How to detect and remove UpdateAgent malware on Mac

Gone are the days when people were complacent with their Mac’s security. People used to claim that Macs were safe since there were no malware or viruses that could penetrate it. However, things change and technology evolves — that makes Macs susceptible to threats. One sophisticated threat that is now emerging is a Trojan named UpdateAgent.

What is UpdateAgent?

UpdateAgent is a basic malware that first appeared in September 2020 and has been tracked by Microsoft. The original purpose of the malware is to steal information. But this malware has other tricks up its sleeve. As it evolves, UpdateAgent will have the capability to distribute payloads such as adware.

UpdateAgent can impersonate legitimate software and take advantage of Mac functionalities. It also has the power to bypass Apple’s Gatekeeper, which was created to ensure only trusted apps can be used and on Mac devices. This malware can also use existing permissions to get rid of evidence that it would otherwise leave.

Timeline of UpdateAgent

2020: September – December

First appearance of the malware. Its capabilities and powers rely on acquiring basic information. It can only collect certain system information details such as product names and versions.

2021: January – February

The UpdateAgent has developed secondary powers. It now has the capability to use payloads like .dmg files.


The malware has reached its third form. Instead of using payloads like .dmg, it now uses .zip files. It has also learned a new trick where it can bypass Gatekeeper by getting rid of a downloaded file’s “quarantine attribute”. It has also acquired the means with which to create a PLIST file that is added to the LaunchAgent folder.


UpdateAgent further evolves and obtains more capabilities. It can now scan and collect SPHarwaretype and System_profile information.


Another power-up has been achieved by the malware. It can now validate whether a downloaded app is within the database of “Quarantine Events”. It also has the function to use existing user profiles to run commands requiring Sudo access and the ability to modify Sudo list.

How does the UpdateAgent work?

  1. Arrives posing as legitimate software, distributed via drive-by-compromise techniques
  2. Performs recon and collects system information
  3. Leverages existing user privileges to create folders and add permissions
  4. Downloads Adload adware from public cloud infrastructures
  5. Gatekeeper is bypassed by removing quarantine attributes of downloaded files
  6. Modifies and adds PLIST files using PLisBuddy
  7. Adds the modified PLIST to created LaunchAgents and LaunchDaemon folders
  8. Sends collected information
  9. Covers its tracks, getting rid of all traces on the device

How to detect UpdateAgent on Mac?

Look for signs of adware infection:

  • Ads appears in strange places on webpages
  • Frequently visited sites display differently/incorrectly
  • Web search results direct you to sites that you don’t want to visit
  • There’s a sudden change in your web browser startup page

Run a full scan:

Have a mac-focused antivirus or anti-malware tool on your device. Trend Micro has Device Security Pro that offers live antivirus monitoring to protect your Mac from adware, ransomware, spyware and all kinds of malware attacks.

How to avoid UpdateAgent on Mac?

  • Avoid suspicious sites
    Stay away from forums and sites that deal in illegal content and pirated software. If a site asks you to download or install an update for Adobe Flash, it is best avoided.
  • Download from reputable sources
    Only download apps from the App store to ensure that the app is verified. Alternatively, be sure to download directly from the official site of the app developer.
  • Don’t use pirated software
    Never download pirated software or “cracks”, which are not safe. Look for reputable open-source software that is an alternative for the paid version that you wish to have.
  • Update your Mac
    Ensure that you frequently install updates on your Mac device. This will ensure that any possible vulnerabilities will be patched. Stay ahead of the curve!
  • Think before you click
    Make sure to carefully read any text regarding the installing of apps and products. If your Mac provides a warning, listen to it.
Share on social media:

Leave a Reply

Your email address will not be published. Required fields are marked *