Skip to content

Protect MacOS Against Keyloggers & Ransomware

While MacOS computers have been spared from some of the most famous malware attacks, there is no shortage of malicious programs written for them. Keep your computer safe from some of the most common types of malware with two free tools.

Table of Contents

Malware for macOS

There are many ways a keylogger or malware can end up on your MacOS system. It can happen from an infected file, a hacker with a USB Rubber Ducky, or, more likely, a jealous spouse or overprotective family member trying to monitor your actions. Ensuring your communications aren’t being intercepted by someone is a concern for anyone who values their privacy, but how much malware is really out there for MacOS?

Patrick Wardle, an ex-NSA hacker who creates MacOS security tools, studies malware written for Apple devices. On his website, Patrick hosts live samples of MacOS malware for researchers to study, and the variety of malware discovered in the wild is shocking. A simple search for keyloggers finds five separate kinds of keylogger malware for MacOS devices.

Mac Malware

That presents a challenge: how do we defend against all of these different kinds of malware if even keyloggers come in five different flavors? Wardle’s answer is to search for the behavior of malicious programs like keyloggers rather than just searching for programs themselves.

For example, a keylogger taps into the stream of events from our keyboard, allowing an attacker to intercept every key the victim types. Seeing each key typed will enable them to learn account passwords, intercept communications, and more. But, to truly be effective, these programs must run as soon as we login to our computer. Meaning malicious programs will usually be installed persistently so that the victim doesn’t need to open the malicious file more than once.

ReiKey & KnockKnock Can Detect New Types of Malware

First, ReiKey allows us to search for one of the most essential characteristics of a keylogger: programs that have tapped into our keyboard stream. Looking for keyboard stream access will alert us to any keyloggers installed on our system, not just those recognized by an antivirus.

Additionally, because a keylogger will also be installed persistently, we can discover it with another free tool called KnockKnock. When you run KnockKock, it breaks down persistently installed programs into easy to understand categories. These will include types of programs that malware will typically take advantage of to run persistently: browser extensions, launch items, kernel extensions, and plugins.


After scanning your system, KnockKnock will identify each persistently installed item and check to see if it’s been flagged in VirusTotal.


If a malicious program is lurking on your system, you’ll identify it by clicking on the “Info” icon to dig further into the details. If you’ve discovered files that are flagged by VirusTotal and look suspicious, this is a strong indication that your system is compromised by malware, adware, or other malicious and unwanted programs.

What You’ll Need

To use KnockKnock and ReiKey, you’ll need an up-to-date MacOS system to install it on. You’ll also need an internet connection and browser to download the installer programs.

Step 1: Download Tools from

First, navigate to the product page for ReiKey on, and locate the download link under the ReiKey icon on the top left of the page.


Download the installer and unzip. Double click on the “ReiKey” file to launch the installer program.

Step 2: Install ReiKey

When the installer opens, simply click the “Install” button to install ReiKey on your MacOS system.

ReiKey v1.4.1

As soon as the installation is complete, you can click “next” to close out of the installer. You should now have a ReiKey icon in your task bar, allowing you to access the app’s preferences.

Install finished

Click the ReiKey icon in the task bar, and then click the “Preferences” option. There you can access the configuration options, allowing you to set whether to run the program at login, run with an icon in the status bar, and whether to ignore Apple’s programs when scanning.

General options

When I ran a Python keylogger, I got the following alert on my device.

Keylogger detected

Step 3: Scan for Keyloggers

Now that ReiKey is installed and configured let’s run a scan.

Click the ReiKey icon in the status bar again, and this time click the “Scan” option. A window will pop up with the scan results, showing if any programs are tapping into our keyboard.

Scan results

Here, we can see a negative result. If you see something here, it means some program is listening in on your every keystroke.

Step 4: Install KnockKnock

Next, we’ll install KnockKnock to look for persistent malware. To do this, navigate to the page for KnockKnock. Locate the download icon for the app on the top left.

Once KnockKnock is downloaded, you can run it directly without needing to run an installer.

Step 5: Scan Your MacOS System

Run the “” file you downloaded, and the following window should open. To begin, click the arrow icon to initiate a scan. The scanning process will require you to grant the app permissions to access various folders and programs if you’re running the latest version of MacOS, Catalina.

After scanning the files in your system, a list of persistently installed programs will appear. Many things might be installed persistently that aren’t malicious, so check each result to see if you recognize the program. If you have, for example, browser extensions you don’t use or recognize, it might be a good idea to remove them.

We can also identify programs with suspicious qualities. Here, we see that a persistently installed script is unsigned, as revealed by the unlocked icon.

If we want to take a closer look at this, we can click the “Info” icon to reveal more details.

Step 6: Check Suspicious Persistent Items

If we want to take a closer look at a file, we can do so by clicking the VirusTotal score. The score will reveal the detection ratio and a link to the report. If we want to submit the file again, click “rescan” to send it to VirusTotal again.

Resending will give you access to a detailed report. Here, we see the detection report for the previously flagged unsigned “Tor” program we found.

Clean file

It looks like this file isn’t malicious, but if it were, this is exactly how we would discover and test it.

Keyloggers & Persistent Malware Can Be a Serious Problem

The average MacOS user may struggle to identify malware on their computer. Thanks to ReiKey and KnockKnock, badly-behaving software can be detected as soon as it is installed. If you’re worried about a partner installing a keylogger, an employer bugging your computer, or unwanted adware hanging around and consuming memory, these tools make it easy to keep your MacOS system free from spyware and persistent malware.

I hope you enjoyed this guide for detecting malware on your MacOS computer with ReiKey and KnockKnock!
You might be interested in reading these too: