April 22, 2026·12 min read·MalwareSecurityTroubleshooting

Malware infections on macOS, while less common than on other platforms, have become increasingly sophisticated in 2026. This comprehensive guide will walk you through detecting, removing, and preventing malware on your Mac using both built-in tools and proven manual techniques.

Table of Contents

  1. Signs Your Mac May Be Infected
  2. Types of macOS Malware in 2026
  3. Pre-Removal Preparation
  4. Method 1: Using Activity Monitor
  5. Method 2: Safe Boot and Manual Removal
  6. Method 3: Using macOS Built-in Security Tools
  7. Removing Specific Malware Types
  8. Advanced Removal Techniques
  9. Post-Removal Security Hardening
  10. Prevention Best Practices
  11. FAQ

Signs Your Mac May Be Infected

Before diving into removal procedures, it's crucial to identify whether your Mac is actually infected. Here are common symptoms:

SymptomDescriptionSeverity
Slow PerformanceSystem becomes sluggish, apps take longer to launchMedium
High CPU UsageFan runs constantly, Mac feels hot even during light tasksHigh
Excessive Disk ActivityConstant disk read/write activity without apparent reasonHigh
Battery DrainBattery depletes faster than normalMedium
Unexpected CrashesApps or system crash frequentlyHigh

Visual and Behavioral Symptoms

  • Pop-up advertisements appearing even when browsers are closed
  • Browser redirects to unfamiliar search engines or websites
  • New browser extensions you didn't install
  • Homepage changes without your permission
  • Unknown applications in your Applications folder or Login Items
  • Disabled security features (Gatekeeper, XProtect warnings disappear)
  • Ransom messages demanding payment to unlock files
Signs of network compromise:
• Unusual outbound network traffic
• Inability to access security websites
• DNS settings changed without authorization
• Unknown network connections in Network Preferences
• Firewall disabled automatically

Types of macOS Malware in 2026

Understanding what you're dealing with helps determine the best removal approach:

1. Adware

Characteristics:

  • Most common type on macOS
  • Displays unwanted advertisements
  • Redirects web searches
  • Tracks browsing habits

Common Examples (2026):

  • SearchBaron variants
  • Pirrit family
  • Bundlore/Shlayer derivatives

2. Spyware

Characteristics:

  • Monitors user activity silently
  • Steals credentials and personal data
  • Often masquerades as legitimate software
  • Can record keystrokes and screenshots

Detection Difficulty: High

3. Ransomware

Characteristics:

  • Encrypts user files
  • Demands payment for decryption
  • Relatively rare on macOS but increasing

Notable Strains:

  • EvilQuest (OSX.ThiefQuest)
  • LockBit macOS variant (emerged 2024)
  • KeRanger evolution

4. Trojans

Characteristics:

  • Disguises as legitimate software
  • Provides backdoor access
  • Can download additional malware

Common Delivery Methods:

  • Pirated software
  • Fake Flash/Java updates
  • Compromised websites

5. Cryptocurrency Miners

Characteristics:

  • Uses system resources to mine cryptocurrency
  • Causes high CPU usage and heat
  • Significantly impacts performance

Indicators:

  • Constant 100% CPU usage
  • Process names like "mshelper" or random strings

Pre-Removal Preparation

Before attempting malware removal, take these essential steps:

1. Disconnect from Internet

# Turn off Wi-Fi via command line
sudo ifconfig en0 down

# Or use System Settings
# System Settings > Wi-Fi > Turn Wi-Fi Off

Why: Prevents malware from receiving commands, spreading, or exfiltrating data.

2. Back Up Critical Data

Important: Only back up personal documents, not applications or system files that might be infected.

# Create a backup of Documents folder only
mkdir ~/Desktop/SafeBackup
cp -R ~/Documents ~/Desktop/SafeBackup/

3. Document the Infection

Take screenshots or notes about:

  • Suspicious processes in Activity Monitor
  • Unknown login items
  • Browser extensions
  • Error messages or ransom notes

4. Prepare Recovery Tools

Have ready:

  • macOS Recovery (built-in)
  • External bootable macOS installer (optional)
  • Secondary device for research

Method 1: Using Activity Monitor

Activity Monitor is your first line of defense for identifying malicious processes.

Step 1: Open Activity Monitor

Applications > Utilities > Activity Monitor
Or use Spotlight: Cmd + Space, type "Activity Monitor"

Step 2: Identify Suspicious Processes

Look for processes with these characteristics:

Red FlagWhat to Look ForExample
High CPU UsageProcesses using >50% CPU constantlymshelper, com.apple.photos.ImageConversionService (fake)
Random NamesGibberish or random character namesaG7d9kL2, xxyyzz
Hidden ProcessesNames starting with periods.updater, .systemd
Suspicious LocationsRunning from /tmp, ~/Library/LaunchAgentsAny process from /tmp
Multiple InstancesSame process running many timesMultiple mds or mds_stores

Step 3: Research Unknown Processes

Before terminating anything:

# Check process location
ps aux | grep [process_name]

# Example output:
# user  12345  95.0  2.0  /tmp/.unknown/malware

Safe to ignore (legitimate processes):

  • kernel_task (macOS core)
  • WindowServer (display management)
  • mds_stores (Spotlight indexing)
  • Google Chrome Helper (if Chrome is open)

Step 4: Force Quit Suspicious Processes

  1. Select the suspicious process
  2. Click the ⊗ (X) button in Activity Monitor toolbar
  3. Choose Force Quit

Note: Malware may respawn. Proceed to manual removal.

Method 2: Safe Boot and Manual Removal

Safe Boot loads only essential system extensions and can prevent malware from launching.

Entering Safe Mode

For Apple Silicon Macs:

  1. Shut down your Mac completely
  2. Press and hold the Power button until "Loading startup options" appears
  3. Select your startup disk
  4. Press and hold Shift, then click Continue in Safe Mode
  5. Release Shift when you see the login window

For Intel Macs:

  1. Shut down your Mac
  2. Press the Power button
  3. Immediately press and hold Shift
  4. Release when you see the login window
  5. Log in (you may need to log in twice)

Verification: You'll see "Safe Boot" in red in the menu bar.

What Safe Boot Does

Automatic actions during Safe Boot:
✓ Deletes system cache files
✓ Disables third-party kernel extensions
✓ Loads only essential system extensions
✓ Disables login items
✓ Runs First Aid on the startup disk

Manual Malware Removal Locations

Check and remove suspicious items from these locations:

1. Login Items

System Settings > General > Login Items & Extensions

Remove anything unfamiliar or suspicious.

2. Launch Agents and Daemons

User-Level (most common for malware):

# List user launch agents
ls -la ~/Library/LaunchAgents/

# Common malware locations
~/Library/LaunchAgents/com.unknown.*
~/Library/LaunchAgents/.[any_name]

System-Level (requires admin access):

# List system launch agents
ls -la /Library/LaunchAgents/

# List system launch daemons
ls -la /Library/LaunchDaemons/

How to Remove:

# First, unload the agent
launchctl unload ~/Library/LaunchAgents/[suspicious_file].plist

# Then delete the file
rm ~/Library/LaunchAgents/[suspicious_file].plist

# Check if there's an associated executable
# Plist files often reference executables in:
~/Library/Application Support/

3. Browser Extensions

Safari:

Safari > Settings > Extensions

Chrome:

Chrome > Settings > Extensions
Or visit: chrome://extensions/

Firefox:

Firefox > Add-ons and Themes
Or visit: about:addons

Remove extensions you don't recognize or didn't intentionally install.

4. Application Support

# Check for suspicious folders
ls -la ~/Library/Application\ Support/

# Common malware patterns
~/Library/Application Support/.[hidden_folder]
~/Library/Application Support/[random_string]

5. Preferences and Caches

# List preferences
ls -la ~/Library/Preferences/

# Look for recently modified files
ls -lart ~/Library/Preferences/ | tail -20

# Check caches
ls -la ~/Library/Caches/

Complete Removal Checklist

  • Check and remove from Login Items
  • Scan ~/Library/LaunchAgents/
  • Scan /Library/LaunchAgents/
  • Scan /Library/LaunchDaemons/
  • Remove browser extensions
  • Delete from Applications folder
  • Clear ~/Library/Application Support/
  • Remove preference files
  • Clear cache folders
  • Empty Trash securely

Method 3: Using macOS Built-in Security Tools

XProtect and Malware Removal Tool (MRT)

macOS includes silent malware protection that runs automatically:

Check XProtect Version

# View XProtect version and last update
system_profiler SPInstallHistoryDataType | grep -A 4 "XProtect"

# Expected output shows recent updates
# XProtectPlistConfigData should be recent (within 1-2 weeks)

Force Update XProtect

# Trigger Software Update
softwareupdate --list

# Install all updates including security
sudo softwareupdate --install --all

Malware Removal Tool (MRT)

MRT runs silently in the background. To check if it's working:

# Check MRT version
ls -l /Library/Apple/System/Library/CoreServices/MRT.app

# View MRT logs
log show --predicate 'subsystem == "com.apple.MRT"' --last 7d

Gatekeeper Reset

If Gatekeeper has been disabled by malware:

# Check Gatekeeper status
spctl --status

# Expected output: "assessments enabled"

# If disabled, re-enable
sudo spctl --master-enable

System Integrity Protection (SIP) Verification

# Check SIP status
csrutil status

# Expected: "System Integrity Protection status: enabled"

If SIP is disabled and you didn't disable it:

  1. Restart in Recovery Mode
    • Apple Silicon: Hold Power, select Options
    • Intel: Restart, hold Cmd+R
  2. Open Terminal from Utilities menu
  3. Enable SIP:
    csrutil enable
    
  4. Restart normally

Removing Specific Malware Types

Adware Removal (SearchBaron, Pirrit)

Characteristics:

  • Changes default search engine
  • Injects ads into web pages
  • Creates browser profiles

Removal Steps:

# 1. Remove malicious profiles
ls ~/Library/Application\ Support/Google/Chrome/
# Look for "Profile [number]" folders you didn't create
rm -rf ~/Library/Application\ Support/Google/Chrome/Profile\ [X]

# 2. Reset browser settings
# Safari: Safari > Settings > Search > Select Google/DuckDuckGo
# Chrome: Settings > Search engine > Manage search engines

# 3. Remove DNS overrides
# System Settings > Network > [Your Connection] > Details > DNS
# Remove any unfamiliar DNS servers

# 4. Common adware locations
rm -rf ~/Library/Application\ Support/SearchBaron*
rm -rf ~/Library/Application\ Support/.unknownApp
launchctl unload ~/Library/LaunchAgents/com.SearchBaron.*
rm ~/Library/LaunchAgents/com.SearchBaron.*

Cryptocurrency Miner Removal

Common Process Names:

  • mshelper
  • pplauncher
  • Creative Cloud
  • Random strings

Removal:

# 1. Find the process
ps aux | grep -i [suspicious_name]

# 2. Get the full path
lsof -p [PID]

# 3. Kill the process
kill -9 [PID]

# 4. Remove the executable
rm [path_to_executable]

# 5. Remove persistence mechanism
# Check LaunchAgents and LaunchDaemons
find ~/Library/LaunchAgents -name "*[related_name]*"
find /Library/LaunchAgents -name "*[related_name]*"

# 6. Remove
launchctl unload [plist_path]
rm [plist_path]

Trojan Removal (Bundled Installers)

Common Delivery: Pirated apps, fake updaters

Removal:

# 1. Identify the installation package
pkgutil --pkgs | grep -i [suspicious_name]

# 2. Get package info
pkgutil --pkg-info [package_id]

# 3. List installed files
pkgutil --files [package_id] > /tmp/malware_files.txt

# 4. Review and remove (carefully!)
cat /tmp/malware_files.txt
# Manually delete suspicious files

# 5. Forget the package
sudo pkgutil --forget [package_id]

Advanced Removal Techniques

Using Terminal for Deep Scanning

Find Recently Modified Files

# Files modified in last 7 days in Library
find ~/Library -type f -mtime -7 -ls

# Files created in last 24 hours
find ~/Library -type f -newermt "24 hours ago" -ls

# Executable files in unusual locations
find ~ -type f -perm +111 -path "*/Library/*" -ls

Identify Network Connections

# List all network connections
sudo lsof -i -P | grep ESTABLISHED

# Look for connections to suspicious IPs
# Research unfamiliar connections at virustotal.com

Check Startup Items

# List all launch agents/daemons
sudo launchctl list

# Show loaded services
launchctl list | grep -v "com.apple"

# Get info about specific service
launchctl list | grep [service_name]

Kernel Extension Check

# List loaded kernel extensions (kexts)
kextstat

# Third-party kexts (most should be from com.apple)
kextstat | grep -v com.apple

# Unload suspicious kext
sudo kextunload -b [bundle_id]

# Remove kext
sudo rm -rf /Library/Extensions/[kext_name].kext

Profile Removal

Malware sometimes installs configuration profiles:

System Settings > Privacy & Security > Profiles

Remove any unfamiliar profiles.

Or via Terminal:

# List profiles
sudo profiles list

# Remove profile
sudo profiles remove -identifier [profile_id]

Post-Removal Security Hardening

After removing malware, strengthen your defenses:

1. Change All Passwords

Priority order:

  1. Apple ID password (most critical)
  2. Email account passwords
  3. Banking and financial accounts
  4. Social media accounts
  5. Other online services

Use Keychain Access to audit:

Applications > Utilities > Keychain Access

Review saved passwords and update compromised accounts.

2. Enable FileVault

System Settings > Privacy & Security > FileVault > Turn On

Encrypts your entire disk, protecting against physical attacks.

3. Enable Firewall

System Settings > Network > Firewall > Turn On

Recommended settings:

  • Block all incoming connections
  • Enable stealth mode
# Via Terminal
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

4. Verify Security Settings

# Run security audit
sudo /usr/sbin/system_profiler SPSecurityDataType

# Check for security updates
softwareupdate --list

5. Review App Permissions

System Settings > Privacy & Security

Review and revoke unnecessary permissions for:

  • Location Services
  • Contacts
  • Calendar
  • Camera
  • Microphone
  • Files and Folders
  • Full Disk Access

6. Clear Browser Data

Safari:

Safari > Settings > Privacy > Manage Website Data > Remove All
History > Clear History > All history

Chrome:

Settings > Privacy and security > Clear browsing data
Time range: All time
[x] Cookies and other site data
[x] Cached images and files

7. Audit Third-Party Software

# List installed applications
ls -la /Applications/
ls -la ~/Applications/

# Check for unfamiliar apps
# Uninstall anything suspicious

Proper uninstallation:

  • Use app's uninstaller if available
  • Or drag to Trash and remove support files
  • Use AppCleaner (free tool) for complete removal

Prevention Best Practices

Download Safety

Source TypeSafety LevelNotes
Mac App Store✅ SafestVetted by Apple, sandboxed
Verified Developer✅ SafeCheck signature, avoid if Gatekeeper warns
Official Website⚠️ CautionVerify URL carefully, check for HTTPS
Third-Party Sites⚠️ High RiskOnly use reputable sources (GitHub, SourceForge)
Torrents/Warez❌ DangerousAlmost always contains malware

Safe Browsing Habits

✓ Keep macOS and apps updated
✓ Only install extensions from official stores
✓ Verify download URLs before clicking
✓ Use ad-blocker (uBlock Origin)
✓ Enable "Warn when visiting fraudulent websites" in Safari
✓ Avoid clicking on pop-up ads
✓ Be skeptical of "urgent" security warnings

Email Security

Red flags:

  • Unexpected attachments
  • "Urgent" requests for personal information
  • Sender address doesn't match organization
  • Poor grammar or spelling
  • Links that don't match displayed text

Verify links:

# Hover over links to see actual destination
# Look for:
# • Misspellings (app1e.com instead of apple.com)
# • Extra characters (apple.security-check.com)
# • Wrong domain extensions (.tk, .xyz often used for phishing)

Software Update Discipline

# Check for updates weekly
softwareupdate --list

# Install automatically
sudo softwareupdate --schedule on

# Or use System Settings
# System Settings > General > Software Update
# [x] Automatic updates

Use Standard User Account

Create a separate admin account and use a standard account for daily work:

System Settings > Users & Groups > Add Account
Account type: Standard

This prevents malware from installing system-level components without admin password.

FAQ

Can Macs get viruses?

Yes, but terminology matters. True "viruses" (self-replicating code that modifies other programs) are extremely rare on macOS. However, Macs can and do get:

  • Adware (most common)
  • Trojans (disguised malicious apps)
  • Spyware (data-stealing software)
  • Ransomware (rare but increasing)

macOS's Unix foundation, Gatekeeper, XProtect, and sandboxing make it more resistant than Windows, but no system is immune.

Do I need antivirus software on Mac?

For most users: No. macOS includes robust built-in protection:

  • XProtect: Anti-malware scanning
  • MRT: Malware Removal Tool
  • Gatekeeper: Verifies app signatures
  • Sandboxing: Isolates App Store apps
  • Notarization: Developer verification

Consider third-party antivirus if:

  • You regularly download from untrusted sources
  • You open email attachments frequently
  • You need compliance with corporate policies
  • You want real-time web protection
  • You share files with Windows users

How do I know if malware removal was successful?

Verification checklist:

# 1. Check Activity Monitor
# No suspicious processes with high CPU usage

# 2. Verify no unexpected network activity
sudo lsof -i -P | grep ESTABLISHED

# 3. Check Launch Agents/Daemons are clean
ls ~/Library/LaunchAgents/
ls /Library/LaunchAgents/

# 4. Browser behavior is normal
# No redirects, no unwanted ads, correct homepage

# 5. System performance restored
# Normal CPU/memory usage, battery life improved

# 6. Security features enabled
spctl --status  # Should show "enabled"
csrutil status  # Should show "enabled"

Monitor for 1-2 weeks. If symptoms return, deeper infection may exist.

What is the safest way to download apps?

Priority order:

  1. Mac App Store (safest)

    • All apps reviewed by Apple
    • Sandboxed (limited system access)
    • Automatic updates
  2. Developer's Official Website

    • Verify URL carefully (https://www.adobe.com, not adobe-downloads.com)
    • Check for Apple Developer ID signature
    • Download direct, not through download managers
  3. Reputable Third-Party Sources

    • GitHub (for open source)
    • MacUpdate, Download.com (with caution)
    • Always verify checksums if provided

Never:

  • Torrent sites
  • Warez/"cracked" software sites
  • Random forums or file-sharing sites
  • Download managers or "installers" for free software

Can I get malware from email?

Rarely from just opening an email, but yes from:

  1. Email attachments

    • Especially: .dmg, .pkg, .zip, .js, .app
    • Office documents with macros (requires enabling)
    • Never open unexpected attachments
  2. Links in emails

    • Phishing sites that steal credentials
    • Drive-by downloads (rare on macOS)
    • Always verify sender before clicking
  3. HTML emails

    • Can contain tracking pixels (privacy concern)
    • Can be spoofed to look legitimate

Protection:

  • Use Mail's "Load Remote Content" setting (off by default for unknown senders)
  • Hover over links before clicking
  • Verify sender email address carefully
  • When in doubt, contact sender through separate means

How often should I scan for malware?

Built-in protection runs automatically:

  • XProtect scans downloads immediately
  • MRT runs daily in background
  • No manual scanning needed

Manual checks recommended:

  • Monthly: Review Activity Monitor for suspicious processes
  • Quarterly: Audit Login Items and LaunchAgents
  • After risky activity: Downloaded from untrusted source, opened suspicious email
  • When experiencing symptoms: Slowdowns, pop-ups, unusual behavior

If using third-party antivirus:

  • Quick scan: Weekly
  • Full scan: Monthly

What should I do if I paid a ransom?

If you've already paid:

  1. Contact your bank/credit card immediately

    • Report fraudulent charge
    • Request chargeback
    • Cancel card and request new one
  2. Do NOT expect file recovery

    • Most ransomware operators don't decrypt after payment
    • Payment encourages more attacks
  3. Report to authorities

    • FBI's IC3: https://www.ic3.gov
    • Local law enforcement
    • Apple (via Apple Security)
  4. Document everything

    • Screenshots of ransom message
    • Payment transaction details
    • All communications
  5. Restore from backups

    • If you have Time Machine or cloud backups
    • Verify backups are clean before restoring

Prevention is critical: Regular backups make ransomware ineffective.

Can malware survive a macOS reinstall?

Usually no, but with caveats:

Clean macOS reinstall removes:

  • All user-installed applications
  • User data and malware in user folders
  • System-level malware (if you erase the disk first)

Potential survival scenarios:

  1. If you restore from infected backup

    • Malware reinstalls with your data
    • Always verify backups are clean
  2. EFI/Firmware malware (extremely rare)

    • Persists in firmware, below OS level
    • Requires firmware update or Apple service
    • No confirmed cases on Apple Silicon Macs
  3. If you migrate data without erasing

    • "Upgrade install" may preserve malware
    • Always choose "Erase and Install" for infected systems

Proper clean install procedure:

  1. Boot to Recovery Mode
  2. Use Disk Utility to Erase the disk (APFS encrypted)
  3. Reinstall macOS
  4. Manually copy only personal files (not apps)
  5. Reinstall apps fresh from trusted sources

Is my data stolen if I had spyware?

Assume yes, and take action:

  1. Change all passwords immediately

    • Use a different, uninfected device
    • Start with Apple ID, email, banking
    • Enable 2FA everywhere possible
  2. Monitor accounts for fraud

    • Bank statements
    • Credit report (free annual at annualcreditreport.com)
    • Unusual account activity
  3. Review what was accessible

    • Documents in ~/Documents, ~/Downloads
    • Browser passwords (if not using Keychain)
    • Email content
    • Screenshots/webcam (if spyware had permissions)
  4. Consider fraud alert or credit freeze

    • If sensitive data was accessible
    • Contact credit bureaus
  5. Notify affected parties

    • If business data was compromised
    • Legal obligations may apply (GDPR, etc.)

Spyware capabilities depend on permissions granted. macOS permission system limits damage if you didn't grant Full Disk Access.

Can I trust "free" malware removal tools?

Be very cautious. Many "free" Mac cleaners are actually malware or scareware themselves.

Avoid:

  • MacKeeper (aggressive marketing, questionable practices)
  • Advanced Mac Cleaner (actual malware)
  • Mac Auto Fixer (scareware)
  • Any software that "scans" before you download
  • Pop-up ads claiming your Mac is infected

Trustworthy options:

ToolTypeCostRecommendation
Built-in ToolsIncluded with macOSFree✅ Try first
Malwarebytes for MacAnti-malwareFree/Premium✅ Trusted
KnockKnockLaunchAgent scannerFree✅ Good for detection
BlockBlockPersistence monitoringFree✅ Prevention tool

Red flags for fake cleaners:

  • Claims to find 100+ issues in first scan
  • Requires payment to "fix" issues
  • Downloaded from pop-up ad
  • Aggressive scare tactics
  • Requests admin password immediately

Always download from developer's official website, never from ads.


Conclusion

Removing malware from macOS requires methodical investigation and careful removal of all malicious components. While macOS includes strong built-in protections, user vigilance remains the best defense. By understanding the signs of infection, using Safe Boot and Activity Monitor, manually removing malicious files, and implementing the prevention practices outlined in this guide, you can keep your Mac secure in 2026 and beyond.

Remember:

  • ✅ Keep macOS and apps updated
  • ✅ Only download from trusted sources
  • ✅ Be skeptical of urgent security warnings
  • ✅ Use built-in tools before third-party software
  • ✅ Maintain regular backups
  • ✅ Review permissions and login items periodically

If you're facing a persistent infection that manual removal can't solve, consider consulting with Apple Support or a certified Mac technician. Prevention through safe computing habits is far easier than remediation.