Beware the coming Mac malware season
Thursday March 20, 2025, 08:13 PM, from ComputerWorld
If you want to understand why making it impossible to encrypt your iCloud data is a huge invitation to organized crime, I have two stories to share. The first involves a surveillance-as-a-service firm getting pwned; the second relates to a new wave of phishing-focused malware migrating from Windows to macOS.
These twin tales emerge in perfect step with maniacal government attempts to insert back doors inside encrypted data, arguing that doing so will make us safer. They won’t, of course — they’ll just make cybercrime easier, particularly for criminals armed with phished credentials who want to insert their own surveillance software inside your unencrypted online data stack. This comprises a perfect storm, a cauldron of misery, all being mixed up and destined to doom users everywhere.

Not the first, not the last: SpyX

TechCrunch caught the Have I Been Pwned story that a consumer-grade spyware outfit called SpyX was breached last year. The 25th in a series of mobile surveillance-as-a-service “firms” to be breached since 2017, the company had almost two million records when the breach occurred, including data concerning Apple users. SpyX didn’t report the breach when it happened in June 2024, which is why Have I Been Pwned exposed it.

What is SpyX?

In this particular manifestation, the stalkerware is sold as a service so parents can track their kids. (It is apparently also used by suspicious partners to spy on their significant others.) In the Apple ecosystem, the way SpyX reportedly works is to tap into people’s iCloud backups, where it quietly grabs any of your most personal unencrypted information. While this exploit also requires assailants to get hold of the target’s Apple Account data, it is important to note that in the UK, government spooks seem to be demanding access without that key. But for surveillance-as-a-service firms, the fact that you can’t use Advanced Data Protection to secure iCloud data in the UK makes undermining account security the essential next step.

Have you been pwned?

The thing is, your Apple Account ID can protect your data from such attacks, which is why you should always use a complex alphanumeric one and never share it.
However, as everyone with even the slightest bit of interest in security knows, security is only as secure as the weakest part — usually the human using the device. That, in a nutshell, is why phishing attacks are so popular, and why those attacks are becoming more and more sophisticated. Criminals know that if they can find some way to scam your account login details out of you, they can jump inside your digital shoebox and grab lots of yummy information about you, your life, even your financial situation. They don’t even need to use this data themselves; this stuff sells for good money on the Dark Web. Apple’s systems are renowned for being secure, which is why Apple IDs were being sold there for $15 a pop back in 2018.

Get a Mac

If you’ve been paying attention, you might have noticed that Apple experienced over 25% growth in Mac sales in Q4 2024, far ahead of the PC industry average, which reflects a growing Mac market share for the company. If market analysts know that, and we know that, then well-resourced criminals are certainly cognizant of this data, which is why they’re moving to Mac. (To be fair, they have been for a while; it’s just that Windows seems to be an easier target.) But that gravy train is switching platforms, and so are the bad guys.

Cybersecurity firm LayerX recently identified a new scareware campaign jumping from Windows to Mac. These are basically phishing attacks designed to trick users into entering their credentials into fake Microsoft security alerts served up via compromised websites. The idea is to scare users into sharing their login details.

Jaron Bradley, director of Jamf Threat Labs, explained how Mac users should approach this new attack vector. “Users should never enter their iCloud credentials outside of the official Apple website. They should also be cautious when encountering flashing warnings that prompt them to call a phone number to resolve a supposed threat.
These calls often lead to scammers who promise to fix a fake issue in exchange for a fee and credit card information,” he wrote.

Open up

He’s right, because once criminals get your code, they can access your iCloud data (if left unencrypted). They can, in theory, then also infest your iCloud with the kind of scary surveillance software SpyX sells, instantly crafting a backdoor to your digital existence. Rogue nations in which iCloud data cannot be encrypted (not that we know who they are) leave their populations wide open to such attacks, closing the best door to protect against them. And as these twin tales show, these threats aren’t even imaginary; they’re already here.

Moral of the tale? Perhaps it’s time to return to on-device iPhone backups and to make use of Apple’s own tools to encrypt data before you put it in iCloud.
https://www.computerworld.com/article/3850560/beware-the-coming-mac-malware-season.html