MacOS – As part of “nuking it from orbit”, is it safe to reinstall the OS using Recovery

macosrecovery

Context: I've erased my hard drive and had OS El Capitan reinstalled via a bootable drive from a Genius Bar many times leading up to me asking this question. After going through the process of erasing + reinstalling + setting up preferences/calendars + changing passwords etc, the day after there have always been little things that were noticeable enough to arouse suspicion regarding a RAT/trojan on my Macbook (minor changes to iCal entries I definitely didn't make etc).

Recently, I tried a different route: I erased the hard drive and reinstalled the OS via Recovery using an Apple store's wifi. But even after doing this, I noticed the day after of setting up my Macbook as new again that one of my iCal entries were edited that I didn't make…

However, I read somewhere that it's best to reinstall the OS from a non-recovery partition source because if there is/was a RAT/trojan on my Macbook, said RAT/trojan could modify some files in the recovery partition without my knowledge thus leading me to unwittingly install a backdoored OS. Does this seem plausible? Should I once again try and erase/reinstall the OS from a bootable drive at a Genius Bar?

Best Answer

You are correct - a suitably advanced attacker could technically rewrite the OS on the recovery HD to point it to a bad source when you reinstall the OS.

Better would to be use internet recovery since that would require even more advanced work to compromise the firmware on the Mac.

Best would be to bring a bootable installer from a machine you have more confidence hasn’t been comnptromised.

In 98% of the time - all of the above steps to erase the hard drive and reinstall the OS are going to be equally effective, but there are increased levels of safety to be had than just using the self-contained recovery HD.