The Sneaky Simple Malware That Hits Millions of Macs

https://www.wired.com/story/macos-shlayer-trojan-adware/

The popular misconception that Macs don’t get viruses has become a lot less popular in recent years, as Apple devices have weathered their fair share of bugs. But it’s still surprising that the most prolific malware on macOS—by one count, affecting one in 10 devices—is so relatively crude.

This week, antivirus company Kaspersky detailed the 10 most common threats its macOS users encountered in 2019. At the top of the list: the Shlayer Trojan, which hit 10 percent of all of the Macs Kaspersky monitors, and accounted for nearly a third of detections overall. It’s led the pack since it first arrived in February 2018.

You’d think that such prevalence could only be achieved by comparable sophistication. Not so! “From a technical viewpoint Shlayer is a rather ordinary piece of malware,” Kaspersky wrote in its analysis. In fact, it relies on some of the oldest tricks in the books: convincing people to click on a bad link, then pushing a fake Adobe Flash update. Even the trojan’s payload turns out to be ho-hum: garden variety adware.

Shlayer’s brilliance, it turns out, lies less in its code than its method of distribution. The operators behind the trojan reportedly offer website owners, YouTubers, and Wikipedia editors a cut if they push visitors toward a malicious download. A complicit domain might prompt a phony Flash download, while a shortened or masked link in a YouTube video’s description or Wikipedia footnote might initiate the same. Kaspersky says it counted more than 1,000 partner sites distributing Shlayer. One individual, Kaspersky says, currently owns 700 domains that redirect to Shlayer download landing pages.

<more>