Malware on your Mac? Don’t expect AppleCare to help you remove it

ZDNet writer Ed Bott has today published a fascinating conversation with an AppleCare support rep on the subject of Mac malware.

For reasons which will become obvious when you read the interview, the Apple support rep has chosen to remain anonymous. Chances are that if he hadn’t kept his identity secret, he would be thrown out of the company pretty quickly.

According to Bott’s source at Apple, AppleCare’s call volume is “4-5 times higher than normal” and the overwhelming majority of calls come from Apple customers who have been hit by the current spate of fake anti-virus attacks on the Mac OS X platform.



The Mac Defender fake anti-virus attack, and its variously named variants, are becoming a common problem, it seems:

It started with one call a day two weeks ago, now it’s every other call. It’s getting worse. And quick.

Perhaps most astonishingly, the interview reveals that Apple’s official policy is that representatives are “not supposed to help customers remove malware from their computer.”

The reason for the rule, they say, is that even though Mac Defender is easy to remove, we can't set the expectation to customers that we will be able to remove all malware in the future. That's what antivirus is for.

Although the support rep does admit that he often ignores corporate policy and helps customers remove infections, he does acknowledge that this could get him into trouble if it comes to the attention of higher management.

But I can sympathise with the support rep, as it’s hard to justify refusing to help a user with an infected Mac when the malware is using scare tactics and unsavoury pop-up windows to hoodwink them into handing over their credit card details for a “fix”.

As the AppleCare support rep describes:

Well, I’m sure you’re aware of what Mac Defender pops up on your screen if you don’t buy it. Last call I got before the weekend was a mother screaming at her kids to get out of the room because she didn’t want them seeing the images. So, panicking, yes, I’d say that would be the situation usually. I had a teacher call about Mac Defender last week.

Typical website displayed to users who refuse to pay after the fake anti-virus attack

You can read the full interview on the ZDNet website.

Here’s a video where we caught one of the fake anti-virus attacks in action:

Video: http://www.youtube.com/watch?v=9Xna558F_m8

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like.)

Sophos detects the latest Mac malware as OSX/FakeAV-DOE, and as we continue to encounter more waves of this attack we will enhance our protection.

If you’re not a Sophos customer, but have a Mac at home, you can still protect your Mac right now. Download our free Mac anti-virus. It’s automatically updated to protect against the latest threats.



Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
