Hidden MacOS Threat: This Is The Sneaky Malware Most Likely To Infect You


If there’s one sneaky malware that Mac users should be worried about, it’s the Shlayer Trojan. In the comparatively safe walled garden of MacLand, it’s the nearest thing to a viral plague you will find. According to Kaspersky, 10% of all the installs of their security on-device software detected the malware “at least once,” and it has accounted for almost one-third of all its Mac detections since first seen in 2018.

Shlayer is designed to target users with ads—but to do so, it can intercept browser searches to ensure the right results are returned and link to its command and control server to apply some intelligence to the adware it is displaying. As expected with a virus in any world, Shlayer has evolved and mutated. Kaspersky has seen “32,000 different malicious samples of the Trojan and identified 143 C&C server domains.”

Shlayer tricks users into downloading its payload by hiding on legitimate sites visited by millions. “Looking for the latest episode of your favorite TV show?” Kaspersky warns. “Want to watch a live broadcast of a soccer match? Then take extra care, since the chances of a run-in with Shlayer are high.” The malware’s operators pay partners to host links on such sites. And there are lots of them. “The prospect of a juicy profit likely contributed to the popularity of the offer—we counted more than 1,000 partner sites distributing Shlayer.”

Those advertising “file partner programs” direct users to the malware downloads, “nicely crafted fake pages prompting to install the malware under the veil of a Flash Player update.” We have all spent years “updating Flash” and so likely click without much thought. Shlayer’s operators have also used partners to plant links to their download sites in the descriptions of YouTube videos and in Wikipedia entries. Hiding on hyper-popular sites like YouTube and Wikipedia is all part of its socially engineered process. Most Shlayer attacks hit users in the U.S. (31%), Germany (14%), France (10%) and the UK (10%).

With so many partner sites and links from leading internet platforms, it is not surprising that Kaspersky “can conclude that the macOS platform is a good source of revenue for cybercriminals—attackers are adept in the art of social engineering, and it is hard to predict how sophisticated the next deception technique will be.”

So how do you protect yourself? Simple. Be very cautious whenever following links to watch TV shows or live sporting events. Such sites are circumventing content protection, when they’re real, and are a likely source of risk. Worse, though, most of the links are simply traps to send you on a malicious online journey. Beyond that, don’t download or update Flash from anywhere other than an official Adobe website. If you’re a Safari user, Apple may be about to take that decision out of your hands in any case, dropping Flash from future versions of its browser.
