The top malware threat for macOS infects one in 10 users

Posted:
in General Discussion
Security firm Kaspersky says that in 2019 the Shlayer Trojan infected one in ten Mac users, opening the door to malicious apps that hide behind fake error messages about users needing to update Flash.

Kaspersky claims that the Mac is proving to be profitable for cyber criminals
Kaspersky claims that the Mac is proving to be profitable for cyber criminals


According to security firm Kapersky, Macs have been the frequent target of what's called the Shlayer Trojan. The company reports that this has been active since at least early 2018, but in 2019 specifically it was the most common threat to macOS. Around 10% of all Macs were attacked with it, and by itself, Shlayer represents 30% of all the Trojans detected on macOS.

The Shlayer Trojan is a delivery mechanism for a variety of malware payloads. It gets onto a Mac and then while not specifically harming the machine itself, it fetches other malicious code, typically adware.

From the user's perspective, there are three stages to what happens. The first is that they click on a link to a site which initiates a download of the Shlayer Trojan to the user's Mac. Kaspersky's report says that "thousands of websites" include this download, typically because the sites partner with cyber criminals.

However, legitimate sites could have this added, too.

"[These include] YouTube, where links to the malicious website were included in video descriptions," says Kaspersky in its report, "and Wikipedia, where such links were hidden in the articles' references."

Typically links take users to advertising pages which try to persuade them to download software. According to Kaspersky, a common method is to display faked messages about Adobe Flash being out of date. The "Download Flash" button actually downloads the Trojan.

A fake Flash update notification on a site. (Source: Kaspersky)
A fake Flash update notification on a site. (Source: Kaspersky)


Once downloaded, the user is prompted to install an application. It doesn't follow macOS's regular installation procedure though. Rather than double-clicking to install, the user is directed to first right-click and choose Open Package.

Then when it has been installed, the Shlayer Trojan itself downloads adware or other such malicious apps. These are still new apps being downloaded onto a Mac and so in theory they cannot be installed without the user's permission -- but there is a way around it.

One type of malware that the Shlayer Trojan installs is a Safari Extension and the Mac does ask if you are sure that you want to use it. However, while macOS is warning that this is an unrecognized extension, Shlayer is overlaying that message with a fake dialog box saying that the installation is complete.

Users see an "Okay" button and click it, but in reality they are clicking a Trust button that macOS was actually displaying. They are telling the Mac that it is okay to install this software, so it does.

The final stage is that, at present, the Mac user can be bombarded with ads. Any browsing can also be affected by targeted ads being presented.

"[Since February 2018] we have collected almost 32,000 different malicious samples of the Trojan," says Kaspersky. "Having studied the Shlayer family, we can conclude that the macOS platform is a good source of revenue for cybercriminals."

Left: what the user sees. Right: what the Mac is actually displaying (Source: Kaspersky)
Left: what the user sees. Right: what the Mac is actually displaying (Source: Kaspersky)


Significantly, Kaspersky says that even though the Trojan was detected almost two years ago, it is still prevalent.

"The operation algorithm has changed little since Shlayer was first discovered, nor has its activity decreased much," the company continues. "[The] number of detections remains at the same level as in the first months after the malware was uncovered."

While Kaspersky reports that this particular Trojan is operating at around the same level as it always has, a separate report from Malwarebytes in April 2019 claims that Mac malware overall has grown enormously.
«13

Comments

  • Reply 1 of 41
    Ok, so where are the instructions for checking to see if you have this and how to remove it?
    alanhTripleTroubledjames4242minicoffeemacseekerdrdavidkingofsomewherehotberndogzroger73jony0
  • Reply 2 of 41
    dysamoriadysamoria Posts: 3,430member
    I hate that garbage like this exists and that there’s seemingly no way to totally stop it. Even legit websites can harbor this crap. Detail-oriented technical people like myself usually see these tricks for what they are, but how are average, non-technical users expected to cope when computers are already so overwhelming for them?

    It makes me totally understand why Apple wants to clamp down as much as possible on their platforms. It’s in their best interest for customers to feel safe buying computers. As a support person, it wasn’t within my ability to control the world or what people do with their computers, but I still had to witness constant abuse of end users, including by legit developers and product-makers. Adding scammers on top... What a hellscape this industry can seem.
    spice-boyGG1mcdavetokyojimurandominternetpersoncornchipwatto_cobrajony0
  • Reply 3 of 41
    jdgazjdgaz Posts: 403member
    Agree with Randominternet person.
    cornchipwatto_cobra
  • Reply 4 of 41
    dysamoria said:
    I hate that garbage like this exists and that there’s seemingly no way to totally stop it. Even legit websites can harbor this crap. Detail-oriented technical people like myself usually see these tricks for what they are, but how are average, non-technical users expected to cope when computers are already so overwhelming for them?
    Exactly. My MIL is constantly in need of help with her computer because of stuff like this. "My computer TOLD ME I needed to update!" is what I usually hear. Like you said, how is she or others like her supposed to know if something is legitimate or not? She certainly isn't new to computers. Her first Mac was a Bondi Blue iMac, she has worked remotely almost every day for the last 5 years, etc. But these sorts of things get her, seemingly every time.
    minicoffeecornchipwatto_cobra
  • Reply 5 of 41
    mwhitemwhite Posts: 287member
    I get update notices for Flash all the time but the only way I will update is going to their web page and do the update, can't trust anything..
    I also use CleanMyMac X it checks my computer for Malware.
    edited January 2020 baconstangwatto_cobra
  • Reply 6 of 41
    ciacia Posts: 248member
    As I don't have flash installed, seeing this pop-up is a dead giveaway that it's a malware link.
    rotateleftbyteredgeminipacornchipradarthekatwatto_cobraktappe
  • Reply 7 of 41
    gatorguygatorguy Posts: 24,176member
    cia said:
    As I don't have flash installed, seeing this pop-up is a dead giveaway that it's a malware link.
    I believe I've read other stories indicating it's not always a fake "Flash Update" button, but sometimes other types of updates a Mac user might have seen before and therefor be prone to trust.
  • Reply 8 of 41
    Ok, so where are the instructions for checking to see if you have this and how to remove it?
    The best thing you can do for most threats is to keep your OS (MacOS, Windows, iOS, Linux) parched and up to date.  This will help protect you against most non zero day threats.
    watto_cobra
  • Reply 9 of 41
    davendaven Posts: 696member
    I guess I'm not one of the one in ten. I removed flash years ago and have closed all pages saying I needed to update Flash. But it would be nice to know of a way to check for the virus.
  • Reply 10 of 41
    maltzmaltz Posts: 453member
    One in 10?  That number is fairly hard to believe, but if it's even in the ballpark, I wonder why macOS' built-in malware protection isn't blocking this more effectively.
    j238randominternetpersonredgeminipacornchipbaconstangwatto_cobra
  • Reply 11 of 41
    neilmneilm Posts: 985member
    One of the best things you can do is actually read the damn alert:
    "Flash might not work be used until you download an update from Adobe."

    Note that:
    1. Adobe has its faults, but their employees aren't illiterate.
    2. If you really do need to update Flash, then yes, download it from Adobe, and not from some random pop-up link.
    3. Almost nobody needs to have Flash.

    Meanwhile, scan with a malware program such as MalwareBytes. The free version works fine.

    Periodically I reread Steve Jobs' famous letter about Flash, just to remind myself how smart the guy was and how right on this subject.
    Andy.Hardwakerandominternetpersoncornchipviclauyycradarthekatbaconstangwatto_cobrabluefire1
  • Reply 12 of 41
    Security firm Kaspersky says that in 2019 the Shlayer Trojan infected one in ten Mac users,
    No it doesn't say that.

    It says "one in ten of our Mac security solutions encountered this malware at least once".

    https://securelist.com/shlayer-for-macos/95724/

    If their "Mac security solutions" are installed on 1/100,000 of total active Macs, the one tenth of that makes 1/1,000,000 of total active Macs.

    edited January 2020 CloudTalkinrandominternetpersonroundaboutnowhawkpride147cornchipradarthekatwatto_cobraktappemaltz
  • Reply 13 of 41
    Seriously?! I mean who really cares what Moscow based Kaspersky says in order to sell their so called products? Give me a break!
    cornchipktappeMacAwesome1984
  • Reply 14 of 41
    jcs2305jcs2305 Posts: 1,336member
    maltz said:
    One in 10?  That number is fairly hard to believe, but if it's even in the ballpark, I wonder why macOS' built-in malware protection isn't blocking this more effectively.
    It comes a page pop up from safari. It's the user giving the permission. People clicking and giving permission to things that they think are legit.. I am not sure how Apple's malware protection can keep that in check.  It's not an automatic process.. the user has to ok it.

    I have seen this pop up on Ipad Safari as well. So it's obviously fake because IOS devices aren't using Flash..

    cornchipwatto_cobra
  • Reply 15 of 41
    sflocalsflocal Posts: 6,092member
    That window could be asking for credit card information, bank PIN’s and there will always be people that will give that info without even thinking about it.
    viclauyycwatto_cobra
  • Reply 16 of 41
    j238j238 Posts: 10member
    There are common instructions for safe computer usage.  Those should include, "Never install or update software in response to a prompt." 
    Everyone on this page can probably tell good prompts from bad, but most people can't.  Prompts for software installation are risky.  They should be abandoned in favor of a more secure process. 
    cornchip
  • Reply 17 of 41
    I have been wondering about the obviously fake Flash update malware installers for the past two decades and why Apple seems unable to squash this obvious attack vector with all the layers of security they have added to Mac OS making the lives of legit developers so difficult?
    viclauyyc
  • Reply 18 of 41
    SoliSoli Posts: 10,035member
    j238 said:
    There are common instructions for safe computer usage.  Those should include, "Never install or update software in response to a prompt." 
    Everyone on this page can probably tell good prompts from bad, but most people can't.  Prompts for software installation are risky.  They should be abandoned in favor of a more secure process. 
    On that same note, never clicks in emails to accounts. Type the website in directly or use a bookmark. A password manager also helps here since it will propagate a U&P for icloud.com, but not iCIoud.com (the latter of which is using an upper-case 'i' instead of an lower-case 'L'). The biggest caveat for this email rule are from known recipients in you address book and email correspondence that you just requested, like 2FA links and password reset links.
    viclauyyc
  • Reply 19 of 41
    apple ][apple ][ Posts: 9,233member
    One type of malware or scam I see from time to time is various emails asking you to reset your password to some site. All of those go straight to the trash.

    I got one from "Facebook" the other day.

    Unfortunately for the scumbags, I've never even had a Facebook account.

    A lot of the malware or scams seem to be coming from illiterate people who are not very bright and also not very fluent in English. 

    A friend of mine got an email from "Apple" last year, telling them to reset their password, and they asked me to take a look at the email, and the grammar was a total joke. 

    (1) Apple would never send out any emails asking people to reset their password
    (2) Apple would never hire monkeys who can't even write in English

    macseeker
  • Reply 20 of 41
    I would wager most of these infections are on Macs that belong to recent switchers. Some of them believe that now that they use a Mac they can click on anything and there will be no consequences. 

    It’s one of the reasons why Malwarebytes is so popular on the Mac platform. 
    baconstang
Sign In or Register to comment.