What to do if you think you have malware on your Mac
It can be alarming to discover malware on your Mac. If your computer has been infected, your personal information and potentially your identity are at risk. While malware on Macs is relatively uncommon, the number of threats to macOS is on the rise, which makes it important to understand how to check for malware on a Mac and how to remove it.
In this article, the terms ‘malware’ and ‘virus’ are both used, although they are not the same thing. Malware is any malicious software, including apps that masquerade as legitimate while carrying out hostile tasks such as stealing your data. A virus is one specific kind of malware: a small program that spreads by injecting its code into other files and programs, so that each infected file in turn infects others across your device. Almost everything found on Macs today is malware of other kinds (adware, Trojans, spyware), not true viruses.
Signs your Mac may be infected by viruses or malware
Some types of malware can remain undetected on your machine for a while, while others are more immediately noticeable. Signs to look out for include:
Your Mac is operating more slowly than usual, or the fans run constantly. This could mean someone is using your machine to mine cryptocurrency or to take part in DDoS attacks against other targets.
Your browser has a new homepage or extensions you haven’t added. This could mean your browser has been hijacked and is directing your traffic to malicious third-party sites.
You notice many more ads or pop-ups than usual. This could mean you’re a victim of adware. This type of malware generates profits (for the perpetrator, not you) from ad clicks.
You receive security alerts even without scanning your Mac. This could indicate scareware – a type of malware designed to trick you into installing more malware.
Your contacts receive spam from your accounts. If your friends say they have received spam from your email or social media accounts, it could mean your Mac has been infected with malware attempting to spread itself or other malicious programs to users.
You are unable to access personal files and see a ransom or warning note. Amongst the warning signs for malware, this one is the most clear-cut. It means you are the victim of ransomware, malicious software used for extortion that is usually delivered by a Trojan horse, an app that pretended to be something else.
How to check for malware on Mac
Here are key actions you can take to check your Mac for viruses and malware:
Check for unwanted applications
Malware can sometimes end up on your system alongside legitimate software, typically bundled with a free download. If you haven’t used an app for a while or don’t remember installing it, remove it:
- Open Finder and go to the Applications folder
- Scroll through the list and move any app you don’t recognize to the Trash (the apps that ship with macOS are protected and cannot be deleted, so anything you are able to remove was added later)
- Empty the Trash
Deleting the app bundle alone can leave behind support files and launch agents in your Library folders, so also carry out the login items check below.
Check your downloads folder
Malware generally has to be downloaded before it can install, and sometimes that happens without you noticing. Check your Downloads folder for anything you don’t recognize. If you spot unexpected apps, disk images (.dmg) or installer packages (.pkg), don’t double-click them to find out what they are. Instead, select the icon and press Command-I (Get Info) to see its kind, size, the date it was added and, for browser downloads, the Where from address, or press the space bar for a Quick Look preview. If you still don’t recognize a file, delete it. Move the downloads you want to keep to other folders, delete everything else, and empty the Trash.
Once you have done that, go to Safari’s General preferences and uncheck Open “safe” files after downloading. With that option enabled, Safari automatically opens what it considers safe file types (pictures, movies, sounds, PDFs, text documents and archives), so a drive-by download, that is, a download initiated by a web page, can be opened the moment it lands on your Mac.
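The following Python 3 script is an added example, not code from the original article. It reviews the Downloads folder the way an incident responder would, by reading each file’s com.apple.quarantine extended attribute rather than opening the file. The attribute records which application saved the file and when. A file that lacks it was not saved by a browser (curl, scp and some unarchivers do not set it, and malware sometimes strips it), and Gatekeeper does not assess a file without it at launch. The script assumes Python 3 and the xattr command on macOS; the parsing and triage functions run anywhere, and the sample attribute value is constructed.

```python
#!/usr/bin/env python3
"""Review ~/Downloads by its quarantine attributes instead of opening files.
Added example, not the article's own code. Assumes Python 3 and, to read real
attributes, the macOS xattr command; parsing and triage run anywhere."""
import datetime
import shutil
import subprocess
from pathlib import Path
from typing import Optional

# Things that run, or unpack to something that runs, when double-clicked.
EXECUTABLE_SUFFIXES = {".app", ".dmg", ".pkg", ".mpkg", ".command", ".sh", ".zip"}
# Document extensions an attacker hides an app behind, e.g. Invoice.pdf.app
# (Finder hides the trailing .app, so the file appears to be Invoice.pdf).
DOCUMENT_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".txt"}

# Constructed sample of a com.apple.quarantine value: flags;hex time;agent;uuid.
SAMPLE_ATTRIBUTE = "0083;60000000;Safari;3E1F2B7C-0000-4000-8000-000000000000"

def parse_quarantine(value: str) -> dict:
    """Decode the attribute. flags is a hex bitmask, the time is hex seconds since
    the Unix epoch, agent is the app that saved the file, and the optional UUID
    keys an entry in the LaunchServices quarantine database holding the source URL."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    when = datetime.datetime.fromtimestamp(int(parts[1], 16), datetime.timezone.utc)
    return {"flags": int(parts[0], 16), "downloaded_at": when, "agent": parts[2],
            "origin_uuid": parts[3] if len(parts) > 3 and parts[3] else None}

def read_quarantine(path: Path) -> Optional[str]:
    """Return the raw attribute via `xattr -p`, or None if the file has none.
    Reading an extended attribute never executes or renders the file."""
    if shutil.which("xattr") is None:
        return None
    res = subprocess.run(["xattr", "-p", "com.apple.quarantine", str(path)],
                         capture_output=True, text=True)
    return res.stdout.strip() if res.returncode == 0 else None

def triage(name: str, raw_value: Optional[str]) -> list:
    """Notes a reviewer would want about one item in Downloads."""
    notes = []
    path = Path(name)
    executable = path.suffix.lower() in EXECUTABLE_SUFFIXES
    if executable and Path(path.stem).suffix.lower() in DOCUMENT_SUFFIXES:
        notes.append("double extension: a program disguised as a document")
    if raw_value is None:
        if executable:
            notes.append("no quarantine attribute: not saved by a browser (curl, scp?) or "
                         "the attribute was removed; Gatekeeper will not assess it at launch")
        return notes
    q = parse_quarantine(raw_value)
    notes.append(f"saved by {q['agent']} on {q['downloaded_at']:%Y-%m-%d %H:%M} UTC")
    return notes

def review_downloads(folder: Path = Path.home() / "Downloads") -> list:
    """(name, notes) for everything in the folder, without opening anything."""
    return [(item.name, triage(item.name, read_quarantine(item)))
            for item in sorted(folder.iterdir())] if folder.is_dir() else []

if __name__ == "__main__":
    for name, notes in review_downloads():
        print(name, *("   - " + n for n in notes), sep="\n")
```

Run it from Terminal as your normal user. An installer or app that shows no quarantine attribute, or that was saved by an agent you don’t recognise as one of your browsers, is the one to look at first; the agent name is written by the saving application and is not something the file itself can forge.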
Check and get rid of suspicious login items
Malware often sets itself to start quietly every time you log in to your Mac. The Login Items list is the easiest autostart mechanism to check in System Preferences (launch agents and daemons in your Library folders are another, and do not appear in this list). To review it:
- Click the Apple icon in the top menu
- Go to System Preferences
- Click Users & Groups
- Select Login Items
- In the lower-left portion of the pop-up, click the lock icon
- Select each suspicious login item in the list
- Click the minus sign to remove it
- To confirm your new settings, click the lock icon again
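Both the Applications folder check and the Login Items check above are easier, and more trustworthy, from Terminal, because a code signature tells you more than a name does. The following Python 3 script is an added example, not code from the original article. It lists every launchd property list in the user and system LaunchAgents and LaunchDaemons folders (the other place software registers itself to start at login or boot, which the Login Items pane does not show) and reports the label, the program each one runs, whether it runs at load and restarts if killed, and how that program, and each app bundle in /Applications, is signed according to the codesign tool. Apple’s own system items live under /System/Library and are deliberately left out. It assumes Python 3 and macOS for the codesign call; the plist and codesign parsing run anywhere, both sample inputs are constructed, and the label com.example.updater and the path /Users/Shared/.cache/updater are made up.

```python
#!/usr/bin/env python3
"""Inventory launchd persistence and app signatures on a Mac. Added example,
not the article's own code. Assumes Python 3; codesign needs macOS."""
import os
import plistlib
import shutil
import subprocess
from pathlib import Path
# LaunchAgents run at login (per user or for all users); LaunchDaemons run as
# root at boot. Apple's own items live in /System/Library and are left out.
LAUNCHD_DIRS = [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents"),
                Path("/Library/LaunchDaemons")]

# Constructed sample in the shape malware typically drops: hidden folder, RunAtLoad
# plus KeepAlive so it restarts if killed. Label and path are made up.
SAMPLE_LAUNCH_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.cache/updater</string><string>--silent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample of what `codesign -dv --verbose=4` prints for an Apple app.
SAMPLE_CODESIGN_OUTPUT = """Identifier=com.apple.Safari
TeamIdentifier=not set
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
"""

def launch_item(data: bytes) -> dict:
    """Extract label, program and autostart flags from a launchd plist."""
    p = plistlib.loads(data)
    args = list(p.get("ProgramArguments") or [])
    program = p.get("Program") or (args[0] if args else None)
    return {"label": p.get("Label"), "program": program, "arguments": args[1:],
            "run_at_load": bool(p.get("RunAtLoad", False)),
            "keep_alive": bool(p.get("KeepAlive", False)),
            "program_exists": bool(program) and os.path.exists(program)}

def parse_codesign(output: str) -> dict:
    """Parse codesign output: one Authority= line per certificate, leaf first;
    unsigned code produces a 'not signed at all' message instead."""
    info = {"signed": True, "identifier": None, "team_id": None, "authority": []}
    for line in output.splitlines():
        if "code object is not signed at all" in line:
            info["signed"] = False
        elif line.startswith("Identifier="):
            info["identifier"] = line.split("=", 1)[1]
        elif line.startswith("TeamIdentifier="):
            info["team_id"] = line.split("=", 1)[1]
        elif line.startswith("Authority="):
            info["authority"].append(line.split("=", 1)[1])
    return info

def assess(info: dict) -> str:
    """Classify a parsed signature by its leaf certificate."""
    if "error" in info:
        return info["error"]
    if not info["signed"]:
        return "unsigned"
    if not info["authority"]:
        return "ad hoc (no certificate, so no accountable developer)"
    leaf = info["authority"][0]
    if leaf == "Software Signing":
        return "Apple"
    if leaf == "Apple Mac OS Application Signing":
        return "App Store"
    if leaf.startswith("Developer ID Application:"):
        return f"Developer ID ({info['team_id']})"
    return f"other: {leaf}"

def codesign_info(path: str) -> dict:
    """Run codesign (it writes to stderr); kept apart so parsing is testable offline."""
    if shutil.which("codesign") is None:
        return {"error": "codesign unavailable (not macOS)"}
    res = subprocess.run(["codesign", "-dv", "--verbose=4", path], capture_output=True, text=True)
    return parse_codesign(res.stderr)

def inventory_launch_items(dirs=LAUNCHD_DIRS) -> list:
    """One row per launchd plist: what runs, when, and how it is signed."""
    rows = []
    for plist in sorted(p for d in dirs if d.is_dir() for p in d.glob("*.plist")):
        try:
            item = launch_item(plist.read_bytes())
        except Exception as exc:  # a plist launchd cannot parse is itself suspicious
            rows.append({"plist": str(plist), "error": str(exc)})
            continue
        item["plist"] = str(plist)
        item["signature"] = (assess(codesign_info(item["program"]))
                             if item["program_exists"] else "program missing")
        rows.append(item)
    return rows

def inventory_apps(folder: Path = Path("/Applications")) -> list:
    """Signature class of every bundle in /Applications (the unwanted-apps check)."""
    apps = sorted(folder.glob("*.app")) if folder.is_dir() else []
    return [(app.name, assess(codesign_info(str(app)))) for app in apps]

if __name__ == "__main__":
    print(*inventory_launch_items(), *inventory_apps(), sep="\n")
```

Run it as an ordinary user; the LaunchDaemons folder is readable without sudo. Look hardest at items whose program is unsigned or ad hoc signed, lives in a hidden folder, /Users/Shared or /tmp, or carries a label imitating an Apple or Google identifier but a Team ID you don’t recognise. A KeepAlive item explains why a process you quit in Activity Monitor keeps coming back.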
How to remove malware from Mac
If you are wondering how to remove malware or viruses from your Mac, here are the key actions to carry out:
Enter safe mode
Boot your Mac in Safe Mode. Safe Mode loads only the kernel extensions macOS needs, stops login items and other third-party software from opening automatically, and clears some system caches, so malware that starts at login is kept from running while you remove it.
How to boot into Safe mode on an Intel Mac:
- Hold down Shift as soon as your Mac turns on or restarts
- When you see the login window, take your finger off the Shift key
- Log in using your usual details
- You should see Safe Boot in the top-right corner of the login screen
How to boot into Safe mode on a Mac with Apple silicon (M1 and later):
- Shut down your Mac, then press and hold the power button until “Loading startup options” appears (about 10 seconds)
- Release it when you see the startup options window
- Choose your start up disk, then hold down Shift
- When prompted, click Continue in Safe Mode and release the Shift key
- Log in, and you should find your Mac in Safe mode
To check Safe boot is on, click the Apple logo in the top-left of your screen, then go to About This Mac > System Report > Software. Check Boot Mode says Safe.
Identify malware in Activity Monitor
Use Activity Monitor to look for processes you cannot account for:
- Go to Applications > Utilities > Activity Monitor
- In the CPU and Memory tabs, sort by usage and look for processes with unusually high consumption. Bear in mind that system processes such as kernel_task, WindowServer and mds_stores (Spotlight indexing) can legitimately use a lot of CPU, so an unfamiliar name matters more than a high number
- For a suspicious process, double-click it and use the Open Files and Ports tab, or run ps -p <PID> -o comm= in Terminal, to find the path of its executable. Malware often runs from hidden folders in your home folder, from /Users/Shared or from /tmp rather than from /Applications
- Select the process and click the X (Stop) button in the upper-left area of the toolbar to quit it
- In Finder, go to the executable’s path and delete it, along with the launch agent or login item that starts it; quitting a process without removing what starts it only buys time until the next login
- Empty the Trash
Run a malware scanner
Malware scanners can remove most common infections. If you already have an antivirus product running, its real-time protection evidently did not catch this infection, so use a second, on-demand scanner from a different reputable vendor for this check. Run it once rather than installing a second real-time product alongside the first, since two real-time scanners interfere with each other. Download it from the vendor’s own site, never from a link in a pop-up or a search advert, and afterwards keep security software installed that protects against both existing and emerging malware.
Check browser settings and remove unknown extensions
It is possible for hijackers to divert your traffic and spy on you or steal your data. For this reason, it’s a good idea to check your browser settings and remove unknown extensions. The process is broadly similar for all browsers, although it’s best to check your browser’s help page for specific details.
To remove unwanted Safari extensions:
1. Open Safari and go to Preferences > General
2. In the Homepage field, check the homepage address
3. If the current address looks unfamiliar, change it to a preferred page
4. Open the Extensions tab and select a suspicious extension in the sidebar
5. Click Uninstall. Since Safari 13, extensions are installed by a companion app, so Safari may offer to show that app in Finder; delete the app too
To remove unwanted Chrome extensions:
- In Chrome, select Window > Task Manager
- Sort the CPU column to see if any extensions are using significant processing power. Do the same with the Memory footprint and Network columns
- Now select Window > Extensions from the menu bar
- Look through the installed extensions. Click Details on anything unfamiliar to see the permissions it asked for, then click Remove on any that appear questionable
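The following Python 3 script is an added example, not code from the original article. Chrome keeps each installed extension unpacked under the profile’s Extensions folder, one folder per extension ID and version, each with a manifest.json. Reading those manifests shows what an extension is allowed to do more plainly than the Extensions page does: access to every website you visit, powerful APIs such as webRequest or proxy, and the chrome_settings_overrides key, which is how an extension changes your homepage or default search engine, the hijacking symptom described earlier. It assumes the default profile location on macOS, ~/Library/Application Support/Google/Chrome/Default/Extensions (other profiles sit beside it as “Profile 1”, “Profile 2” and so on); the analysis function runs anywhere, and the sample manifest and messages are constructed.

```python
#!/usr/bin/env python3
"""Summarise the permissions of installed Chrome extensions from their manifests.
Added example, not the article's own code. Assumes Python 3 and Chrome's default
profile path on macOS; the analysis itself runs anywhere."""
import json
import re
from pathlib import Path

EXTENSIONS_DIR = Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions"

# Host patterns that grant access to every site the user visits.
ALL_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs that can read, alter or redirect traffic and data across sites.
POWERFUL_APIS = {"webRequest", "webRequestBlocking", "declarativeNetRequest", "proxy",
                 "cookies", "history", "tabs", "clipboardRead", "nativeMessaging",
                 "debugger", "management"}

# Constructed sample manifest in the shape of a search/homepage hijacker.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "__MSG_appName__",
    "version": "2.1",
    "default_locale": "en",
    "permissions": ["tabs", "webRequest", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
    "chrome_settings_overrides": {
        "homepage": "http://search.example/home",
        "search_provider": {"name": "FastSearch", "is_default": True,
                            "search_url": "http://search.example/?q={searchTerms}"},
    },
}
# Constructed _locales/en/messages.json for the sample above.
SAMPLE_MESSAGES = {"appName": {"message": "Fast Search Helper"}}

def resolve_name(manifest: dict, messages: dict) -> str:
    """Expand Chrome's __MSG_key__ placeholder using the default-locale messages."""
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    return messages.get(m.group(1), {}).get("message", name) if m else name

def analyse(manifest: dict, messages: dict = None) -> dict:
    """Summarise what one extension manifest (MV2 or MV3) is allowed to do."""
    messages = messages or {}
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # In MV2, host patterns sit in "permissions"; content-script matches count in both.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    overrides = manifest.get("chrome_settings_overrides", {})
    findings = []
    if hosts & ALL_HOSTS:
        findings.append("can read and change data on all websites")
    if perms & POWERFUL_APIS:
        findings.append("uses powerful APIs: " + ", ".join(sorted(perms & POWERFUL_APIS)))
    if overrides:
        findings.append("overrides browser settings: " + ", ".join(sorted(overrides)))
    return {"name": resolve_name(manifest, messages), "version": manifest.get("version"),
            "findings": findings}

def installed_extensions(root: Path = EXTENSIONS_DIR) -> list:
    """Walk the profile's Extensions folder (<id>/<version>/manifest.json)."""
    results = []
    for manifest_path in sorted(root.glob("*/*/manifest.json")) if root.is_dir() else []:
        manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        locale = manifest.get("default_locale")
        msg_path = manifest_path.parent / "_locales" / (locale or "") / "messages.json"
        messages = json.loads(msg_path.read_text(encoding="utf-8-sig")) if locale and msg_path.is_file() else {}
        summary = analyse(manifest, messages)
        summary["id"] = manifest_path.parents[1].name
        results.append(summary)
    return results

if __name__ == "__main__":
    for ext in installed_extensions():
        print(f"{ext['id']}  {ext['name']} {ext['version']}", *("   - " + f for f in ext["findings"]), sep="\n")
```

The 32-letter folder name is the extension ID Chrome shows on the Details page, so you can match each finding back to the Extensions page before clicking Remove. Broad permissions are not proof of malice (ad blockers legitimately need all-site access and webRequest), but an extension you don’t remember installing that also carries chrome_settings_overrides is exactly the profile of a browser hijacker.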
Clear your cache
After you have verified your homepage setting, you should clear your browser’s cache. The cache is the portion of your hard drive which stores browser files that your browser thinks it may use again. Without this feature, your browser would operate more slowly since every website you opened would need to download a large number of files from scratch each time. This is how to clear your cache on Safari and Chrome:
To clear your cache on Safari:
Select Safari > Preferences > Privacy > Manage Website Data > Remove All.
To clear your cache on Chrome:
Select Chrome > History > Clear Browsing Data > Time Range > All Time > Clear Data.
What to do if your Mac has a virus
In addition to the advice above, there are various other actions you can carry out to protect yourself if you have been infected with Mac malware – both before and after it has been removed. These include:
During the period of suspected malware infection, stay offline as much as you can. You can turn off your internet connection either by clicking the Wi-Fi icon in the upper-right corner of the menu bar and selecting Turn Wi-Fi Off (or switching Wi-Fi off in Control Centre on recent versions of macOS), or by unplugging the Ethernet cable if you are using a wired network. Staying offline until you are sure the infection has been cleaned up stops any more of your data being sent to the attacker’s server and prevents the malware fetching further components. There is one caveat: you won’t be able to download clean-up tools while offline, so download them first, or on another device, and copy them across.
Avoid using your passwords and change them ASAP:
If you suspect your Mac is infected with malware or a virus, avoid typing any passwords or login details on that device, in case a hidden keylogger, a common component of malware, is running. Keyloggers do not only capture keystrokes: some periodically take screenshots and read the clipboard, so copying and pasting a password from a document, or clicking the Show Password box that appears in some dialog boxes, exposes it just as typing does. Change your passwords from a device you trust.
To change your Mac’s login password:
Go to System Preferences > Users & Groups, then click Change Password.
To change your iCloud password:
Your iCloud password is very important since it allows access to a large volume of personal data on multiple devices. As above, if malware recorded your password as you typed it, your iCloud account could be compromised. To change this, go to System Preferences > Apple ID > Password & Security, then click Change Password. If you haven’t already done so, enable Two-Factor Authentication so no one can get into your iCloud account without an additional verification code sent to your devices.
Once you are confident you have removed any Mac malware or viruses, it’s important to change all your passwords across the board – for websites, cloud services, apps, banks and so on. Remember to use strong passwords and never reuse passwords on multiple sites or with different services. A password manager can help you keep track of numerous passwords.
Cancel bank and credit cards:
If you handed over money at any point for the malware – for example, if you paid for what you thought was a legitimate antivirus app – then contact your credit card company or bank immediately and explain the situation. This is to ensure that your credit card details aren’t used anywhere else, rather than to get a refund – although that might be possible.
Even if no money has changed hands, it’s a good idea to inform your bank or financial institution of the infection and ask their advice on what to do next. They may make a note on your account so they can be extra watchful should anybody try to access in the future. They may also issue you with new details.
Use Time Machine:
Provided you have been making regular backups, you can roll your system back with Time Machine to a backup made before there were any signs of malware on your machine. Choose the restore point carefully: if the malware had already installed itself before that backup was taken, restoring will bring it back along with everything else. Apple’s support site explains how to restore a Mac from a Time Machine backup.
Wipe your Mac and reinstall macOS:
Sometimes the only way to be sure you are clean is to erase your Mac, reinstall macOS and reinstall your apps from scratch, restoring only your documents from a backup. Erasing the disk removes any malicious program that was installed on it.
This is a drastic step, and you lose any software and settings you have not backed up, so for a typical adware or Trojan infection a scan with a reputable Mac antivirus, as described above, is the reasonable first option. If the malware ran with administrator privileges, if you cannot tell what it installed, or if symptoms return after cleaning, erasing and reinstalling is the more reliable choice.
Be selective about which antivirus you use:
One thing you shouldn’t do if you think your Mac is infected with malware is to Google a description of the problem and install the first thing you find that claims to be able to fix things. This is because a lot of software that claims to be able to fix Macs is in fact malware itself or is simply fake and designed only to make you part with your cash. These apps can look convincing and professional, so tread carefully.
How to stop malware getting on to your Mac
Here are some safety tips to protect your Mac from viruses and other malicious software:
Avoid downloading malicious software
Apple builds protections into macOS that are designed to stop you running malicious software. Gatekeeper checks that an app you downloaded is signed by a developer registered with Apple (and, on recent versions of macOS, notarized by Apple) before it is allowed to open. If it isn’t, you are warned that the app is from an unidentified developer and it will not open. This doesn’t necessarily mean it’s malware, but you should only override the warning for software you have verified comes from a source you trust, and you should do so for that one app rather than loosening the policy for everything:
- Open System Preferences
- Go to Security & Privacy and select the General tab
- Click the lock and enter your password so you can make changes
- Leave ‘Allow apps downloaded from’ set to ‘App Store and identified developers’ (the default; choose ‘App Store’ only if you want to be stricter). After a blocked launch, an ‘Open Anyway’ button appears here for that specific app; click it only for software you have verified
Separately from Gatekeeper, macOS includes XProtect, a signature-based malware scanner that Apple updates in the background, and Apple can revoke the notarization of an app found to be malicious. Together these should block known malware, provided it is not so new that Apple has not yet catalogued it (that can take days or weeks). Should macOS detect a malicious app it will let you know and ask you to move it to the Trash.
However, the malware might have resembled legitimate software, such as a virus scanner that you download and installed in panic after believing yourself to be infected. That’s why it’s essential to read trusted reviews or ask for personal recommendations from others before downloading software.
Whilst Apple does offer built-in protections, there are still ways that malicious software could fool you into installing it. This kind of malware might be downloaded by you, or it might arrive via email, or perhaps even arrive via an instant message – so stay vigilant.
Be wary of fake files
Malware and viruses can sometimes be disguised as an image file, word processing or PDF document that you open either without realising what it is, or out of curiosity to see what it is – upon discovering a strange new file on your desktop, for example. That’s why it’s important not to open files that suddenly appear unless you know what they are.
The malware creator’s technique here is to disguise the program as a document: it is given a document icon and often a double extension such as Invoice.pdf.app. Because Finder hides the .app extension by default, such a file appears as Invoice.pdf, and double-clicking it launches a program rather than opening a document. In Finder’s Advanced preferences you can enable Show all filename extensions so the real extension is always visible. These kinds of files often arrive via suspicious emails from contacts whose accounts you later discover were compromised.
Look out for malware-loaded via legitimate files
Malware can infect your system through a flaw or security hole in your browser or other software, such as your word processor or PDF viewer. For example, an otherwise ordinary-looking document or web page contains hidden code that exploits the flaw when opened, then runs without you realising or opens a hole in your system for further exploitation. Keeping macOS, your browser and your document viewers up to date closes most of these holes before they can be used against you.
Avoid fake updates or system tools
Malware can often resemble a legitimate update. Typically this might be offered via a fake warning dialog box while you are browsing. Fake updates for the Adobe Flash Player browser plugin, or fake antivirus/system optimisation apps, are a popular attack vector. Note that Adobe ended support for Adobe Flash at the end of 2020, so any invitation to download the Flash Player is fraudulent.
Don’t accept fake technical help
If you receive an unsolicited phone call which claims to be from Apple or maybe your telecoms provider, and they tell you that they believe your computer is infected and offer to walk you through some steps to repair the damage, then hang up. Their intention is to trick you into downloading malware onto your machine.
Practice cyber hygiene
For example, don’t open email attachments from people you don’t know, avoid websites you don’t trust, only download apps from trusted sources such as the App Store, use strong passwords for each account, back up important files regularly, and use an antivirus for Macs which offers real-time protection.