Naked Security

Google VirusTotal – now with autoanalysis of OS X malware

Google just announced that its virus classification and auto-analysis service, VirusTotal, is now officially interested in OS X malware.

Back in April 2015, at the RSA conference, Google did a strange thing.

The makers of Android as good as denied the existence of Android malware by re-defining it into a category called PHAs, or Potentially Harmful Applications.

In any case, said Google, PHAs were hardly worth worrying about because “less than 1% of devices have a PHA installed.” [Shouldn’t that be “fewer”? Ed.]

Of course, 1% of more than 1 billion devices still adds up to more than 10,000,000 PHA-infected Androids in the wild at any time.

And with PHAs lumped into subcategories including spyware, backdoor, call_fraud, sms_fraud, phishing, DDoS and ransomware, it certainly sounds as though most of us would be happy with the word malware as shorthand for Potentially Harmful Application. (Ironically, Google even lists generic_malware as a named subcategory of PHAs.)

In fact, Google probably agrees with us, because its own online malware processing service, VirusTotal, will accept Android malware samples.

VirusTotal attempts to analyse and classify malware automatically by scanning incoming samples with a battery of security products, which helps to match up which products use what names.

The service also runs certain sample types in a controlled research environment often called a sandbox.

If a suspicious new file is spotted that isn’t yet known to the security research community, samples of the file can quickly be distributed to those with a need to know.

Malware sandboxing isn’t for the faint-hearted. Don’t be tempted to get started in anti-virus research simply by grabbing some malware samples and running them in a virtual machine (VM) on a spare computer at home to see what happens. If you aren’t careful, the malware could end up attacking other people’s networks. For example, if you deliberately run spam zombie malware in a VM to monitor what it does, you don’t want any of its spam to escape and reach innocent users. If that happens, you become part of the problem, not the solution!

Loosely speaking, the malware types that VirusTotal itself knows how to analyse are those most likely to be encountered in real life, and fretted about, by users around the world.

Automatic processing of Windows programs (known in the trade as PE files, short for Portable Executable format, even though they’re Windows-specific) was added to VirusTotal in 2012, and of Android programs in 2013.

And now – don’t shoot the messenger – Google has added OS X apps to VirusTotal’s capabilities.

You can upload:

  • DMGs. (Mac disk images, commonly used for distributing Mac apps.)
  • Mach-O files. (Mach-O is the OS X equivalent of a PE file – the native executable binary format.)
  • A zipped-up Mac app. (Most officially-installed Mac apps exist as a self-contained directory tree stored in /Applications.)

We’ll be quite frank, and say that your risk of malware infection on OS X is very much lower than on a Windows or Linux computer.

Infected Linux servers are depressingly common these days, and the main motivation that crooks have for infecting them is to pass malware on in bulk to Windows users.


Malware on Linux – When Penguins Attack


So, with Windows and Linux locked in an unhealthy “cybercrime symbiosis,” it’s easy to assume that the risk of OS X malware, or of Mac-specific phishing, or any other Apple-directed cybercriminality, is low enough to be written off as zero.

We think that’s a dangerous assumption, and we’re not just saying that because we have Mac threat protection software to sell you.

(Actually, for home use, Sophos Anti-Virus for Mac is 100% free, but that’s still not why we’re saying that Mac malware is worth taking seriously.)

It’s the other way around: we think Mac malware is worth taking seriously, and that’s why we have Sophos Anti-Virus for Mac.

But don’t ask us if there really is Mac malware out there…ask Google :-)


I’ve been using VirusTotal for years… But how did I not realize it was run by Google?!


Your use of the interrobang [qv] (?!) suggests that’s a rhetorical question.

According to the website, “VirusTotal is developed and maintained by a team of devoted engineers that act with complete independence of any ICT security game player.” (ICT is the Public Service acronym for what everyone else calls IT.) If you are a wholly-owned subsidiary, you can’t be *completely* independent of your owner – I suspect the SEC would have a problem in such a case…so perhaps this statement is saying, “Google is entirely disconnected from IT security”?!

(You can read my interrobang as a sort of quizzical smiley :-)


Here’s the blog post from VirusTotal when they were acquired by Google (back in 2012):


Great podcast! Another thing to mention, when you’re talking about servers, would be a good Web Application Firewall. We use mod_security on Apache, with automatic rule updates from Atomic. This is on Plesk running on Ubuntu.


Thanks for your kind words.

As for the product advice, you may be asking the wrong person…I’d recommend the web application firewall in one of the Sophos secure gateway products :-)


You should go back and read all of the Android security document. Your calculated 10,000,000 figure assumes that every device installs software from sources other than Google Play. Most of the 1 billion devices are configured to disallow download from sources other than Google Play.


All I can find is that PHAs are “below 0.15% for Google Play users,” to compare with 1% overall. I couldn’t find any evidence to support your assertion that “most of the 1 billion devices” are set to allow apps from Google Play only. Anecdotal evidence from my part of the world, where Android seems to be the market leader by a country mile, is that most devices are set to allow apps from anywhere. I suspect there are other places where that’s true too, including some of Android’s biggest markets.

From that 0.15% figure I reckon you have to accept 1,500,000 infected devices at any moment as an absolute minimum…but likely a lot more.

How about “up to 10,000,000” :-)


“Less than 1%” is correct. There is only one percentage mentioned. Fewer than 2 percentages were mentioned in the sentence.


“Less than 1% of X” is a plural count (unless X is 100 :-) because “1% of X” is short for “X multiplied by 0.01”.

