Malware infections on macOS, while less common than on other platforms, have become increasingly sophisticated in 2026. This comprehensive guide will walk you through detecting, removing, and preventing malware on your Mac using both built-in tools and proven manual techniques.
Table of Contents
- Signs Your Mac May Be Infected
- Types of macOS Malware in 2026
- Pre-Removal Preparation
- Method 1: Using Activity Monitor
- Method 2: Safe Boot and Manual Removal
- Method 3: Using macOS Built-in Security Tools
- Removing Specific Malware Types
- Advanced Removal Techniques
- Post-Removal Security Hardening
- Prevention Best Practices
- FAQ
Signs Your Mac May Be Infected
Before diving into removal procedures, it's crucial to identify whether your Mac is actually infected. Here are common symptoms:
Performance-Related Symptoms
| Symptom | Description | Severity |
|---|---|---|
| Slow Performance | System becomes sluggish, apps take longer to launch | Medium |
| High CPU Usage | Fan runs constantly, Mac feels hot even during light tasks | High |
| Excessive Disk Activity | Constant disk read/write activity without apparent reason | High |
| Battery Drain | Battery depletes faster than normal | Medium |
| Unexpected Crashes | Apps or system crash frequently | High |
Visual and Behavioral Symptoms
- Pop-up advertisements appearing even when browsers are closed
- Browser redirects to unfamiliar search engines or websites
- New browser extensions you didn't install
- Homepage changes without your permission
- Unknown applications in your Applications folder or Login Items
- Disabled security features (Gatekeeper, XProtect warnings disappear)
- Ransom messages demanding payment to unlock files
Network-Related Symptoms
Signs of network compromise:
• Unusual outbound network traffic
• Inability to access security websites
• DNS settings changed without authorization
• Unknown network connections in Network Preferences
• Firewall disabled automatically
Types of macOS Malware in 2026
Understanding what you're dealing with helps determine the best removal approach:
1. Adware
Characteristics:
- Most common type on macOS
- Displays unwanted advertisements
- Redirects web searches
- Tracks browsing habits
Common Examples (2026):
- SearchBaron variants
- Pirrit family
- Bundlore/Shlayer derivatives
2. Spyware
Characteristics:
- Monitors user activity silently
- Steals credentials and personal data
- Often masquerades as legitimate software
- Can record keystrokes and screenshots
Detection Difficulty: High
3. Ransomware
Characteristics:
- Encrypts user files
- Demands payment for decryption
- Relatively rare on macOS but increasing
Notable Strains:
- EvilQuest (OSX.ThiefQuest)
- LockBit macOS variant (emerged 2024)
- KeRanger evolution
4. Trojans
Characteristics:
- Disguises as legitimate software
- Provides backdoor access
- Can download additional malware
Common Delivery Methods:
- Pirated software
- Fake Flash/Java updates
- Compromised websites
5. Cryptocurrency Miners
Characteristics:
- Uses system resources to mine cryptocurrency
- Causes high CPU usage and heat
- Significantly impacts performance
Indicators:
- Constant 100% CPU usage
- Process names like "mshelper" or random strings
Pre-Removal Preparation
Before attempting malware removal, take these essential steps:
1. Disconnect from Internet
# Turn off Wi-Fi via command line
sudo ifconfig en0 down
# Or use System Settings
# System Settings > Wi-Fi > Turn Wi-Fi Off
Why: Prevents malware from receiving commands, spreading, or exfiltrating data.
2. Back Up Critical Data
Important: Only back up personal documents, not applications or system files that might be infected.
# Create a backup of Documents folder only
mkdir ~/Desktop/SafeBackup
cp -R ~/Documents ~/Desktop/SafeBackup/
3. Document the Infection
Take screenshots or notes about:
- Suspicious processes in Activity Monitor
- Unknown login items
- Browser extensions
- Error messages or ransom notes
4. Prepare Recovery Tools
Have ready:
- macOS Recovery (built-in)
- External bootable macOS installer (optional)
- Secondary device for research
Method 1: Using Activity Monitor
Activity Monitor is your first line of defense for identifying malicious processes.
Step 1: Open Activity Monitor
Applications > Utilities > Activity Monitor
Or use Spotlight: Cmd + Space, type "Activity Monitor"
Step 2: Identify Suspicious Processes
Look for processes with these characteristics:
| Red Flag | What to Look For | Example |
|---|---|---|
| High CPU Usage | Processes using >50% CPU constantly | mshelper, com.apple.photos.ImageConversionService (fake) |
| Random Names | Gibberish or random character names | aG7d9kL2, xxyyzz |
| Hidden Processes | Names starting with periods | .updater, .systemd |
| Suspicious Locations | Running from /tmp, ~/Library/LaunchAgents | Any process from /tmp |
| Multiple Instances | Same process running many times | Multiple mds or mds_stores |
Step 3: Research Unknown Processes
Before terminating anything:
# Check process location
ps aux | grep [process_name]
# Example output:
# user 12345 95.0 2.0 /tmp/.unknown/malware
Safe to ignore (legitimate processes):
kernel_task(macOS core)WindowServer(display management)mds_stores(Spotlight indexing)Google Chrome Helper(if Chrome is open)
Step 4: Force Quit Suspicious Processes
- Select the suspicious process
- Click the ⊗ (X) button in Activity Monitor toolbar
- Choose Force Quit
Note: Malware may respawn. Proceed to manual removal.
Method 2: Safe Boot and Manual Removal
Safe Boot loads only essential system extensions and can prevent malware from launching.
Entering Safe Mode
For Apple Silicon Macs:
- Shut down your Mac completely
- Press and hold the Power button until "Loading startup options" appears
- Select your startup disk
- Press and hold Shift, then click Continue in Safe Mode
- Release Shift when you see the login window
For Intel Macs:
- Shut down your Mac
- Press the Power button
- Immediately press and hold Shift
- Release when you see the login window
- Log in (you may need to log in twice)
Verification: You'll see "Safe Boot" in red in the menu bar.
What Safe Boot Does
Automatic actions during Safe Boot:
✓ Deletes system cache files
✓ Disables third-party kernel extensions
✓ Loads only essential system extensions
✓ Disables login items
✓ Runs First Aid on the startup disk
Manual Malware Removal Locations
Check and remove suspicious items from these locations:
1. Login Items
System Settings > General > Login Items & Extensions
Remove anything unfamiliar or suspicious.
2. Launch Agents and Daemons
User-Level (most common for malware):
# List user launch agents
ls -la ~/Library/LaunchAgents/
# Common malware locations
~/Library/LaunchAgents/com.unknown.*
~/Library/LaunchAgents/.[any_name]
System-Level (requires admin access):
# List system launch agents
ls -la /Library/LaunchAgents/
# List system launch daemons
ls -la /Library/LaunchDaemons/
How to Remove:
# First, unload the agent
launchctl unload ~/Library/LaunchAgents/[suspicious_file].plist
# Then delete the file
rm ~/Library/LaunchAgents/[suspicious_file].plist
# Check if there's an associated executable
# Plist files often reference executables in:
~/Library/Application Support/
3. Browser Extensions
Safari:
Safari > Settings > Extensions
Chrome:
Chrome > Settings > Extensions
Or visit: chrome://extensions/
Firefox:
Firefox > Add-ons and Themes
Or visit: about:addons
Remove extensions you don't recognize or didn't intentionally install.
4. Application Support
# Check for suspicious folders
ls -la ~/Library/Application\ Support/
# Common malware patterns
~/Library/Application Support/.[hidden_folder]
~/Library/Application Support/[random_string]
5. Preferences and Caches
# List preferences
ls -la ~/Library/Preferences/
# Look for recently modified files
ls -lart ~/Library/Preferences/ | tail -20
# Check caches
ls -la ~/Library/Caches/
Complete Removal Checklist
- Check and remove from Login Items
- Scan ~/Library/LaunchAgents/
- Scan /Library/LaunchAgents/
- Scan /Library/LaunchDaemons/
- Remove browser extensions
- Delete from Applications folder
- Clear ~/Library/Application Support/
- Remove preference files
- Clear cache folders
- Empty Trash securely
Method 3: Using macOS Built-in Security Tools
XProtect and Malware Removal Tool (MRT)
macOS includes silent malware protection that runs automatically:
Check XProtect Version
# View XProtect version and last update
system_profiler SPInstallHistoryDataType | grep -A 4 "XProtect"
# Expected output shows recent updates
# XProtectPlistConfigData should be recent (within 1-2 weeks)
Force Update XProtect
# Trigger Software Update
softwareupdate --list
# Install all updates including security
sudo softwareupdate --install --all
Malware Removal Tool (MRT)
MRT runs silently in the background. To check if it's working:
# Check MRT version
ls -l /Library/Apple/System/Library/CoreServices/MRT.app
# View MRT logs
log show --predicate 'subsystem == "com.apple.MRT"' --last 7d
Gatekeeper Reset
If Gatekeeper has been disabled by malware:
# Check Gatekeeper status
spctl --status
# Expected output: "assessments enabled"
# If disabled, re-enable
sudo spctl --master-enable
System Integrity Protection (SIP) Verification
# Check SIP status
csrutil status
# Expected: "System Integrity Protection status: enabled"
If SIP is disabled and you didn't disable it:
- Restart in Recovery Mode
- Apple Silicon: Hold Power, select Options
- Intel: Restart, hold Cmd+R
- Open Terminal from Utilities menu
- Enable SIP:
csrutil enable - Restart normally
Removing Specific Malware Types
Adware Removal (SearchBaron, Pirrit)
Characteristics:
- Changes default search engine
- Injects ads into web pages
- Creates browser profiles
Removal Steps:
# 1. Remove malicious profiles
ls ~/Library/Application\ Support/Google/Chrome/
# Look for "Profile [number]" folders you didn't create
rm -rf ~/Library/Application\ Support/Google/Chrome/Profile\ [X]
# 2. Reset browser settings
# Safari: Safari > Settings > Search > Select Google/DuckDuckGo
# Chrome: Settings > Search engine > Manage search engines
# 3. Remove DNS overrides
# System Settings > Network > [Your Connection] > Details > DNS
# Remove any unfamiliar DNS servers
# 4. Common adware locations
rm -rf ~/Library/Application\ Support/SearchBaron*
rm -rf ~/Library/Application\ Support/.unknownApp
launchctl unload ~/Library/LaunchAgents/com.SearchBaron.*
rm ~/Library/LaunchAgents/com.SearchBaron.*
Cryptocurrency Miner Removal
Common Process Names:
mshelperpplauncherCreative Cloud- Random strings
Removal:
# 1. Find the process
ps aux | grep -i [suspicious_name]
# 2. Get the full path
lsof -p [PID]
# 3. Kill the process
kill -9 [PID]
# 4. Remove the executable
rm [path_to_executable]
# 5. Remove persistence mechanism
# Check LaunchAgents and LaunchDaemons
find ~/Library/LaunchAgents -name "*[related_name]*"
find /Library/LaunchAgents -name "*[related_name]*"
# 6. Remove
launchctl unload [plist_path]
rm [plist_path]
Trojan Removal (Bundled Installers)
Common Delivery: Pirated apps, fake updaters
Removal:
# 1. Identify the installation package
pkgutil --pkgs | grep -i [suspicious_name]
# 2. Get package info
pkgutil --pkg-info [package_id]
# 3. List installed files
pkgutil --files [package_id] > /tmp/malware_files.txt
# 4. Review and remove (carefully!)
cat /tmp/malware_files.txt
# Manually delete suspicious files
# 5. Forget the package
sudo pkgutil --forget [package_id]
Advanced Removal Techniques
Using Terminal for Deep Scanning
Find Recently Modified Files
# Files modified in last 7 days in Library
find ~/Library -type f -mtime -7 -ls
# Files created in last 24 hours
find ~/Library -type f -newermt "24 hours ago" -ls
# Executable files in unusual locations
find ~ -type f -perm +111 -path "*/Library/*" -ls
Identify Network Connections
# List all network connections
sudo lsof -i -P | grep ESTABLISHED
# Look for connections to suspicious IPs
# Research unfamiliar connections at virustotal.com
Check Startup Items
# List all launch agents/daemons
sudo launchctl list
# Show loaded services
launchctl list | grep -v "com.apple"
# Get info about specific service
launchctl list | grep [service_name]
Kernel Extension Check
# List loaded kernel extensions (kexts)
kextstat
# Third-party kexts (most should be from com.apple)
kextstat | grep -v com.apple
# Unload suspicious kext
sudo kextunload -b [bundle_id]
# Remove kext
sudo rm -rf /Library/Extensions/[kext_name].kext
Profile Removal
Malware sometimes installs configuration profiles:
System Settings > Privacy & Security > Profiles
Remove any unfamiliar profiles.
Or via Terminal:
# List profiles
sudo profiles list
# Remove profile
sudo profiles remove -identifier [profile_id]
Post-Removal Security Hardening
After removing malware, strengthen your defenses:
1. Change All Passwords
Priority order:
- Apple ID password (most critical)
- Email account passwords
- Banking and financial accounts
- Social media accounts
- Other online services
Use Keychain Access to audit:
Applications > Utilities > Keychain Access
Review saved passwords and update compromised accounts.
2. Enable FileVault
System Settings > Privacy & Security > FileVault > Turn On
Encrypts your entire disk, protecting against physical attacks.
3. Enable Firewall
System Settings > Network > Firewall > Turn On
Recommended settings:
- Block all incoming connections
- Enable stealth mode
# Via Terminal
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
4. Verify Security Settings
# Run security audit
sudo /usr/sbin/system_profiler SPSecurityDataType
# Check for security updates
softwareupdate --list
5. Review App Permissions
System Settings > Privacy & Security
Review and revoke unnecessary permissions for:
- Location Services
- Contacts
- Calendar
- Camera
- Microphone
- Files and Folders
- Full Disk Access
6. Clear Browser Data
Safari:
Safari > Settings > Privacy > Manage Website Data > Remove All
History > Clear History > All history
Chrome:
Settings > Privacy and security > Clear browsing data
Time range: All time
[x] Cookies and other site data
[x] Cached images and files
7. Audit Third-Party Software
# List installed applications
ls -la /Applications/
ls -la ~/Applications/
# Check for unfamiliar apps
# Uninstall anything suspicious
Proper uninstallation:
- Use app's uninstaller if available
- Or drag to Trash and remove support files
- Use AppCleaner (free tool) for complete removal
Prevention Best Practices
Download Safety
| Source Type | Safety Level | Notes |
|---|---|---|
| Mac App Store | ✅ Safest | Vetted by Apple, sandboxed |
| Verified Developer | ✅ Safe | Check signature, avoid if Gatekeeper warns |
| Official Website | ⚠️ Caution | Verify URL carefully, check for HTTPS |
| Third-Party Sites | ⚠️ High Risk | Only use reputable sources (GitHub, SourceForge) |
| Torrents/Warez | ❌ Dangerous | Almost always contains malware |
Safe Browsing Habits
✓ Keep macOS and apps updated
✓ Only install extensions from official stores
✓ Verify download URLs before clicking
✓ Use ad-blocker (uBlock Origin)
✓ Enable "Warn when visiting fraudulent websites" in Safari
✓ Avoid clicking on pop-up ads
✓ Be skeptical of "urgent" security warnings
Email Security
Red flags:
- Unexpected attachments
- "Urgent" requests for personal information
- Sender address doesn't match organization
- Poor grammar or spelling
- Links that don't match displayed text
Verify links:
# Hover over links to see actual destination
# Look for:
# • Misspellings (app1e.com instead of apple.com)
# • Extra characters (apple.security-check.com)
# • Wrong domain extensions (.tk, .xyz often used for phishing)
Software Update Discipline
# Check for updates weekly
softwareupdate --list
# Install automatically
sudo softwareupdate --schedule on
# Or use System Settings
# System Settings > General > Software Update
# [x] Automatic updates
Use Standard User Account
Create a separate admin account and use a standard account for daily work:
System Settings > Users & Groups > Add Account
Account type: Standard
This prevents malware from installing system-level components without admin password.
FAQ
Can Macs get viruses?
Yes, but terminology matters. True "viruses" (self-replicating code that modifies other programs) are extremely rare on macOS. However, Macs can and do get:
- Adware (most common)
- Trojans (disguised malicious apps)
- Spyware (data-stealing software)
- Ransomware (rare but increasing)
macOS's Unix foundation, Gatekeeper, XProtect, and sandboxing make it more resistant than Windows, but no system is immune.
Do I need antivirus software on Mac?
For most users: No. macOS includes robust built-in protection:
- XProtect: Anti-malware scanning
- MRT: Malware Removal Tool
- Gatekeeper: Verifies app signatures
- Sandboxing: Isolates App Store apps
- Notarization: Developer verification
Consider third-party antivirus if:
- You regularly download from untrusted sources
- You open email attachments frequently
- You need compliance with corporate policies
- You want real-time web protection
- You share files with Windows users
How do I know if malware removal was successful?
Verification checklist:
# 1. Check Activity Monitor
# No suspicious processes with high CPU usage
# 2. Verify no unexpected network activity
sudo lsof -i -P | grep ESTABLISHED
# 3. Check Launch Agents/Daemons are clean
ls ~/Library/LaunchAgents/
ls /Library/LaunchAgents/
# 4. Browser behavior is normal
# No redirects, no unwanted ads, correct homepage
# 5. System performance restored
# Normal CPU/memory usage, battery life improved
# 6. Security features enabled
spctl --status # Should show "enabled"
csrutil status # Should show "enabled"
Monitor for 1-2 weeks. If symptoms return, deeper infection may exist.
What is the safest way to download apps?
Priority order:
Mac App Store (safest)
- All apps reviewed by Apple
- Sandboxed (limited system access)
- Automatic updates
Developer's Official Website
- Verify URL carefully (https://www.adobe.com, not adobe-downloads.com)
- Check for Apple Developer ID signature
- Download direct, not through download managers
Reputable Third-Party Sources
- GitHub (for open source)
- MacUpdate, Download.com (with caution)
- Always verify checksums if provided
Never:
- Torrent sites
- Warez/"cracked" software sites
- Random forums or file-sharing sites
- Download managers or "installers" for free software
Can I get malware from email?
Rarely from just opening an email, but yes from:
Email attachments
- Especially: .dmg, .pkg, .zip, .js, .app
- Office documents with macros (requires enabling)
- Never open unexpected attachments
Links in emails
- Phishing sites that steal credentials
- Drive-by downloads (rare on macOS)
- Always verify sender before clicking
HTML emails
- Can contain tracking pixels (privacy concern)
- Can be spoofed to look legitimate
Protection:
- Use Mail's "Load Remote Content" setting (off by default for unknown senders)
- Hover over links before clicking
- Verify sender email address carefully
- When in doubt, contact sender through separate means
How often should I scan for malware?
Built-in protection runs automatically:
- XProtect scans downloads immediately
- MRT runs daily in background
- No manual scanning needed
Manual checks recommended:
- Monthly: Review Activity Monitor for suspicious processes
- Quarterly: Audit Login Items and LaunchAgents
- After risky activity: Downloaded from untrusted source, opened suspicious email
- When experiencing symptoms: Slowdowns, pop-ups, unusual behavior
If using third-party antivirus:
- Quick scan: Weekly
- Full scan: Monthly
What should I do if I paid a ransom?
If you've already paid:
Contact your bank/credit card immediately
- Report fraudulent charge
- Request chargeback
- Cancel card and request new one
Do NOT expect file recovery
- Most ransomware operators don't decrypt after payment
- Payment encourages more attacks
Report to authorities
- FBI's IC3: https://www.ic3.gov
- Local law enforcement
- Apple (via Apple Security)
Document everything
- Screenshots of ransom message
- Payment transaction details
- All communications
Restore from backups
- If you have Time Machine or cloud backups
- Verify backups are clean before restoring
Prevention is critical: Regular backups make ransomware ineffective.
Can malware survive a macOS reinstall?
Usually no, but with caveats:
Clean macOS reinstall removes:
- All user-installed applications
- User data and malware in user folders
- System-level malware (if you erase the disk first)
Potential survival scenarios:
If you restore from infected backup
- Malware reinstalls with your data
- Always verify backups are clean
EFI/Firmware malware (extremely rare)
- Persists in firmware, below OS level
- Requires firmware update or Apple service
- No confirmed cases on Apple Silicon Macs
If you migrate data without erasing
- "Upgrade install" may preserve malware
- Always choose "Erase and Install" for infected systems
Proper clean install procedure:
- Boot to Recovery Mode
- Use Disk Utility to Erase the disk (APFS encrypted)
- Reinstall macOS
- Manually copy only personal files (not apps)
- Reinstall apps fresh from trusted sources
Is my data stolen if I had spyware?
Assume yes, and take action:
Change all passwords immediately
- Use a different, uninfected device
- Start with Apple ID, email, banking
- Enable 2FA everywhere possible
Monitor accounts for fraud
- Bank statements
- Credit report (free annual at annualcreditreport.com)
- Unusual account activity
Review what was accessible
- Documents in ~/Documents, ~/Downloads
- Browser passwords (if not using Keychain)
- Email content
- Screenshots/webcam (if spyware had permissions)
Consider fraud alert or credit freeze
- If sensitive data was accessible
- Contact credit bureaus
Notify affected parties
- If business data was compromised
- Legal obligations may apply (GDPR, etc.)
Spyware capabilities depend on permissions granted. macOS permission system limits damage if you didn't grant Full Disk Access.
Can I trust "free" malware removal tools?
Be very cautious. Many "free" Mac cleaners are actually malware or scareware themselves.
Avoid:
- MacKeeper (aggressive marketing, questionable practices)
- Advanced Mac Cleaner (actual malware)
- Mac Auto Fixer (scareware)
- Any software that "scans" before you download
- Pop-up ads claiming your Mac is infected
Trustworthy options:
| Tool | Type | Cost | Recommendation |
|---|---|---|---|
| Built-in Tools | Included with macOS | Free | ✅ Try first |
| Malwarebytes for Mac | Anti-malware | Free/Premium | ✅ Trusted |
| KnockKnock | LaunchAgent scanner | Free | ✅ Good for detection |
| BlockBlock | Persistence monitoring | Free | ✅ Prevention tool |
Red flags for fake cleaners:
- Claims to find 100+ issues in first scan
- Requires payment to "fix" issues
- Downloaded from pop-up ad
- Aggressive scare tactics
- Requests admin password immediately
Always download from developer's official website, never from ads.
Conclusion
Removing malware from macOS requires methodical investigation and careful removal of all malicious components. While macOS includes strong built-in protections, user vigilance remains the best defense. By understanding the signs of infection, using Safe Boot and Activity Monitor, manually removing malicious files, and implementing the prevention practices outlined in this guide, you can keep your Mac secure in 2026 and beyond.
Remember:
- ✅ Keep macOS and apps updated
- ✅ Only download from trusted sources
- ✅ Be skeptical of urgent security warnings
- ✅ Use built-in tools before third-party software
- ✅ Maintain regular backups
- ✅ Review permissions and login items periodically
If you're facing a persistent infection that manual removal can't solve, consider consulting with Apple Support or a certified Mac technician. Prevention through safe computing habits is far easier than remediation.