yellow said:
To be effective, it would require your admin password to be entered.. whereas in Windows, there's no such beast.
The reasons trojans are so effective, is that they also have a legitimate, useful purpose that entices users to install them; so many users would blissfully enter in their admin password to install them, and then the damage is done.
Not that installers are necessary, if the trojan is an application on a disk image (drag install), no admin password is prompted for or required - unless you're a non-admin user dragging it to a location such as Applications.
In any case, even if the user is logged as a non-admin, the trojan could easily still scan his emails, and files in his home folder, search for useful data (bank details, credit card details, social security etc.), possibly now even faster with the Spotlight API, and the OS offers no impediment.
The only thing OSX really protects in this case is the System itself, and that's the one thing that's of little interest for a spying trojan, and if damaged can be easily replaced with a reinstall. It's the user's personal data which is more sensitive, and more likely to be irreplaceable; and there's nothing impeding a trojan there on OSX.