AV-Comparatives - Mac Security Test & Review May 2026
#1
Bug 
Quote:
Introduction

macOS has long enjoyed a reputation for robust security and is often seen as a “hardened” alternative to Windows. Although malware targeting macOS remains far less common than on Windows and Android, there have still been numerous real-world instances (https://www.macworld.com/article/672879/...flaws.html). In fact, attackers no longer regard Macs as secondary targets (https://www.macworld.com/article/670537/...virus.html, https://objective-see.org/blog/blog_0x84.html). In 2023 and 2024, a surge of sophisticated information-stealers, most notably Atomic Stealer (AMOS) and its forks such as Odyssey (formerly Poseidon), CloudChat, and Shamos, dominated new macOS threats. These cloud-controlled services harvest browser cookies, saved passwords, Keychain data, cryptocurrency wallet credentials, and even extract logins from popular password managers, VPN configurations, and FTP clients. By late 2025, additional stealer families had emerged, including Phexia, DigitStealer, and MacSync Stealer. The latter is notable for being distributed via signed and notarised executables to bypass Gatekeeper scrutiny. Malware in this category is also becoming increasingly modular, with stealers and backdoor components bundled together to enable persistent access rather than one-off data theft.

Distribution tactics have evolved accordingly, with threat actors now relying more on targeted malvertising campaigns and social-engineering schemes rather than user-installed adware bundles. Examples include cloned download sites offering “popular” Mac apps that instead serve up malicious disk images, deceptive Google ads, fake utilities (e.g., video-chat tools, VPN clients), trojanised installers, phishing emails embedding PDF-masquerading apps, and ClickFix-style attacks, which convince users to copy-paste malicious commands directly into Terminal (https://www.microsoft.com/en-us/security...ostealers/), bypassing Gatekeeper entirely. Consequently, both everyday users and enterprises must supplement basic vigilance with multi-layered defences: modern endpoint protection with real-time malware scanning, DNS and web filtering to block malicious ads, and EDR solutions to detect abnormal system behaviours before data is lost.

Full Report