Adload malware: Apple upgrades XProtect

Apple recently released an update to its macOS system protection program XProtect. It contains numerous hashes of a widespread adware program.


The search returns spam, malware and scams.

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

Since macOS 10.7.3, Apple has included XProtect in macOS, a function that checks files for known malware. Matching files are then not allowed to start, and automatic deletion is also possible. The associated database is updated regularly. With macOS 14.4, Apple has added a whole series of entries: database version v2192 is particularly concerned with adware. This was noticed by macOS security researcher Phil Stokes.

A total of 74 new rules are included. According to Stokes, they are intended to disrupt the entire code base of the Adload malware. The malware family previously circumvented XProtect by using an Apple developer certificate, embarrassingly (for Apple) even with notarization. Apple wants to counter this by adding numerous variants to the malware database.

Adload attempts to pass itself off as legitimate software. Once installed, it sets itself up as a search engine in Safari and also injects its own advertisements into websites to earn money. It is also conceivable that private data could be harvested, reports 9to5Mac.

However, it remains unclear whether Apple will succeed in eliminating Adload. Its developers could make further adjustments and possibly bypass XProtect again. Version v2193 of the database was recently released together with macOS 14.4.1. It is not yet possible to say exactly what is new in it. The SilentKnight tool can be used to check whether all databases are up to date.
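A version check of the kind SilentKnight performs, as an added shell example that is not part of the article or of SilentKnight itself: it reads the installed XProtect database version from the bundle's Info.plist and compares it with the v2193 the article mentions (the bundle path is assumed to be the one on current macOS; the sample plist is constructed so the script also runs elsewhere).

```shell
#!/bin/sh
# Added example, not code from the heise article or from Apple/SilentKnight:
# read the installed XProtect signature-database version and check it against
# a minimum. Bundle path below is the one on current macOS (assumption); the
# functions accept any plist file as argument.
XPROTECT_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"

# xprotect_version <plist>: print the CFBundleShortVersionString value
# (e.g. 2192). Plain sed, so it also works outside macOS without plutil.
xprotect_version() {
    sed -n '/<key>CFBundleShortVersionString<\/key>/{n;s/.*<string>\([^<]*\)<\/string>.*/\1/p;}' "$1"
}

# xprotect_is_current <plist> <minimum>: succeed if installed >= minimum.
xprotect_is_current() {
    v=$(xprotect_version "$1")
    [ -n "$v" ] && [ "$v" -ge "$2" ]
}

# report <plist> <minimum>: human-readable verdict, non-zero when stale.
report() {
    v=$(xprotect_version "$1")
    if xprotect_is_current "$1" "$2"; then
        echo "XProtect v$v installed, v$2 or newer required: up to date"
    else
        echo "XProtect v${v:-unknown} installed, v$2 required: update needed"
        return 1
    fi
}

# Constructed sample plist mirroring the layout of the real Info.plist, used
# when the macOS bundle is not present (e.g. when run on Linux).
SAMPLE_PLIST=$(mktemp)
trap 'rm -f "$SAMPLE_PLIST"' EXIT
cat > "$SAMPLE_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.XProtect</string>
    <key>CFBundleShortVersionString</key>
    <string>2192</string>
</dict>
</plist>
EOF

[ -r "$XPROTECT_PLIST" ] && PLIST="$XPROTECT_PLIST" || PLIST="$SAMPLE_PLIST"
if ! report "$PLIST" 2193; then
    echo "Check Software Update or run SilentKnight to pull the current database."
fi
```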

Apple reworked XProtect with macOS 14 alias Ventura. Since then, the so-called Malware Removal Tool (MRT) has no longer been part of the operating system. Instead, XProtectRemediator (XPR) is used, which has more capabilities. There is also the XProtectBehaviorService (XBS), a routine that monitors system behavior in the background. The open-source tool YARA is used for signature-based detection of malware. How to prevent malware on the Mac and, in the worst case, remove it can be read in a separate article at heise+.


(bsc)