Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

The top malware threat for macOS infects one in 10 users

Kaspersky claims that the Mac is proving to be profitable for cyber criminals

Security firm Kaspersky says that in 2019 the Shlayer Trojan infected one in ten Mac users, opening the door to malicious apps that hide behind fake error messages about users needing to update Flash.

According to security firm Kapersky, Macs have been the frequent target of what's called the Shlayer Trojan. The company reports that this has been active since at least early 2018, but in 2019 specifically it was the most common threat to macOS. Around 10% of all Macs were attacked with it, and by itself, Shlayer represents 30% of all the Trojans detected on macOS.

The Shlayer Trojan is a delivery mechanism for a variety of malware payloads. It gets onto a Mac and then while not specifically harming the machine itself, it fetches other malicious code, typically adware.

From the user's perspective, there are three stages to what happens. The first is that they click on a link to a site which initiates a download of the Shlayer Trojan to the user's Mac. Kaspersky's report says that "thousands of websites" include this download, typically because the sites partner with cyber criminals.

However, legitimate sites could have this added, too.

"[These include] YouTube, where links to the malicious website were included in video descriptions," says Kaspersky in its report, "and Wikipedia, where such links were hidden in the articles' references."

Typically links take users to advertising pages which try to persuade them to download software. According to Kaspersky, a common method is to display faked messages about Adobe Flash being out of date. The "Download Flash" button actually downloads the Trojan.

A fake Flash update notification on a site. (Source: Kaspersky) A fake Flash update notification on a site. (Source: Kaspersky)

Once downloaded, the user is prompted to install an application. It doesn't follow macOS's regular installation procedure though. Rather than double-clicking to install, the user is directed to first right-click and choose Open Package.

Then when it has been installed, the Shlayer Trojan itself downloads adware or other such malicious apps. These are still new apps being downloaded onto a Mac and so in theory they cannot be installed without the user's permission — but there is a way around it.

One type of malware that the Shlayer Trojan installs is a Safari Extension and the Mac does ask if you are sure that you want to use it. However, while macOS is warning that this is an unrecognized extension, Shlayer is overlaying that message with a fake dialog box saying that the installation is complete.

Users see an "Okay" button and click it, but in reality they are clicking a Trust button that macOS was actually displaying. They are telling the Mac that it is okay to install this software, so it does.

The final stage is that, at present, the Mac user can be bombarded with ads. Any browsing can also be affected by targeted ads being presented.

"[Since February 2018] we have collected almost 32,000 different malicious samples of the Trojan," says Kaspersky. "Having studied the Shlayer family, we can conclude that the macOS platform is a good source of revenue for cybercriminals."

Left: what the user sees. Right: what the Mac is actually displaying (Source: Kaspersky) Left: what the user sees. Right: what the Mac is actually displaying (Source: Kaspersky)

Significantly, Kaspersky says that even though the Trojan was detected almost two years ago, it is still prevalent.

"The operation algorithm has changed little since Shlayer was first discovered, nor has its activity decreased much," the company continues. "[The] number of detections remains at the same level as in the first months after the malware was uncovered."

While Kaspersky reports that this particular Trojan is operating at around the same level as it always has, a separate report from Malwarebytes in April 2019 claims that Mac malware overall has grown enormously.



41 Comments

randominternetperson 8 Years · 3101 comments

Ok, so where are the instructions for checking to see if you have this and how to remove it?

dysamoria 12 Years · 3430 comments

I hate that garbage like this exists and that there’s seemingly no way to totally stop it. Even legit websites can harbor this crap. Detail-oriented technical people like myself usually see these tricks for what they are, but how are average, non-technical users expected to cope when computers are already so overwhelming for them?

It makes me totally understand why Apple wants to clamp down as much as possible on their platforms. It’s in their best interest for customers to feel safe buying computers. As a support person, it wasn’t within my ability to control the world or what people do with their computers, but I still had to witness constant abuse of end users, including by legit developers and product-makers. Adding scammers on top... What a hellscape this industry can seem.

ihatescreennames 19 Years · 1977 comments

dysamoria said:
I hate that garbage like this exists and that there’s seemingly no way to totally stop it. Even legit websites can harbor this crap. Detail-oriented technical people like myself usually see these tricks for what they are, but how are average, non-technical users expected to cope when computers are already so overwhelming for them?

Exactly. My MIL is constantly in need of help with her computer because of stuff like this. "My computer TOLD ME I needed to update!" is what I usually hear. Like you said, how is she or others like her supposed to know if something is legitimate or not? She certainly isn't new to computers. Her first Mac was a Bondi Blue iMac, she has worked remotely almost every day for the last 5 years, etc. But these sorts of things get her, seemingly every time.

mwhite 9 Years · 287 comments

I get update notices for Flash all the time but the only way I will update is going to their web page and do the update, can't trust anything..
I also use CleanMyMac X it checks my computer for Malware.