macOS crypto wallet malware, should users really be worried?

A new strain of macOS-specific malware targeting crypto wallets is causing alarm in the media. However, security analyst Patrick Wardle says the threat has been exaggerated and that the average Mac user need not worry.

Check Point researchers say a new strain of macOS malware, dubbed Banshee, dodged antivirus systems for more than two months by using encryption techniques borrowed from Apple’s security tools.

Media outlets soon swept up the story. The New York Post quoted Check Point’s findings, warning that more than 100 million could be victims, while Forbes warned of “real-and-present dangers.”

According to a decrypt report, an Apple security researcher does not agree with the alarmist tone.

This needs some more context as the media is running wild with this, blowing it 1000% of out of proportion 🙄

The original post from @_cpresearch_ does a good job largely sticking to technical details: https://t.co/vgfzBztOti pic.twitter.com/hYBTskphZb

— Patrick Wardle (@patrickwardle) January 12, 2025

The crypto macOS malware issue is exaggerated 

“There’s really nothing special about this specific sample,” Wardle said in an interview via Signal, speaking about Banshee, a “stealer-as-a-service” that reportedly stole crypto wallets and browser credentials.

The threat targeted software-based cryptocurrency wallets, so crypto users are concerned about the malware. However, Wardle thinks its ability and the extent of its impact have been overstated.

The trick worked because its Apple XProtect antivirus string encryption allowed it to run undetected from late September through November 2024, bypassing security measures.

However, when its source code leaked on underground forums, the creators shut the operation down.

Wardle asks users to focus on general security best practices 

According to Wardle, the malware employed sophisticated evasion techniques but its core theft capabilities were quite basic.

He said, “XOR is the most basic type of obfuscation,” adding Apple and Banshee both use it. Therefore, “The fact that Banshee used the same approach as Apple’s is irrelevant”

Wardle also shared that the latest macOS updates have already blocked this type of malware. He said that by default, macOS makes it extremely difficult for most malware to work, so “there’s essentially no risk for the average Mac user.”

However, even as he admitted to more advanced threats like zero-day exploits, Wardle asked users to focus on general security best practices rather than specific malware. “There’s always a tradeoff between security and usability,” he said, pointing out Apple’s attempts to find balance.

The real risks could be miscommunicated. The case shows how media coverage can obscure technical details, as Wardle highlighted. “There are sophisticated malware out there […] this isn’t one of them,” he said.