
Black Hat Talk Reveals macOS Malware Insights from 89,000 Binary Samples
The Black Hat talk titled 'Silence on Mac OS: What More Than 80,000 Binary Samples Reveal About the Mac OS Ecosystem' challenges the misconception that macOS is malware-free, presenting research based on 89,000 binary samples (44,000 malicious, 44,000 undetected, and 25,000 high-confidence benign). Researchers Obina Igbe and Godwin developed Catalina, an open-source Golang tool for cross-platform macOS malware analysis that extracts over 100 features, such as entitlements, certificate details, and opcode frequencies, without requiring macOS hardware. The accompanying dataset, Mallet, addresses the lack of large-scale resources for macOS malware research; it reveals that 93% of macOS malware is unsigned and highlights gaps such as a 721-day dwell time for DPRK-signed malware before certificate revocation.

Key macOS security mechanisms discussed include Gatekeeper, XProtect, AMFI (entitlement enforcement), TCC (user consent), and SIP (System Integrity Protection), with findings showing that malware increasingly targets credentials via the keychain and browser cookies. The talk also introduced Santa, an open-source framework for binary/file authorization and rule-based prevention, and noted that 23-24% of malware uses persistence techniques such as launch agents.

Observations include the rise of stealers, the inefficacy of EDR/AV solutions, and the need for proactive defenses such as MDM-enforced security controls. The research underscores macOS's growing enterprise and developer adoption (30-32% of developers per Stack Overflow) as a driver for improved security focus.
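As an added illustration of the hardware-independent feature extraction the talk attributes to Catalina (example code written for this summary, not Catalina's own source), the Go program below uses the standard library's debug/macho package to read a few static features from a Mach-O image on any host OS, including whether an LC_CODE_SIGNATURE load command is present, which is the signed/unsigned distinction behind the "93% unsigned" finding. The Features struct, the ExtractFeatures function and the constructed sample image are assumptions of this example.

```go
package main

import (
	"bytes"
	"debug/macho"
	"encoding/binary"
)
// LC_CODE_SIGNATURE from mach-o/loader.h; debug/macho keeps it as raw LoadBytes.
const lcCodeSignature macho.LoadCmd = 0x1d
// Features holds static features read only from the Mach-O header and load commands, so it needs no macOS host.
type Features struct {
	CPU      macho.Cpu
	Type     macho.Type
	NumLoads int
	Signed   bool     // an LC_CODE_SIGNATURE load command is present
	Dylibs   []string // names from LC_LOAD_DYLIB commands
}
// ExtractFeatures parses a thin (non-fat) Mach-O image held in memory.
func ExtractFeatures(data []byte) (Features, error) {
	f, err := macho.NewFile(bytes.NewReader(data))
	if err != nil {
		return Features{}, err
	}
	feat := Features{CPU: f.Cpu, Type: f.Type, NumLoads: len(f.Loads)}
	for _, l := range f.Loads {
		raw := l.Raw() // every load command starts with uint32 cmd, uint32 cmdsize
		if len(raw) >= 4 && macho.LoadCmd(f.ByteOrder.Uint32(raw[:4])) == lcCodeSignature {
			feat.Signed = true
		}
		if d, ok := l.(*macho.Dylib); ok {
			feat.Dylibs = append(feat.Dylibs, d.Name)
		}
	}
	return feat, nil
}
// sampleMachO builds a constructed little-endian arm64 MH_EXECUTE image (not a
// real program) with one LC_LOAD_DYLIB and, when signed, one LC_CODE_SIGNATURE.
func sampleMachO(signed bool) []byte {
	le, out, ncmd, cmdsz := binary.LittleEndian, new(bytes.Buffer), uint32(1), uint32(56)
	if signed {
		ncmd, cmdsz = 2, 72
	}
	binary.Write(out, le, []uint32{macho.Magic64, uint32(macho.CpuArm64), 0, uint32(macho.TypeExec), ncmd, cmdsz, 0, 0}) // 32-byte mach_header_64, last word reserved
	binary.Write(out, le, []uint32{uint32(macho.LoadCmdDylib), 56, 24, 0, 0, 0})    // LC_LOAD_DYLIB, name at offset 24
	out.Write(append([]byte("/usr/lib/libSystem.B.dylib\x00"), make([]byte, 5)...)) // name padded to 32 bytes
	if signed {
		binary.Write(out, le, []uint32{uint32(lcCodeSignature), 16, 0, 0}) // LC_CODE_SIGNATURE: dataoff, datasize
	}
	return out.Bytes()
}
```

A real pipeline would also handle fat (universal) images with macho.NewFatFile and walk each architecture slice the same way.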