Malware on the Mac "worse than iOS"
AdLoad, one of the second-stage payloads delivered by WizardUpdate on compromised Macs, also hijacks search engine results and injects advertisements into web pages for monetary gain using a Man-in-The-Middle (MiTM) web proxy
It also gains persistence by adding LaunchAgents and LaunchDaemons and, in some cases, user cronjobs scheduled to run every two and a half hours.
While monitoring AdLoad campaigns active since November 2020, when WizardUpdate was also first spotted, SentinelOne threat researcher Phil Stokes
found hundreds of samples, roughly 150 of them unique and undetected by Apple's built-in antivirus.
Many of the samples detected by Stokes were also
signed with valid Apple-issued Developer ID certificates, while others were notarized to run under default
Gatekeeper settings.
Although both WizardUpdate and AdLoad now only deploy adware and bundleware as secondary payloads, they can switch at any time to more dangerous malware such as wipers or ransomware.
"Today, we have a level of malware on the Mac that we don't find acceptable and that is much worse than iOS,"
said Craig Federighi, Apple's head of software, in May 2021 under oath while testifying in the Epic Games vs. Apple trial.