How to Identify and Remove ‘mshelper’ Mac Malware

If your Mac seems to be running with a significantly reduced battery life for no reason or the fan seems to be in overdrive, it might be advisable to check for a certain malware that is currently making the rounds.

According to a new report from 9to5Mac, people have been describing a certain process called “mshelper” using a lot of CPU usage for no apparent reason. Not much is known about the malware so far, but according to the report, it is likely to be either some form of adware or cryptocurrency miner.

There is currently no evidence that “mshelper” is a virus, so a likely explanation for its spread is an incognito download alongside the download of another application. It’s not a zero-day exploit either, as a result of it not being a new vulnerability that the malware is exploiting.

To check for mshelper, launch Activity Monitor and then click on the CPU tab to sort by highest CPU usage. If mshelper is on your Mac, it should show up near the top of the list.

If it is present, simply killing the process doesn’t fix things, as it will restart itself. But you can remove it from your system by deleting the following two files:

  1. /Library/LaunchDaemons/com.pplauncher.plist
  2. /Library/Application Support/pplauncher/pplauncher

The Reddit and Apple Support threads mention a utility called “EtreCheck” that is said to be able to find the malware, even when other apps can’t. We can’t vouch for its accuracy, so run that one at your own risk.

Until Apple adds the malware to their macOS blacklist to disable it, the above should solve it short term.