![](\"https:\/\/media.wired.com\/photos\/5e2c73920350e10008e08ce6\/master\/pass\/Security_macbook_618599172.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Brian Barrett| Date: Sat, 25 Jan 2020 17:10:55 +0000<\/strong><\/p>\n Brian Barrett<\/span><\/a><\/span> <\/span><\/p>\n How the Shlayer Trojan topped the macOS malware charts—despite its \u201crather ordinary\u201d methods.<\/p>\n The popular misconception that Macs don\u2019t get viruses has become a lot less popular in recent years, as Apple devices have weathered their fair share<\/a> of bugs. But it\u2019s still surprising that the most prolific malware on macOS\u2014by one count, affecting one in 10 devices\u2014is so relatively crude.<\/p>\n This week, antivirus company Kaspersky detailed the 10 most common threats its macOS users encountered in 2019. At the top of the list: the Shlayer Trojan, which hit 10 percent of all of the Macs Kaspersky monitors, and accounted for nearly a third of detections overall. It\u2019s led the pack since it first arrived in February 2018.<\/p>\n You\u2019d think that such prevalence could only be achieved by comparable sophistication. Not so! \u201cFrom a technical viewpoint Shlayer is a rather ordinary piece of malware,\u201d Kaspersky wrote<\/a> in its analysis. In fact, it relies on some of the oldest tricks in the books: convincing people to click on a bad link, then pushing a fake Adobe Flash update. Even the trojan\u2019s payload turns out to be ho-hum: garden variety adware<\/a>.<\/p>\n Shlayer\u2019s brilliance, it turns out, lies less in its code than its method of distribution. The operators behind the trojan reportedly offer website owners, YouTubers, and Wikipedia editors a cut if they push visitors toward a malicious download. A complicit domain might prompt a phony Flash download, while a shortened or masked link in a YouTube video\u2019s description or Wikipedia footnote might initiate the same. Kaspersky says it counted more than 1,000 partner sites distributing Shlayer. One individual, Kaspersky says, currently owns 700 domains that redirect to Shlayer download landing pages.<\/p>\n \u201cDistribution is a vital part of any malware campaign, and Shlayer shows that affiliate networks are pretty effective in this sense,\u201d says Vladimir Kuskov, head of advanced threat research and software classification at Kaspersky.<\/p>\n While Shlayer is simple, the adware it installs\u2014a wide variety, since Shlayer itself is just a delivery mechanism\u2014can deploy at least a modestly clever trick or two. In an instance of Cimpli adware that Kaspersky observed, the malware first poses as another program, in this case Any Search. In the background, Cimpli attempts to install a malicious Safari extension, and generates a fake \u201cInstallation Complete\u201d notification window to cover up the macOS security notification that warns you against doing so. It tricks you, in other words, into granting permission to let it run amok on your device.<\/p>\n Once you do, the attacker can both intercept your search queries and seed the results with their own ads. It\u2019s an annoyance, more than anything. But given that over 100 million people use macOS, and it hits at least 10 percent of those with Kaspersky installed, it\u2019s reasonable to assume that millions of Mac users deal with it every year. Even if only a small percentage of those attempts prove successful, it\u2019s apparently enough to keep the operation going.<\/p>\n \u201cApple does a great job making their OS more and more secure with every new release,\u201d says Kuskov. \u201cBut it is hard to prevent such attacks on the OS level, since it's the user who clicks on a link and downloads Shlayer and runs it, like any other software.\u201d<\/p>\n While Flash might seem like an outdated lure, given the numerous public warnings about its fallibility<\/a> and the fact that it\u2019s dying off completely this year<\/a> anyway, it\u2019s actually perversely effective.<\/p>\n \u201cI think the reason why fake Flash Players are so successful, in spite of these facts, is twofold,\u201d says Joshua Long, chief security analyst at Intego, which first discovered Shlayer nearly two years ago. \u201cForce of habit, and lack of awareness of the current state of Flash.\u201d<\/p>\n To the first point, people have been so accustomed to serious Flash vulnerabilities that they\u2019re conditioned to update ASAP to avoid calamity. As for the second, Long says, \u201cthe average consumer has no idea that Flash is rarely used by modern sites, that Flash installers are no longer necessary, or that Flash is being terminated this year.\u201d<\/p>\n None of which means Mac owners are especially susceptible. \u201cThe techniques used to deceive users to install Shlayer also work fine with users of any other platform and OS,\u201d Kaspersky\u2019s Kuskov says.<\/p>\n The best ways to protect yourself from Shlayer and other malware are similarly universal. Don\u2019t click suspicious links, especially not surprise pop-up windows. Don\u2019t install Flash in the year of our lord 2020, especially not from a site that\u2019s promising a pirated livestream.<\/p>\n