Why AMOS matters now
TechRadar highlighted the continued rise of AMOS, also known as Atomic macOS Stealer, as a mainstream Mac threat on May 24, 2026. The practical takeaway is simple: Mac malware no longer depends on obscure exploits. It spreads through fake installers, cracked apps, sponsored-search traps, malicious browser prompts, and social engineering that persuades users to enter a password or approve a profile.
AMOS is dangerous because it targets the things that make a Mac user financially exposed: browser cookies, saved passwords, crypto wallets, autofill data, files, and account sessions. If a thief gets a valid session cookie, changing a password later may not immediately end every active login. That is why the correct response combines cleanup, password rotation, MFA review, and session revocation.
Emergency AMOS cleanup checklist
- Disconnect from suspicious networks and stop using the affected browser for banking until cleanup is complete.
- Remove recently installed apps, profiles, login items, and unknown browser extensions.
- Run a reputable Mac malware scan and a second-opinion scan if credentials or wallets were exposed.
- From a clean device, change passwords for email, Apple ID, banking, password manager, and crypto accounts.
- Revoke active sessions in Google, Microsoft, Apple, social, exchange, and password-manager dashboards.
- Enable phishing-resistant MFA or passkeys where available.
How to choose protection for Mac stealer malware
Prioritize web protection, malicious download blocking, credential-leak alerts, and simple removal over cosmetic “system optimizer” features. A Mac security suite should catch fake update pages, warn on risky installers, and explain permissions in plain English. For households, the best plan is usually a bundle that protects Macs, iPhones, Windows PCs, and browsers together.
Related Omellody guides: Best Antivirus for Mac, Best Malware Removal Tools, Best Password Managers, and Best VPN Services.
Detailed response plan for households and small teams
Start by separating containment from recovery. Containment means stopping the thief from collecting more data. Recovery means rebuilding trust in accounts, devices, and payment methods. Many Mac users make the mistake of changing every password from the same browser that may still be compromised. Use a second clean device, such as an iPhone with updated iOS or another computer that was not used to download the suspicious installer, for account recovery.
For households, write down the order of accounts that matter most. Primary email comes first because it can reset nearly everything else. Apple ID comes next because it controls device location, iCloud Keychain, app purchases, photos, and account recovery. Banking, brokerage, crypto exchange, and tax accounts come before low-value shopping logins. If your browser stored card details, monitor card transactions and consider replacing the card. If you reused passwords, assume every reused account is exposed.
For small teams, treat an AMOS infection like a credential incident rather than a simple malware cleanup. Review GitHub, cloud dashboards, analytics tools, ad accounts, CRM exports, and password-manager sharing logs. Revoke personal access tokens, rotate API keys, and check whether any SSH keys or browser sessions were active on the infected Mac. If the Mac had admin access to production systems, document the timeline and preserve enough logs for review before wiping the device.
What to look for on the Mac
AMOS-style campaigns frequently rely on trust abuse. Users may see a polished landing page, a familiar brand name, a fake video meeting tool, a fake browser update, a cracked creative app, or a sponsored result that looks legitimate. After installation, the attacker may ask for the Mac password under the appearance of a normal helper tool. That password prompt is the moment the campaign becomes dangerous, because it can unlock local data and allow deeper collection.
Check Login Items, LaunchAgents, LaunchDaemons, Profiles, browser extensions, notification permissions, and recently modified applications. Look for unfamiliar names, misspellings of known tools, or apps installed around the time the issue started. Review Downloads and disk images. Delete suspicious installers after preserving a note of the filename and source URL. If you use Chrome profiles for work and personal browsing, inspect both; stealers do not care which profile contains the valuable session.
Browser cleanup matters as much as app cleanup. Remove extensions you do not actively use, reset site notification permissions, clear suspicious search engines, and review saved payment methods. Then force sign-out from major services. Google, Microsoft, Apple, Meta, GitHub, Slack, Discord, Stripe, PayPal, Amazon, and crypto exchanges all provide session or device pages. Use them. A password change without session revocation leaves a gap.
Prevention settings that reduce repeat risk
Keep Gatekeeper enabled, avoid cracked software, and do not install tools from sponsored results unless the domain is verified carefully. Use a password manager that can generate unique passwords and warn about reused credentials. Enable passkeys for accounts that support them. Passkeys reduce the value of stolen passwords and make phishing harder, although they do not replace the need to secure browser sessions.
Use separate browser profiles for high-risk browsing and sensitive work. A profile used for testing unknown tools should not hold banking sessions or admin dashboards. Developers should store secrets in a vault, not in shell history, plain text files, or browser notes. Families should create standard user accounts for children and keep admin credentials separate. If a child installs a fake game mod, the blast radius should not include the parent’s banking browser.
Finally, create a written recovery habit. Know where your password-manager emergency kit is stored, keep backup codes offline, and maintain Time Machine or cloud backups. Backups do not stop infostealers, but they make it easier to wipe and rebuild without panic. The strongest security product is still only one layer. The winning setup combines safer download behavior, browser hygiene, password uniqueness, MFA, and a Mac security tool that blocks the most common traps before they become incidents.
When in doubt, assume the browser is the crime scene. Passwords, cookies, extensions, downloads, and notification permissions all live there, so cleanup should always include browser review rather than only dragging a suspicious app to the Trash.
If the Mac belongs to a business owner, also check ad accounts, affiliate dashboards, analytics, domain registrar, hosting, and email-marketing tools. These accounts are often more valuable to criminals than the laptop itself because they can be used for fraud, malware distribution, or password resets across the rest of the company.
Recommended products
Bitdefender Total Security 9.6/10
Best for: Mac malware, phishing, and low-friction family protection
Price: Often from $39.99 first year
- Excellent web protection
- Light Mac app
- Covers mixed-device households
- VPN limits vary by plan
- Renewal price can jump
Norton 360 Deluxe 9.3/10
Best for: Families that want antivirus, VPN, and identity extras
Price: Often from $49.99 first year
- Broad device coverage
- Useful VPN and dark web alerts
- Strong support ecosystem
- Busy dashboard
- Renewal pricing needs calendar reminder
Intego Mac Internet Security 9.1/10
Best for: Mac-first users who want native-style controls
Price: Often from $19.99 first year
- Built for macOS
- Strong firewall controls
- Good for Mac cleanup workflows
- Less useful for Windows devices
- Fewer identity extras
Malwarebytes Premium 8.8/10
Best for: AMOS cleanup companion and adware removal
Price: Often from $44.99/year
- Simple removal workflow
- Good second opinion scanner
- Low learning curve
- Fewer suite features
- Not the best family bundle
Surfshark One 8.7/10
Best for: Users who want VPN plus lightweight antivirus
Price: Often from $2.49/mo on long plans
- Bundles VPN and AV
- Unlimited devices for VPN
- Good value on long plans
- Antivirus features are simpler
- Best price requires long commitment
Quick comparison
| Product | Score | Best for | Typical price |
|---|---|---|---|
| Bitdefender Total Security | 9.6/10 | Mac malware, phishing, and low-friction family protection | Often from $39.99 first year |
| Norton 360 Deluxe | 9.3/10 | Families that want antivirus, VPN, and identity extras | Often from $49.99 first year |
| Intego Mac Internet Security | 9.1/10 | Mac-first users who want native-style controls | Often from $19.99 first year |
| Malwarebytes Premium | 8.8/10 | AMOS cleanup companion and adware removal | Often from $44.99/year |
| Surfshark One | 8.7/10 | Users who want VPN plus lightweight antivirus | Often from $2.49/mo on long plans |
FAQ
What is AMOS malware on Mac?
AMOS, or Atomic macOS Stealer, is an infostealer that targets passwords, cookies, browser data, crypto wallets, and files on macOS.
Can antivirus remove AMOS?
A good Mac antivirus can detect and remove many AMOS variants, but you still need to rotate passwords and revoke active sessions from a clean device.
How does AMOS infect Macs?
Common paths include fake installers, cracked apps, malicious ads, fake browser updates, and social engineering that tricks users into granting permissions.
Should I reset my Mac after AMOS?
If banking, crypto, or primary email credentials were exposed, a clean reinstall is worth considering after backups are checked for suspicious installers.
What should I change first after a stealer infection?
Start with email, Apple ID, password manager, banking, and crypto accounts because those can be used to reset other logins.