The closed source FireEye monitor Footnote 3 use a kernel extension which is resistant to anti-analysis techniques, but requires human intervention. Cuckoo sandbox does not support anti-analysis mitigation and human interaction under the macOS environment. For example, the open source Mac-sandbox is vulnerable to anti-analysis techniques such as Dylib name verification. There exist tools which support malware analysis of Windows, Linux or Android applications, while, investigation of macOS malware and development of tools supporting monitoring their behavior is still limited in functionalities or anti-analysis resistance, or both. Footnote 1 In 2016, Mac malware grew 744% with around 460,000 instances detected, says McAfee report and increases 270% between 20 (Table 1). Mac devices saw more malware attacks in 2015 than the past five years combined, according to a cyber-security report from the Bit9 and Carbon Black Threat Research team. In 2014, the first known ransomware appeared, and other ransomware has been discovered as Software-as-a-Service (SaSS), where malware is available as requests.
Contrary to popular belief, the Mac ecosystem is not unaffected by malware.
