How the Shlayer Trojan topped the macOS malware charts—despite its “rather ordinary” methods.
The popular misconception that Macs don’t get viruses has become a lot less popular in recent years, as Apple devices have weathered their fair share of bugs. But it’s still surprising that the most prolific malware on macOS—by one count, affecting one in 10 devices—is so relatively crude.
This week, antivirus company Kaspersky detailed the 10 most common threats its macOS users encountered in 2019. At the top of the list: the Shlayer Trojan, which hit 10 percent of all of the Macs Kaspersky monitors, and accounted for nearly a third of detections overall. It’s led the pack since it first arrived in February 2018.
You’d think that such prevalence could only be achieved by comparable sophistication. Not so! “From a technical viewpoint Shlayer is a rather ordinary piece of malware,” Kaspersky wrote in its analysis. In fact, it relies on some of the oldest tricks in the books: convincing people to click on a bad link, then pushing a fake Adobe Flash update. Even the trojan’s payload turns out to be ho-hum: garden variety adware.
Shlayer’s brilliance, it turns out, lies less in its code than its method of distribution. The operators behind the trojan reportedly offer website owners, YouTubers, and Wikipedia editors a cut if they push visitors toward a malicious download. A complicit domain might prompt a phony Flash download, while a shortened or masked link in a YouTube video’s description or Wikipedia footnote might initiate the same. Kaspersky says it counted more than 1,000 partner sites distributing Shlayer. One individual, Kaspersky says, currently owns 700 domains that redirect to Shlayer download landing pages.
“Distribution is a vital part of any malware campaign, and Shlayer shows that affiliate networks are pretty effective in this sense,” says Vladimir Kuskov, head of advanced threat research and software classification at Kaspersky.
While Shlayer is simple, the adware it installs—a wide variety, since Shlayer itself is just a delivery mechanism—can deploy at least a modestly clever trick or two. In an instance of Cimpli adware that Kaspersky observed, the malware first poses as another program, in this case Any Search. In the background, Cimpli attempts to install a malicious Safari extension, and generates a fake “Installation Complete” notification window to cover up the macOS security notification that warns you against doing so. It tricks you, in other words, into granting permission to let it run amok on your device.
Once you do, the attacker can both intercept your search queries and seed the results with their own ads. It’s an annoyance, more than anything. But given that over 100 million people use macOS, and it hits at least 10 percent of those with Kaspersky installed, it’s reasonable to assume that millions of Mac users deal with it every year. It’s not clear how many it actually infects; a thunderstorm drops rain on lots of houses, but only a handful leak. But even if only a small percentage of those attempts prove successful, it’s apparently enough to keep the operation going.
“Apple does a great job making their OS more and more secure with every new release,” says Kuskov. “But it is hard to prevent such attacks on the OS level, since it’s the user who clicks on a link and downloads Shlayer and runs it, like any other software.”
While Flash might seem like an outdated lure, given the numerous public warnings about its fallibility and the fact that it’s dying off completely this year anyway, it’s actually perversely effective.
“I think the reason why fake Flash Players are so successful, in spite of these facts, is twofold,” says Joshua Long, chief security analyst at Intego, which first discovered Shlayer nearly two years ago. “Force of habit, and lack of awareness of the current state of Flash.”
To the first point, people have been so accustomed to serious Flash vulnerabilities that they’re conditioned to update ASAP to avoid calamity. As for the second, Long says, “the average consumer has no idea that Flash is rarely used by modern sites, that Flash installers are no longer necessary, or that Flash is being terminated this year.”
None of which means Mac owners are especially susceptible. “The techniques used to deceive users to install Shlayer also work fine with users of any other platform and OS,” Kaspersky’s Kuskov says.
The best ways to protect yourself from Shlayer and other malware are similarly universal. Don’t click suspicious links, especially not surprise pop-up windows. And don’t install Flash in the year of our lord 2020—especially not from a site that’s promising a pirated livestream.
All Rights Reserved for Brian Barrett