For a long time, macOS users felt safer from malware than Windows users, partly because macOS has a smaller market share and includes built-in security features. However, that sense of security is fading as more and more malware begins to target macOS. One type of malware making waves is called Atomic macOS Stealer (AMOS), which focuses on stealing sensitive data like passwords, browser cookies, autofill information, and even cryptocurrency wallets.
What is AMOS?
Discovered in April 2023, AMOS is a type of malware specifically designed to steal valuable information from macOS computers. Cybercriminals can either use this stolen data themselves or sell it on underground markets, where there's a high demand. In fact, AMOS has become so popular that the cost to rent it has tripled in just a year—from $1,000 per month in May 2023 to $3,000 per month by May 2024.
AMOS isn’t the only infostealer around—others like MetaStealer and KeySteal exist—but AMOS has stood out because of how widely it's being used and how easy it is to buy through public channels like Telegram.
Apple chip cookie monster: skip the ad
One of the main ways AMOS spreads is through malvertising, where attackers place malicious ads on legitimate websites. These ads trick users into downloading malware by pretending to be popular apps like Slack, Notion, or Todoist. Another technique, called SEO poisoning, pushes fake websites high up in search engine results, making them look trustworthy.
AMOS has also been found in social media ads, such as one on X.com (formerly Twitter), which led users to download a fake version of "Clean My Mac X" from a fraudulent website designed to look like the real MacPaw site.
How AMOS Works
Once AMOS is installed, it connects to a command-and-control (C2) server, which is where the stolen data is sent. These C2 panels are password-protected and provide hackers with an interface to monitor and manage the data they've collected. The stolen data is often sold to other criminals on underground markets.
How AMOS Is Evolving
Since its launch, AMOS has become more difficult to detect. Its developers have started using obfuscation techniques to hide the malware’s functions, making it harder for security researchers to study. Newer versions even use a Python-based dropper, a small program that downloads and installs the main malware while avoiding detection.
There are also rumors that an iOS version of AMOS could be in the works. This is particularly concerning as Apple’s future compliance with the European Union’s Digital Markets Act (DMA) will require it to allow alternative app stores. This change could open the door for malware distributors to use the same tactics on iPhones that they currently use on Macs.
Fool the stealer
As AMOS becomes more common, it's important for macOS users to take steps to protect themselves. Here are a few key tips:
Download apps from trusted sources: Only get software from official app stores or well-known, trusted websites. Be cautious of downloading from unfamiliar sites, especially if the offer seems too good to be true.
Watch out for suspicious pop-ups: AMOS often tricks users by asking for system access or passwords. If a pop-up seems suspicious or unexpected, be cautious.
Keep your software updated: Regular updates patch security vulnerabilities that malware like AMOS can exploit.
Use encryption and a master password: Infostealers like AMOS can extract stored browser data. By enabling a master password or using biometric security, you can add extra protection.