Malware analysis

Malware spotlight: Tarmac

March 3, 2020 by Daniel Dimov


Many people wrongly believe that Mac computers are unable to get viruses. This belief is far from true. nVir, the first virus targeting Macintosh computers, appeared in 1987 and remained active until 1991. Although Macs are traditionally not friendly towards programs coming from unknown developers, they can still be affected by malware.

A new type of virus called Tarmac is currently spreading on Macs all over the world. It successfully passes a Mac’s built-in security measures, such as Xprotect (which does not allow malware to be opened) and Gatekeeper (which allows only the installation of software developed by certified developers). Macs are subject to fewer attacks than computers using Windows likely because criminals create more malware for Windows computers than for Macs.

This article examines Tarmac malware in detail and provides recommendations on how to avoid an infection with it.

What is the modus operandi of Tarmac malware?

Tarmac has been active since January 2019 and targeted mainly users in the United States, Japan, and Italy. It works together with another malware called Shlayer. Shlayer has been the most common malware threat for Mac for about two years. For example, in 2019, one out of ten Kaspersky security solutions for Mac encountered Shlayer.

Tarmac spreads itself through malicious ads. Once a potential victim clicks on one of those malicious ads, he or she will be requested to download a file purporting to contain a Flash player. Interestingly, the file contains a legitimate Apple developer certification. The certification allows the malicious file to pass through the security measures of the targeted Mac.

The certification is not difficult to obtain. Any Apple developer can obtain it for $99. Taha Karim, a security researcher at Confiant, writes: “Signing malware with Apple developer certificates, not only it is easy to do, but became a standard practice for macOS malware developers and that’s one of the reasons why Gatekeeper and XProtect are failing to stop this malware: it is signed.”

Once the victim executes the malicious file, the malware will connect to a central server which is currently offline. This means it is not clear what tasks the central server will assign to infected computers once it becomes online. The central server will likely collect information from the infected computers and possibly install other malware on them.

How to avoid infection with Tarmac

The preventive measures against Tarmac need to include:

  1. Raising information security awareness about the malware
  2. The use of anti-malware solutions

These two types of preventive measures are discussed below.

Raising information security awareness

As discussed above, Tarmac spreads through social engineering attacks such as luring the victims to click on malicious links and open malicious files. Thus, it relies on the human factor which is the most vulnerable element of the cybersecurity system of an organization.

Therefore, organizations willing to avoid infection with Tarmac are advised to provide their staff with comprehensive instructions on how to identify the malicious links through which the malware propagates and how to avoid opening the bogus Flash player that connects the victim’s computer to a central server. The staff of an organization needs to be the last line of each cybersecurity defense and not merely a resource that needs to be protected.

The use of anti-malware solutions

One can find both free and paid anti-malware applications for Mac. For example, Avast Software offers a free anti-malware solution for Mac. It has three main functionalities:

  1. Detecting ransomware, viruses and other threats in real time
  2. Warning the user about unsafe websites and blocking intrusive web trackers
  3. Scanning for Wi-Fi security weaknesses

People who would like to get enhanced information security can use Avast Software’s premium solution. In addition to the three functionalities mentioned above, this provides instant alerts regarding network vulnerabilities and keeping files safe from unwanted changes.

Another software that can be used to protect Macs from malware is Kaspersky Internet Security for Mac. Although it is a paid anti-malware solution, people interested in using it are able to test it with a free trial. The solution has a reputation of not slowing down the systems on which it is installed.


It is widely believed that Mac users earn, on average, more than those who use other devices. This belief incentivizes many people to regard the ownership of a Mac as a status symbol. However, it also motivates criminals to create malware that allows them to illegally benefit from the “wealthy” Mac users.

Tarmac is one such malware. It relies on malvertising (the use of online advertising to spread malware) to propagate itself. Since its command-and-control server is not currently activated, it is not clear what negative consequences the infection with Tarmac would entail. However, the malware certainly has a potential to install file-encrypting ransomware on the infected computers and steal confidential information. This makes it especially dangerous.

Organizations are advised to take measures to avoid an infection with it or, if the malware is already there, eliminate it from their systems as soon as possible as the command and control server can be activated at any time.



  1. New Tarmac Malware Targets MacOS Users, eForensics Magazine
  2. Alert: Mysterious new malware lurking on your Macs, The Spectrum
  3. Hagen, J., “The Contributions of Information Security Culture and Human Relations to the Improvement of Situational Awareness,” Situational Awareness in Computer Network Defense: Principles, Methods and Applications: Principles, Methods and Applications, IGI Global, 2012
  4. Shlayer Trojan attacks one in ten macOS users, Kaspersky
  5. OSX/Shlayer new Shurprise.. unveiling OSX/Tarmac, Taha Karim (Medium)
  6. All about Mac antivirus, Malwarebytes
Posted: March 3, 2020
Daniel Dimov
View Profile

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (, a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.