, with Forbes warning of “real-and-present dangers” and the New York Post quoting Check Point on how over 100 million Apple users may “be preyed on.”

However, an Apple security researcher argues that the situation may be more hype than threat.

“There’s really nothing special about this specific sample,” Patrick Wardle, CEO of endpoint security startup DoubleYou, told Decrypt in an interview via Signal.

While the malware appears to target “software-based crypto wallets” and remains a cause of concern, Wardle argues that it has received disproportionate media attention.

This needs some more context as the media is running wild with this, blowing it 1000% of out of proportion 🙄

The original post from @_cpresearch_ does a good job largely sticking to technical details: https://t.co/vgfzBztOti pic.twitter.com/hYBTskphZb

— Patrick Wardle (@patrickwardle) January 12, 2025

The malware, dubbed Banshee, operated as a $3,000 “stealer-as-a-service” targeting crypto wallets and browser credentials. The operation ended abruptly in November last year when the malware’s source code leaked on underground forums, prompting its creators to shut down the service.

What set Banshee apart was its clever mimicry of Apple’s XProtect antivirus string encryption algorithm, allowing it to operate undetected from late September through November 2024.

This tactic helped it slip past security tools while targeting crypto users through malicious GitHub repositories and phishing sites, the analysis from Check Point explains.

While its evasion techniques show sophistication, Wardle describes its core theft capabilities as relatively basic.

Such a characterization, Wardle says, misses a crucial technical context.

“XOR is the most basic type of obfuscation,” he explains, referring to the encryption method both Apple and Banshee employed. “The fact that Banshee used the same approach as Apple’s is irrelevant.”

Notably, Wardle claims that recent versions of macOS already block this type of threat by default. “Out of the box, macOS is going to thwart the majority of malware,” he notes. “There’s essentially no risk to the average Mac user.”

Having previously worked as a security researcher at the U.S. National Security Agency, Wardle observes that recent changes in macOS security have affected how software running on a device is signed or “notarized” (in Apple’s technical terms).

While more sophisticated threats like zero-day exploits exist, Wardle suggests focusing on fundamental security practices rather than any particular malware strain.

“There’s always a tradeoff between security and usability,” he says. “Apple walks that line.”

The case highlights how security threats may be miscommunicated to the public, particularly when technical nuances get lost in translation.

“There are sophisticated malware out there […] this isn’t one of them,” Wardle said.

Edited by Sebastian Sinclair

Source