Shlayer malware puts thousands of macOS devices at risk

[Image: MacBook Pro (Image credit: Future)]

Although macOS is traditionally considered a safe and secure operating system, cybercriminals still try to profit from macOS users: new research from Kaspersky found that the Shlayer malware was the most widespread macOS threat last year.

The malware itself specializes in installing adware on users' devices. That adware feeds illicit ads, intercepts and gathers users' browser queries, and modifies search results to distribute even more advertising.

Between January and November of last year, Shlayer accounted for 29.28 percent of all attacks on macOS devices registered by Kaspersky products, and nearly all of the other top-10 macOS threats were adware families installed by Shlayer, including AdWare.OSX.Bnodlero, AdWare.OSX.Geonei, AdWare.OSX.Pirrit and AdWare.OSX.Cimpli.

Since Shlayer was first detected, its infection algorithm has hardly changed, yet its activity has barely decreased, which makes it an especially relevant threat that macOS users need to be aware of.

Shlayer malware

Shlayer's infection process often consists of two phases: the user first installs the malware, which then installs a selected type of adware. Infection therefore begins with the user downloading the malicious program, and the cybercriminals behind Shlayer have built a distribution system with a number of channels to increase the malware's chances of being installed.

Shlayer is offered as a way to monetize websites through a number of file partner programs that pay relatively well for each malware installation made by American users. Currently, over 1,000 partner sites are used to distribute the malware.

The scheme begins when a user searches for a TV series or sports match and advertising landing pages redirect them to fake Flash Player update pages where Shlayer can be downloaded. Other schemes redirect users to these fake update pages from popular online services, including YouTube, where links to the malicious sites are placed in video descriptions, and Wikipedia, where links are hidden in an article's references.

Anton Ivanov, security analyst at Kaspersky, explained in a press release why cybercriminals continue to target macOS users:

“The macOS platform is a good source of revenue for cybercriminals, who are constantly looking for new ways to deceive users, and actively use social engineering techniques to spread their malware. This case demonstrates that such threats can be found even on legitimate sites. Luckily for macOS users, the most widespread threats that target macOS currently revolve around feeding illicit advertising, rather than something more dangerous, such as stealing financial data. A good web security solution can protect users from threats such as these, making the experience of searching the web safe and pleasant.”

To avoid falling victim to Shlayer, the security firm recommends installing programs and updates only from trusted sources, carefully researching the entertainment websites you plan to watch content on, and using an internet security suite for additional protection.

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.