The top malware threat for macOS infects one in 10 users


  • Reply 21 of 41
    Security firm Kaspersky says that in 2019 the Shlayer Trojan infected one in ten Mac users,
    No it doesn't say that.

    It says "one in ten of our Mac security solutions encountered this malware at least once".

    https://securelist.com/shlayer-for-macos/95724/

    If their "Mac security solutions" are installed on 1/100,000 of total active Macs, the one tenth of that makes 1/1,000,000 of total active Macs.


    While I get what you're trying to say, your math is wrong.

    If 1 in 1,000 people surveyed had the malware then you'd have 1,000 out of 1,000,000 and so on. As long as the 1,000 is a representative sample of all users, then you can extrapolate the entire infection rate from that sample.

    What you're implying is that only users of Kaspersky products are seeing this malware.


    That said, the title is incorrect. It implies that 10% of the entire Mac user base has an infected computer, when Kaspersky is saying that 10% of users will see this attack show up. There's a big difference between an attempted attack (extremely common) and a successful installation of malware (far less common).
  • Reply 22 of 41
    john.b Posts: 2,742 member
    One type of malware that the Shlayer Trojan installs is a Safari Extension and the Mac does ask if you are sure that you want to use it. However, while macOS is warning that this is an unrecognized extension, Shlayer is overlaying that message with a fake dialog box saying that the installation is complete.

    Users see an "Okay" button and click it, but in reality they are clicking a Trust button that macOS was actually displaying. They are telling the Mac that it is okay to install this software, so it does.

    Left: what the user sees. Right: what the Mac is actually displaying (Source: Kaspersky)
    An application should never, ever be allowed to layer a window or dialog box over the top (i.e. a higher z-order) of a system notification. Even that company in Redmond figured this out (back in Vista IIRC).
  • Reply 23 of 41
    mcdave Posts: 1,927 member
    dysamoria said:
    I hate that garbage like this exists and that there’s seemingly no way to totally stop it. Even legit websites can harbor this crap. Detail-oriented technical people like myself usually see these tricks for what they are, but how are average, non-technical users expected to cope when computers are already so overwhelming for them?
    Exactly. My MIL is constantly in need of help with her computer because of stuff like this. "My computer TOLD ME I needed to update!" is what I usually hear. Like you said, how is she or others like her supposed to know if something is legitimate or not? She certainly isn't new to computers. Her first Mac was a Bondi Blue iMac, she has worked remotely almost every day for the last 5 years, etc. But these sorts of things get her, seemingly every time.
    iPad (+ keyboard)
  • Reply 24 of 41
    mcdave Posts: 1,927 member
    So Adware is unsolicited, unwanted code which convinces the user to pay money for products they don’t really need.
    Like Kaspersky & Malware Bytes.
  • Reply 25 of 41
    So... a Russian owned computer security company is throwing out red flags and fear mongering to push sales of its software... Sure... No financial gain for that kinda BS... Just having GateKeeper enabled will help thwart such crap from infecting a Mac. Considering the tech savvy level of the average user, GateKeeper will catch it before it's a problem. No need to waste money on Putinerskry software. Another clickbait article. 
    edited January 2020
  • Reply 26 of 41
    daven said:
    I guess I'm not one of the one in ten. I removed flash years ago and have closed all pages saying I needed to update Flash. But it would be nice to know of a way to check for the virus.
    Malwarebytes is plenty good, even the free version.
  • Reply 27 of 41
    MacPro Posts: 19,873 member
    daven said:
    I guess I'm not one of the one in ten. I removed flash years ago and have closed all pages saying I needed to update Flash. But it would be nice to know of a way to check for the virus.
    Malwarebytes is plenty good, even the free version.
    I thought the free version expires after 14 days, am I wrong?
  • Reply 28 of 41
    john.b Posts: 2,742 member
    MacPro said:
    Malwarebytes is plenty good, even the free version.
    I thought the free version expires after 14 days, am I wrong?
    14 days should be sufficient to clean up a malware infestation.
  • Reply 29 of 41
    Security firm Kaspersky says that in 2019 the Shlayer Trojan infected one in ten Mac users,
    No it doesn't say that.

    It says "one in ten of our Mac security solutions encountered this malware at least once".

    https://securelist.com/shlayer-for-macos/95724/

    If their "Mac security solutions" are installed on 1/100,000 of total active Macs, the one tenth of that makes 1/1,000,000 of total active Macs.


    While I get what you're trying to say, your math is wrong.

    If 1 in 1,000 people surveyed had the malware then you'd have 1,000 out of 1,000,000 and so on. As long as the 1,000 is a representative sample of all users, then you can extrapolate the entire infection rate from that sample.

    What you're implying is that only users of Kaspersky products are seeing this malware.


    That said, the title is incorrect. It implies that 10% of the entire Mac user base has an infected computer, when Kaspersky is saying that 10% of users will see this attack show up. There's a big difference between an attempted attack (extremely common) and a successful installation of malware (far less common).
    Yes I mean exactly that.

    The point is, one can't extrapolate the entire infection rate from that very, very specific and tiny sample made of Kaspersky Mac users. Kaspersky or any anti-virus tool is not a common utility on the Mac platform. When you buy a new Mac, no one will suggest buying an anti-virus alongside, as is common in the PC world. If there exists some Mac user base who take Kaspersky seriously, they must have very serious reasons to do so: either they belong to some corporation/institution under continuous targeted attacks, or they are the kind of users who are not afraid of frequently visiting the dark fringes of the Internet such as unregulated porn sites or piracy sites. Those are not representative samples of the totality of active Mac users, and neither are Windows switchers who install those by habit.

    Besides, macOS Catalina prevents unsolicited downloads by requesting permission from users for every site. As long as Catalina installation rate increases, that malware issue will become more and more marginal on the Mac platform.
    edited January 2020
  • Reply 30 of 41
    This is a good article and good information, but I absolutely don't trust Kaspersky. It's a Russian company with ties to election hacking. Although their software itself might do a good job with detecting viruses, I'm not convinced that they're not also monitoring our behavior, or at least setting things up to do so. If you look in the Android play store or the Apple store, you see around a dozen Kaspersky apps, all of which require access to your system. Even if you use just two or three of them, Kaspersky could have access to everything you do, including your camera, your microphone, even keystrokes. I'm just not convinced that they're not setting this up while millions of us use their software. They have the capability to mine incredible amounts of intimate and private data about us. Kaspersky applications are banned by the Pentagon. That should raise flags.
    edited January 2020
  • Reply 31 of 41
    MacOS, iOS, WatchOS and iPadOS. Keep all Malware, anti-virus, porn sites and security apps well away from your equipment. For 40 years Apple computers and some Apple ancillary tech have passed through my hands and I have never yet seen a single byte of malicious code.

  • Reply 32 of 41
    MplsP Posts: 4,177 member
    Seriously?! I mean who really cares what Moscow based Kaspersky says in order to sell their so called products? Give me a break!
    So... a Russian owned computer security company is throwing out red flags and fear mongering to push sales of its software... Sure... No financial gain for that kinda BS... Just having GateKeeper enabled will help thwart such crap from infecting a Mac. Considering the tech savvy level of the average user, GateKeeper will catch it before it's a problem. No need to waste money on Putinerskry software. Another clickbait article. 
    So do you have any evidence to refute what was presented? 
  • Reply 33 of 41
    davidw Posts: 2,184 member
    apple ][ said:
    One type of malware or scam I see from time to time is various emails asking you to reset your password to some site. All of those go straight to the trash.

    I got one from "Facebook" the other day.

    Unfortunately for the scumbags, I've never even had a Facebook account.

    A lot of the malware or scams seem to be coming from illiterate people who are not very bright and also not very fluent in English. 

    A friend of mine got an email from "Apple" last year, telling them to reset their password, and they asked me to take a look at the email, and the grammar was a total joke. 

    (1) Apple would never send out any emails asking people to reset their password
    (2) Apple would never hire monkeys who can't even write in English

    The dead giveaway that an email asking to reset your password or that your account has been disabled or that there's a problem with your CC number, etc., is fake is that the email addresses you with "Dear (company name) Customer" or "Dear (your email address)". Companies like Apple, Netflix, Amazon, PayPal, eBay, your bank, etc. know your real name and will always address you using your real name or the name you use for your account. They will never send you an email concerning an official matter that addresses you with a generic term that can apply to anyone who has an account with them.
    edited January 2020
  • Reply 34 of 41
    knowitall Posts: 1,648 member
    It seems a right punishment for still using Flash.
  • Reply 35 of 41
    knowitall Posts: 1,648 member
    Security firm Kaspersky says that in 2019 the Shlayer Trojan infected one in ten Mac users,
    No it doesn't say that.

    It says "one in ten of our Mac security solutions encountered this malware at least once".

    https://securelist.com/shlayer-for-macos/95724/

    If their "Mac security solutions" are installed on 1/100,000 of total active Macs, the one tenth of that makes 1/1,000,000 of total active Macs.


    While I get what you're trying to say, your math is wrong.

    If 1 in 1,000 people surveyed had the malware then you'd have 1,000 out of 1,000,000 and so on. As long as the 1,000 is a representative sample of all users, then you can extrapolate the entire infection rate from that sample.

    What you're implying is that only users of Kaspersky products are seeing this malware.


    That said, the title is incorrect. It implies that 10% of the entire Mac user base has an infected computer, when Kaspersky is saying that 10% of users will see this attack show up. There's a big difference between an attempted attack (extremely common) and a successful installation of malware (far less common).
    Almost Correct.
    I do think it's probable that “only users of Kaspersky products are seeing this malware” because they do not represent a representative sample (of Mac users). Because a real Mac user knows that a virus scanner on a Mac is nonsense, so they are probably susceptible to nonsense like Flash and look at all the wrong internet places.
  • Reply 36 of 41
    ktappe Posts: 830 member
    I can't wait for 10.16 which rumors say will disallow any use of Flash whatsoever. Bye bye Flash! And with you goes this attack vector.
  • Reply 37 of 41
    DuhSesame Posts: 1,278 member
    WUT?

    Do 10% of people really believe that's a legit window to click with???  Can't they tell it's in the browser?
  • Reply 38 of 41
    Jonny K Posts: 9 unconfirmed, member
    I work in Mac Tech support. This is complete rubbish. In the last year, in the hundreds of Macs that I support, it has appeared once. This is just an anti-virus sales pitch.
  • Reply 39 of 41
    I wouldn't trust Kaspersky to handle a dingleberry stuck to my Ass!
  • Reply 40 of 41
    When I see a similar message (rarely), I do the following:  
    1. Immediately quit Safari and avoid the website for a few days - suspect the malware is present in ads within normally safe sites.
    2. Disconnect internet cable (I rarely enable Wi-Fi).
    3. Relaunch Safari (with no internet connection).
    4. Click Safari --> Preferences --> Privacy --> Manage Website Data --> Press Remove All --> Press Done and close popup window.
    5. Close Safari.
    6. Launch system preferences and clear all downloads in Flash Player and Java (will be glad to see the former gone in 10.16.x).
    7. Power cycle cable modem.
    8. Restart Mac.
    9. Run an antivirus... scan (I've used various products over the years: Norton, McAfee, Sophos...). I prefer ones that have anti-ransomware abilities. Some of these will prevent opening websites known to have malware (and may catch things that have yet to be seen by Apple protective code). Some depend on catching suspicious behavior rather than specific virus... signatures; most are updated more frequently than Apple's protective code.
    10. If need be, access the site for several days using a backup Chromebook. Suspect I could load Chrome or Firefox on the Mac, and use those for the site that seems to have infected ads. I assume the bad actors target one browser at a time. Each browser has its unpatched weaknesses. Different code may be needed to compromise different web browsers.  

    Would take similar actions on ANY computer or web browser that displayed such a message. Received a lot of phishing emails over the holidays that were supposedly from banks, Netflix and Apple. Sent these to abuse@xyz (where xyz is the company's website). Only problem I had was with Netflix, who responded back to use phishing@Netflix. Bank was the only one to respond with a specific confirmation. Nada from the others. These attempted attacks seem to peak around holidays (maybe the bad actors assume some folks will be more likely to click on links due to higher intake of alcohol during the holidays). Good idea to copy these to the company they are imitating. If you clicked on a phishing email, be SURE to change your password if you logged onto a site that can charge you money or has sensitive data.

    No matter what protections are built into an operating system or web browser, it is a constant cat and mouse game. The white hats will build a better mouse trap, and the black hats will build a better mouse.
    edited January 2020