
How to Check Your Mac for Spyware in 2026

Hassanain

Spyware isn't just a Windows problem anymore. It hasn't been for years, honestly, but 2026 is the year you really can't ignore it on Mac.

The landscape has shifted. We're not just talking about adware that redirects your browser searches. Commercial stalkerware — the kind someone installs to track a partner or employee — has gotten genuinely sophisticated on macOS. And state-level spyware like Pegasus has been documented targeting Mac users since at least 2023. The old "Macs don't get viruses" line was always misleading. Now it's dangerous.

Here's how to actually check if your Mac has spyware on it, using real tools and real file paths. No vague advice.

First: Understand What You're Looking For

Spyware on a Mac isn't one thing. It falls into a few distinct categories, and they behave differently.

Commercial stalkerware — apps like mSpy, FlexiSpy, or Spyrix — are designed to be installed by someone with physical access to your machine. They log keystrokes, capture screenshots, record audio, and send everything to a remote dashboard. They're marketed for "parental monitoring" but frequently used for domestic surveillance.

Nation-state spyware like NSO Group's Pegasus or Intellexa's Predator operates at a completely different level. These exploit zero-day vulnerabilities, can be deployed without any physical access (zero-click), and are designed to evade detection by security researchers, let alone regular users. If a government is targeting you specifically, the advice in this post won't be enough. But it's still worth checking.

Rogue MDM profiles are an underrated vector. A malicious or overly invasive Mobile Device Management profile can give someone remote control over your Mac — installing apps, monitoring activity, restricting features — all silently. You might have one from an old employer and not even know it.

Check for Configuration Profiles

This is the first thing I check on any Mac I'm investigating. It takes 30 seconds.

Go to System Settings > General > Device Management (on Sequoia) or System Settings > Privacy & Security > Profiles (on Sonoma and earlier). If you don't see either of these menu items, that's actually good — it means no profiles are installed.

If you do see profiles listed, read them carefully. A profile from your current employer's IT department is expected. A profile you don't recognize, or one from a company you left two years ago, is a problem.

From Terminal, you can also check:

sudo profiles show -type enrollment

This tells you if your Mac is enrolled in any MDM system. If you see enrollment details and you're not using a company-managed Mac, that's a red flag. Someone may have enrolled your machine to monitor it remotely.

To list all installed profiles:

sudo profiles list

Remove a suspicious profile with:

sudo profiles remove -identifier com.suspicious.profile.id

Replace that identifier with the actual one from the list output. Be careful here — don't remove profiles from your employer if you're on a work machine. That'll set off alarms on their end.

Inspect Launch Agents and Launch Daemons

I've personally seen Macs that were "clean" according to traditional antivirus but had three sketchy LaunchAgents running in the background. Signature-based scanning just misses stuff.

LaunchAgents and LaunchDaemons are plist files that tell macOS to run programs automatically — either at login (agents) or at boot (daemons). Spyware almost always uses one of these for persistence. Without them, the spyware would stop running after a restart.

Check these four directories:

ls -la ~/Library/LaunchAgents/
ls -la /Library/LaunchAgents/
ls -la /Library/LaunchDaemons/
ls -la /System/Library/LaunchDaemons/

The first three are where third-party software (including malware) installs persistence mechanisms. The last one is Apple's own — you generally shouldn't see anything unusual there unless SIP has been disabled.

For each plist file you don't recognize, open it and look at the ProgramArguments key:

cat ~/Library/LaunchAgents/com.suspicious.plist

You're looking for what binary it runs and where that binary lives. Legitimate software points to executables in /Applications/ or /Library/. Spyware often runs from hidden directories like ~/.hidden/, /var/tmp/, or somewhere buried in ~/Library/Application Support/ with a nondescript name.

Here's the thing though — some legitimate software has weirdly named LaunchAgents too. Spotify's updater, various VPN clients, even some printer drivers create LaunchAgents with names that look suspicious if you don't know what they are. Don't delete something just because the name is unfamiliar. Google the identifier first.
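To run the four directory listings and the per-plist inspection above as one pass, here is an added example script (mine, not code from the post or from CoreLock) that reads each plist's Program or ProgramArguments key with PlistBuddy, rates the executable's location with the path heuristics described above, and verifies its signature with codesign. The function names are my own, and the audit portion assumes it is run on macOS.

```shell
#!/bin/bash
# Walk the three third-party launch item directories, read the executable each
# plist starts, and rate its location with the path heuristics from this post.
# Function and variable names here are the example's own, not CoreLock's.

# Portable classifier: hidden or temp directories are suspicious, the standard
# install locations are expected, anything else gets a manual review.
classify_program_path() {
  case "$1" in
    */.*|/tmp/*|/private/tmp/*|/var/tmp/*|/private/var/tmp/*) echo "suspicious" ;;
    /Applications/*|/Library/*|/System/*|/usr/*|/bin/*|/sbin/*) echo "expected" ;;
    *) echo "review" ;;  # e.g. ~/Library/Application Support/..., or a bare name found via PATH
  esac
}

# Executable a launchd plist runs: the Program key if present, else ProgramArguments[0].
# macOS only (PlistBuddy ships with the OS and reads XML and binary plists).
plist_program() {
  local pb=/usr/libexec/PlistBuddy
  "$pb" -c 'Print :Program' "$1" 2>/dev/null ||
    "$pb" -c 'Print :ProgramArguments:0' "$1" 2>/dev/null
}

# Print "<verdict> <plist> -> <executable>" for every launch item, and add an
# UNSIGNED line when codesign cannot validate the binary (the check a casual
# glance at Activity Monitor skips).
audit_launch_items() {
  local dir plist bin verdict
  for dir in "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons; do
    [ -d "$dir" ] || continue
    for plist in "$dir"/*.plist; do
      [ -e "$plist" ] || continue
      bin=$(plist_program "$plist")
      verdict=$(classify_program_path "$bin")
      printf '%-10s %s -> %s\n' "$verdict" "$plist" "${bin:-<no Program key>}"
      if [ -n "$bin" ] && [ -x "$bin" ] && ! codesign --verify --strict "$bin" 2>/dev/null; then
        printf '%-10s %s\n' "UNSIGNED" "$bin"
      fi
    done
  done
}

# The audit itself needs macOS tools, so run it only there (use sudo to read
# daemon plists that are not world-readable). The classifier works anywhere.
if [ "$(uname)" = "Darwin" ]; then
  audit_launch_items
fi
```

A "review" or "UNSIGNED" line is a prompt to look the identifier up, not a verdict: as the post notes, some legitimate updaters and drivers live in odd places too.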

Check for Suspicious Kernel Extensions and System Extensions

On macOS Sequoia and Sonoma, most third-party kernel extensions (kexts) have been deprecated in favor of system extensions. But older spyware might still use kexts on machines running Ventura or earlier.

kextstat | grep -v com.apple

This lists every loaded kernel extension that isn't from Apple. On a modern Mac, this list should be short — maybe a virtualization tool like Parallels or a security product. If you see entries you can't identify, investigate them.

For system extensions (the modern replacement):

systemextensionsctl list

Again, look for entries from developers you don't recognize. Legitimate system extensions come from security software, VPN clients, and virtualization tools. Not much else.

Review Privacy Permissions Carefully

Spyware needs permissions to do its job. It needs screen recording access to take screenshots. It needs accessibility access to log keystrokes. It needs microphone or camera access to record you. And it needs full disk access to read your files.

Go to System Settings > Privacy & Security and check each of these categories:

  • Screen Recording: Which apps can see your screen? Every app listed here can capture everything you see, including passwords.
  • Accessibility: This gives an app the ability to control your Mac and read screen contents. Stalkerware relies on this heavily.
  • Full Disk Access: Complete access to your files, including Mail, Messages, and Safari data.
  • Input Monitoring: Keystroke logging. If something you don't recognize is here, take it seriously.

Honestly, in my experience, the permissions pane is one of the most revealing places to check. Spyware can hide its processes and its files, but it can't function without these permissions — and macOS records which apps have them.

If you see an app with Accessibility or Input Monitoring access that you don't recognize and didn't grant, that's one of the strongest indicators of stalkerware.

Look at Network Connections

Spyware has to send your data somewhere. That means network connections. Open Terminal and run:

lsof -i -P | grep ESTABLISHED

This shows every active outbound connection. Look for processes you don't recognize connecting to external IP addresses. You can look up any suspicious IP at a service like ipinfo.io:

curl ipinfo.io/203.0.113.42

Replace the IP with the one you're investigating. If it resolves to a hosting provider in a country you have no business connecting to, and the process name is something generic like "helper" or "updater," that warrants further investigation.

For a more targeted check, you can watch network traffic from a specific process:

sudo lsof -i -P -n | grep -i "suspicious_process_name"

CoreLock's network monitor automates this — it tracks every outbound connection, identifies the responsible process, and flags connections to known command-and-control servers or suspicious endpoints. But the manual approach works too if you know what you're looking for.
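As an added example (not code from the post or from CoreLock), here is a shell filter over the lsof output above that drops loopback and LAN peers and prints one line per process that is actually talking to the outside, so a generically named "helper" stands out. The sample lsof lines are constructed for the demonstration and the function names are my own.

```shell
#!/bin/bash
# Reduce `lsof -i -P -n` output to one line per ESTABLISHED connection whose
# peer is outside the machine and the LAN: "<pid> <command> -> <ip>:<port>".
# Function names and the sample lines below are this example's own inventions.

summarize_external() {
  awk '
    /ESTABLISHED/ {
      # NAME is the field before "(ESTABLISHED)": local:port->remote:port
      split($(NF-1), ends, "->")
      n = split(ends[2], parts, ":")            # IPv6 peers contain extra colons
      port = parts[n]
      ip = substr(ends[2], 1, length(ends[2]) - length(port) - 1)
      # Skip loopback, link-local and RFC 1918 peers; they never leave the Mac or LAN
      if (ip ~ /^(127\.|10\.|192\.168\.|169\.254\.|\[::1\]|\[fe80:)/) next
      if (ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
      printf "%s %s -> %s:%s\n", $2, $1, ip, port
    }'
}

# Constructed sample in lsof's layout: a browser, a generically named "helper"
# talking to an unfamiliar host, local-only chatter, a LAN database, and a
# listening socket that must not appear in the summary.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari   1234 jane   17u  IPv4 0x1a2b      0t0  TCP 192.168.1.5:52344->203.0.113.42:443 (ESTABLISHED)
helper   4321 jane    5u  IPv4 0x3c4d      0t0  TCP 192.168.1.5:52400->198.51.100.7:8443 (ESTABLISHED)
rapportd  610 jane    4u  IPv4 0x5e6f      0t0  TCP 127.0.0.1:49152->127.0.0.1:49153 (ESTABLISHED)
node     7788 jane   22u  IPv4 0x7a8b      0t0  TCP 192.168.1.5:52500->192.168.1.20:5432 (ESTABLISHED)
sshd      900 root    3u  IPv6 0x9c0d      0t0  TCP [2001:db8::5]:22->[2001:db8::9]:55000 (ESTABLISHED)
Spotify  2222 jane   40u  IPv4 0xabcd      0t0  TCP *:57621 (LISTEN)'

# Summary of the constructed sample, so the filter can be checked on any system.
sample_summary() {
  printf '%s\n' "$SAMPLE_LSOF" | summarize_external
}

sample_summary
# On a Mac, run it against live data (prefix lsof with sudo to see every user's processes).
if [ "$(uname)" = "Darwin" ] && command -v lsof >/dev/null; then
  lsof -i -P -n | summarize_external
fi
```

Each remaining IP can then be fed to the ipinfo.io lookup shown above.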

Check if SIP is Enabled

System Integrity Protection (SIP) is one of macOS's strongest defenses. It prevents even root-level processes from modifying protected system files. If SIP is disabled on your Mac and you didn't disable it yourself, that's a serious problem.

csrutil status

You should see "System Integrity Protection status: enabled." If it says disabled, someone (or something) booted into Recovery Mode and turned it off. This is a prerequisite for certain types of advanced spyware that modify system files.

Re-enable it by restarting into Recovery Mode (hold the power button on Apple Silicon, or Command+R on Intel), opening Terminal from the Utilities menu, and running:

csrutil enable

Check for Pegasus and Advanced Threats

If you have reason to believe you might be targeted by nation-state spyware — you're a journalist, activist, political figure, or work in a sensitive industry — the checks above aren't sufficient. Pegasus-class spyware uses zero-click exploits and can evade most conventional detection methods.

Amnesty International's Mobile Verification Toolkit (MVT) runs on macOS. It's a forensic tool that checks for known indicators of compromise associated with Pegasus and similar tools:

pip3 install mvt
mvt-ios check-backup --output /tmp/mvt-results /path/to/backup

MVT is primarily designed for iOS, but the methodology applies. For Mac specifically, you'd analyze an iTunes/Finder backup of an iPhone that syncs with the Mac, since Pegasus primarily targets iOS and can bridge to Mac through shared iCloud data.

I'll be honest — if you're genuinely targeted by something like Pegasus, the most reliable detection method is sending your device to a forensic lab. Amnesty's Security Lab and Citizen Lab at the University of Toronto both do this work. The DIY approach has limits.

The Nuclear Option: IPSW Restore

If you've found evidence of spyware and you want to be absolutely certain it's gone, the most thorough approach is a DFU (Device Firmware Update) restore using an IPSW file. This goes deeper than a normal macOS reinstall.

For Apple Silicon Macs:

  1. Connect the infected Mac to another Mac using a USB-C cable
  2. Put the infected Mac into DFU mode (the exact button sequence varies by model — Apple has documentation for each)
  3. On the second Mac, open Apple Configurator 2
  4. Restore the firmware using a clean IPSW image

This reflashes the firmware, not just the OS. It's the closest thing to a factory reset that exists on modern Macs. A standard "Erase All Content and Settings" from System Settings is usually sufficient for stalkerware, but if you're dealing with something more advanced, IPSW restore is the way.

After the restore, set up as a new Mac. Don't restore from a Time Machine backup — the backup might contain the spyware's persistence mechanisms.

What Doesn't Work

A few common suggestions that won't catch real spyware:

Running XProtect alone. Apple's built-in malware scanner checks file signatures against a known database. It's good for commodity malware but doesn't detect commercial stalkerware or state-level spyware. These tools are specifically designed to avoid XProtect's signatures.

Just restarting your Mac. Some older spyware was memory-resident and wouldn't survive a restart. Modern spyware installs persistence mechanisms specifically so it survives reboots. If it's using a LaunchAgent or LaunchDaemon, restarting actually reloads it.

Checking Activity Monitor casually. Sophisticated spyware names its processes to blend in — things like "com.apple.security.agent" or "SystemUIServer_helper." You'd glance right past them. You need to actually verify the code signature and binary path, not just the name.

Building a Regular Checking Habit

I follow Mac security news obsessively — Objective-See's blog, Jamf Threat Labs, SentinelOne's research, Patrick Wardle's talks. The one consistent pattern is that spyware gets caught when someone actually looks. Not by automated tools running in the background, but by someone deliberately checking their LaunchAgents, reviewing their permissions, and watching their network connections.

Make it a monthly habit. Set a calendar reminder. Spend 15 minutes running through the checks in this post. Most months, you'll find nothing, and that's the point — you're confirming that your Mac is clean.

If you want to automate some of this, CoreLock scans LaunchAgents, network connections, process signatures, and privacy permissions in one pass. It flags anything suspicious with a plain-English explanation of what it found and why it's concerning. The free tier gives you three scans per day, which is more than enough for regular monitoring.

Spyware is a solvable problem if you know where to look. Now you do.
