Viruses and malicious code are not what you'd normally think about when considering the most popular non-compressed audio file format in history, WAV. Yet it seems music makers and consumers alike could be at risk of transferring malicious code through WAV audio files.
According to ZDNet, there have been two recent instances where malicious code has been found lurking beneath the surface in WAV audio files, concealed using a technique called steganography.
"Using steganography has been popular with malware operators for more than a decade. Malware authors don't use steganography to breach or infect systems, but rather as a transfer method. Steganography allows files hiding malicious code to bypass security software that whitelists non-executable file formats (such as multimedia files)."
Image files like PNG and JPEG have more traditionally been utilised by malware authors. However, 2019 has seen WAV files being used. While these file types can't self-execute, there are sophisticated ways that malware authors can trigger the code inside multimedia files by using other software already downloaded onto the host's computer.
The two instances where WAV files have been used for malware are fairly different. Symantec described the first instance as being an espionage attack that targeted a government state.
The second instance saw "each WAV file coupled with a loader component for decoding and executing malicious content secretly woven throughout the file’s audio data. When played, some of the WAV files produced music that had no discernible quality issues or glitches. Others simply generated static (white noise)." It appears this method uses the XMRig Monero CPU miner for financial gain by mining cryptocurrencies.
One of the reasons malware makers use multimedia files to transfer malware is that security software generally cannot block every image and audio file type, nor reliably tell which files are hiding a malicious DLL and which are not.
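For readers who want to see what a basic check of a suspicious WAV might look like, here is an added example (not code from the article or from the reports it cites) that walks a WAV file's chunks and flags audio data that is statistically indistinguishable from random bytes, like the files that "simply generated static", as well as extra bytes appended after the audio. The function names, the 7.9 bits-per-byte threshold and both sample inputs are assumptions made for illustration, and a payload hidden in a file that still plays as normal music will not trip this check.

```python
import io
import math
import random
import struct
import wave
from collections import Counter

def make_wav(frames: bytes) -> bytes:
    """Constructed sample input: 16-bit mono 8 kHz WAV built in memory."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(frames)
    return buf.getvalue()

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 looks like random data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_wav(blob: bytes, threshold: float = 7.9) -> dict:
    """Walk the RIFF chunks and report traits that merit a closer look."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_end = 8 + struct.unpack_from("<I", blob, 4)[0]
    pos, data, unknown = 12, b"", []
    while pos + 8 <= min(riff_end, len(blob)):
        cid, size = struct.unpack_from("<4sI", blob, pos)
        if cid == b"data":
            data = blob[pos + 8 : pos + 8 + size]
        elif cid not in (b"fmt ", b"LIST", b"fact"):
            unknown.append(cid.decode("latin-1"))
        pos += 8 + size + (size & 1)  # chunks are padded to an even length
    h = entropy(data)
    return {"entropy": round(h, 2), "noise_like": h >= threshold,
            "unknown_chunks": unknown,
            "trailing_bytes": max(0, len(blob) - riff_end)}

# Constructed inputs: a 440 Hz tone, and seeded random bytes standing in for static.
rng = random.Random(1)
tone = b"".join(struct.pack("<h", int(12000 * math.sin(2 * math.pi * 440 * i / 8000)))
                for i in range(16000))
static = bytes(rng.getrandbits(8) for _ in range(32000))
CLEAN = triage_wav(make_wav(tone))
NOISY = triage_wav(make_wav(static) + b"\x00" * 16)  # 16 bytes past the RIFF end
print(CLEAN, NOISY, sep="\n")
```

A "noise_like" result is a reason to look closer, not a verdict: legitimate noise samples and dense recordings can also score high.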
But what can a conscientious musician or producer do to prevent an issue? So far, it appears the executable side of this malware targets Windows PC and server platforms, not Mac. However, that can change overnight, and it doesn't mean that WAV file you downloaded from that torrent is safe just because you use a Mac.
In fact, good advice would be to only download WAV files from audio production and sample library websites you trust. Obviously whatever files you create in your DAW will be OK as before, so look out for free samples or music being offered which doesn't quite add up.
As malware authors become more sophisticated, creators and computer users need to keep themselves safer than ever before... so please be careful, avoid pirating music / sample libraries, and keep yourself and your friends OK.