Introduction
The “Macs don’t get viruses” belief is one of the most dangerous myths in consumer tech. It was never entirely true, and in 2025, it’s dangerously outdated. According to Jamf’s Security 360 Annual Trends Report, trojans now account for 50% of all malware affecting Macs — up over 33% since 2024 — and 44% of devices using Jamf had malicious network traffic detected.
Infostealers, which quietly steal passwords, browser cookies, and cryptocurrency wallet data, have become a serious and growing threat for everyday Mac owners, with one variant alone accounting for 70% of known infostealer detections on Mac by the end of 2024.
Knowing how to check for malware on Mac is no longer optional knowledge — it’s basic digital hygiene. This guide walks through the warning signs, the built-in macOS tools, the manual inspection steps, and the trusted third-party options that actually help.
Warning Signs Your Mac May Already Be Infected

Before running any scan or check, knowing what to look for saves time and guides the investigation in the right direction. Most malware is designed to stay quiet, but it always leaves some trace.
Watch for these indicators:
- Unexplained slowdowns: A Mac that suddenly struggles with tasks it handled easily before may have a process running in the background, consuming CPU or memory.
- Browser behavior changes: Search engines switching on their own, unexpected redirects, homepages that changed without your input, or a flood of pop-up ads are classic early signs of adware or a browser hijacker.
- Applications you didn’t install: Malware frequently installs itself with generic names so it doesn’t stand out. Check your Applications or Login Items for any programs that sound strange or aren’t recognized.
- Unusual network activity: A Mac that constantly sends or receives data while idle may be communicating with an external server. This pattern is common in spyware, infostealers, and remote access trojans.
- Security settings that changed on their own: If firewall settings, privacy permissions, or system preferences are modified without your action, malware may be attempting to weaken built-in protections to maintain access.
- Accounts sending strange messages: If contacts report receiving odd emails or social messages from you, an infostealer may have stolen session cookies and be impersonating you from another device.
Any one of these signs warrants a check. Multiple signs together should be treated as urgent.
How to Check for Malware on Mac Using Built-In Tools
macOS ships with several tools that, used together, give a solid picture of what’s actually running on your system. None of them are labeled “malware scanners,” but that’s exactly what you’re using them for when you investigate suspicious behavior.
Step 1: Check Activity Monitor for Suspicious Processes
Activity Monitor is found at Applications > Utilities > Activity Monitor, or you can launch it instantly by opening Spotlight (Command + Space) and typing “Activity Monitor.”
Once open, follow this sequence:
- Click the CPU tab and click % CPU to sort processes by their processor usage, highest first.
- Scan down the list looking for processes consuming high resources without a clear purpose. Known legitimate macOS processes — kernel_task, WindowServer, Finder, coreaudiod — should be familiar. Unknown names warrant investigation.
- Click the Memory tab and do the same sort, looking for processes with unusual or generic names claiming large amounts of RAM.
- If you find something potentially malicious, select it, click the X button to quit it, then search its name in Finder to locate and delete any corresponding files. Empty the Trash afterward.
One important caution: don’t quit processes you can’t identify without first searching the name online. Quitting a critical system process by mistake can cause instability. Google the process name before acting.
Step 2: Review Login Items
Most consumer-grade macOS malware persists via login items or background launch mechanisms — meaning it relaunches itself every time you start your Mac. Checking this list is one of the highest-value manual checks you can run.
Go to System Settings > General > Login Items. Review the listed entries and remove any apps you didn’t install yourself. Malware often uses Login Items to relaunch itself, so removing unauthorized entries directly disrupts persistence.
Be aware of one limitation: many login items, such as LaunchDaemons and LaunchAgents, won’t appear in this system list, so you may need to go further to find them. Advanced users can check these locations manually in Finder:
- ~/Library/LaunchAgents
- /Library/LaunchAgents
- /Library/LaunchDaemons
Any .plist file in these folders that references an unknown executable is worth investigating.
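One way to run this check across all three folders at once, as an added example that is not part of the original guide: the script reads each .plist (XML or binary), shows which executable it launches, and marks entries worth a closer look. It assumes python3 is installed (macOS provides it with the Xcode Command Line Tools); the risky-folder list and the flag wording are this example's own choices, not Apple's.

```python
import plistlib
from pathlib import Path

# The three folders named above; "~" is expanded for the current user.
LAUNCH_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]
# Assumption: folders a legitimate launch item rarely runs from.
RISKY_PARTS = ("/tmp/", "/var/tmp/", "/Users/Shared/", "/Downloads/")
SHELLS = {"sh", "bash", "zsh"}

def review_plist(path):
    """Parse one launchd .plist and list the reasons it deserves a closer look."""
    entry = {"plist": str(path), "label": None, "target": "", "flags": []}
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)
        if not isinstance(job, dict):
            raise ValueError("top level is not a dictionary")
    except Exception as exc:  # corrupt, truncated or unreadable file
        entry["flags"].append(f"unreadable: {type(exc).__name__}")
        return entry
    args = [str(a) for a in job.get("ProgramArguments") or []]
    # launchd runs "Program" if present, otherwise the first ProgramArguments item.
    target = str(job.get("Program") or (args[0] if args else ""))
    entry.update(label=job.get("Label"), target=target)
    if not target:
        entry["flags"].append("no executable named")
        return entry
    if not target.startswith("/"):
        entry["flags"].append("not an absolute path")
    elif not Path(target).exists():
        entry["flags"].append("executable missing")
    if any(part.startswith(".") for part in Path(target).parts):
        entry["flags"].append("hidden file or folder in path")
    if any(risky in target for risky in RISKY_PARTS):
        entry["flags"].append("runs from a temporary or shared folder")
    if Path(target).name in SHELLS and "-c" in args:
        entry["flags"].append("inline shell command")
    return entry

def audit(dirs=LAUNCH_DIRS):
    """Review every .plist found in the given folders."""
    found = []
    for d in dirs:
        folder = Path(d).expanduser()
        if folder.is_dir():
            found += [review_plist(p) for p in sorted(folder.glob("*.plist"))]
    return found

if __name__ == "__main__":
    for e in audit():
        print("CHECK" if e["flags"] else "ok   ", e["plist"], "->", e["target"], "; ".join(e["flags"]))
```

A flag is a prompt to look up the item, not proof of infection: some legitimate software also launches helpers through a shell or leaves a stale .plist behind after being uninstalled.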
Step 3: Audit Full Disk Access Permissions
Full Disk Access is a macOS feature that lists all applications with unrestricted access to your system. Threat actors that create harmful trojans, spyware, and keyloggers ultimately aim to gain access to this area — it essentially gives them administrator-level control.
Open System Settings > Privacy & Security > Full Disk Access. Any app listed there that you don’t recognize, didn’t deliberately grant access to, or can’t account for should be removed immediately and investigated.
Step 4: Verify XProtect Is Active and Updated
XProtect is Apple’s built-in malware signature database. It runs automatically in the background and checks apps against known malware definitions whenever they launch. Most users don’t realize it exists because it operates silently.
To confirm XProtect is receiving updates: go to System Settings > General > Software Update, click the information icon next to Automatic Updates, and make sure “Install Security Responses and system files” is activated.
XProtect is effective against known malware families but has real limitations. It cannot detect zero-day threats or recently developed strains that haven’t been added to Apple’s definitions yet. It’s a necessary layer, not a complete solution.
Step 5: Check Your Downloads Folder
Any file downloaded from an unknown or untrusted source can potentially contain malware. If a pop-up ever appeared on a website and automatically downloaded a file without your permission, go to the Downloads folder and delete anything you didn’t download yourself. Empty the Trash afterward.
Trojanized installers — legitimate-looking apps that deliver malware on the side — are one of the most common infection vectors on Mac. Primary delivery methods for macOS malware include malicious ads, fake download sites, and trojanized DMG and PKG files.
How to Check for Malware on Mac Using Third-Party Scanners

Built-in tools catch a lot, but they don’t catch everything. Sophisticated malware is specifically designed to evade manual inspection. Reputable Mac-focused malware scanners add value by detecting threats that manual inspection misses. Independent reviews consistently highlight Malwarebytes, Bitdefender, Intego, and Avast for macOS due to their detection accuracy and update cadence.
Malwarebytes for Mac
Malwarebytes offers a free on-demand scanner that doesn’t require a subscription for a one-time check. It focuses on the most active threat families on Mac, including infostealers like AMOS, browser hijackers, and adware. The interface is straightforward: download, install, run scan, review results. The paid version adds real-time protection that blocks threats before they execute.
Intego VirusBarrier
Intego is one of the oldest and most Mac-specific security vendors in existence. Their scanner focuses exclusively on Apple platforms, which means their threat definitions are kept specifically current for macOS malware families rather than being adapted from a Windows-focused product.
Bitdefender Virus Scanner for Mac
Bitdefender’s free scanner on the Mac App Store is a legitimate option for users who want a second opinion. It’s lightweight, runs without requiring deep system access, and is effective at catching known adware and PUPs (potentially unwanted programs) that clutter systems.
What to Avoid
One thing you shouldn’t do if you think your Mac is infected is Google a description of the problem and install the first result that claims to fix things. A lot of software that claims to repair Macs is actually malware itself, or fake software designed to extract payment.
These apps can look convincing and professional. Stick to tools available through the official Mac App Store or the developer’s official website, with verified reviews.
Running a Malware Check on Mac in Safe Mode

If you have a strong reason to believe your Mac is actively infected, and normal investigation isn’t giving clear results, Safe Mode is the next step.
Safe Mode prevents malware from launching automatically during startup. In Safe Mode, you can check the Activity Monitor, clear Login Items, manually review and remove system files, and run antivirus software. After cleaning up, restart normally to see if the issues persist.
For Apple Silicon Macs (M1, M2, M3, M4):
- Shut down your Mac completely
- Press and hold the power button until you see “Loading startup options.”
- Select your startup disk, hold Shift, and click “Continue in Safe Mode.”
- Log in with your normal credentials
For Intel Macs:
- Restart your Mac
- Immediately press and hold Shift
- Release Shift when the login screen appears
- Log in — you’ll see “Safe Boot” displayed
Once in Safe Mode, run your preferred scanner, check Activity Monitor, review Login Items, and delete anything suspicious. The advantage is that most malware cannot auto-launch in Safe Mode, giving you a cleaner environment to work from.
Checking Your Browser for Malware Traces
Browser-based infections are among the most common Mac threats, and the standard system checks don’t always surface them. A dedicated browser audit is worth running separately.
Safari
Open Safari, go to Settings > Extensions. Review every extension listed. Any extension you don’t recognize, didn’t install, or can’t explain should be removed immediately. Removing unwanted browser extensions is a key step when looking to remove malware from Safari on Mac. Select any suspicious add-on and click Uninstall.
Also check Settings > General and look at your homepage and new tab settings. Malware frequently changes these to redirect traffic.
Chrome and Firefox
The process is similar across browsers. Open the browser, navigate to the extensions or add-ons menu, and remove anything unfamiliar. In Chrome, also check Settings > Search engine to verify your default search hasn’t been changed without your knowledge.
Pros and Cons of Different Checking Methods
Manual built-in tools
- Free, no installation required, gives direct visibility into running processes
- Requires knowledge to interpret results; misses encrypted or deeply hidden malware
Free third-party scanners (Malwarebytes free, Bitdefender free)
- Easy to use, detect known threat families accurately
- On-demand only; no real-time protection unless you upgrade
Paid antivirus subscriptions (Malwarebytes Premium, Intego)
- Real-time protection blocks threats before execution
- Ongoing cost; some products are heavier on system resources
Safe Mode scanning
- Most effective environment for detecting persistent malware
- Inconvenient for routine checks; better used when infection is suspected
How to Prevent Future Infections
Checking for malware matters, but prevention reduces the frequency of those checks significantly.
- Keep macOS updated: Apple releases XProtect definition updates silently through software updates. A system running the latest macOS gets these automatically.
- Download software only from the Mac App Store or official developer websites: Many Mac attacks don’t exploit flaws in the system — they result from users disabling built-in safeguards or being deceived into installing malicious software.
- Never disable Gatekeeper to install unsigned software unless you are certain of the source: That warning dialog exists for a reason.
- Be skeptical of ads promoting software downloads: Atomic macOS Stealer (AMOS) spread via poisoned Google Ads in 2024 — malicious ads targeting Mac users specifically. If a search result or ad is promoting a download, go directly to the developer’s official website instead.
- Use a password manager: Infostealers target saved browser credentials. A dedicated password manager keeps those credentials out of the browser’s storage and in a place where they’re hardest to steal.
The Verdict
Learning how to check for malware on Mac is a skill worth having, and one that doesn’t require expensive software or deep technical expertise. The built-in tools — Activity Monitor, Login Items, Full Disk Access, and XProtect — form a solid first line of investigation that catches a significant portion of what’s out there. Pairing those with a periodic scan from a reputable third-party tool like Malwarebytes closes most remaining gaps.
The threat landscape for Mac users is more active than it’s ever been, driven by infostealers that operate quietly and profitably, trojanized installers disguised as legitimate apps, and malware-as-a-service platforms that lower the technical bar for attackers. None of that should cause panic, but all of it should put the old “Macs are safe” assumption permanently to rest. A Mac that gets checked regularly, updated consistently, and used with a reasonable degree of download caution is a Mac that stays clean.