Kaspersky Lab specialists reported that in 2019 the most common threat to macOS users worldwide (10% of users) and in Russia (12% of users) was the Shlayer Trojan, which specializes in installing adware.
For almost two years, Shlayer has been the most common threat for macOS: in 2019, every tenth user of the company's security solutions encountered this malware at least once, and it accounts for almost 30% of all detections on this OS. The first samples of the family reached researchers back in February 2018, and so far almost 32,000 different malicious samples of the trojan have been collected and 143 command-and-control server domains have been identified.
The trojan spreads under the guise of updates for Adobe Flash Player. Most often, it tried to reach devices from sites that participate in a so-called advertising affiliate program. Under such a program, when the user downloads the file they want, anything can be installed on the device without their knowledge, including various unwanted software. Shlayer is also found on portals for viewing and downloading entertainment content. Users can also reach the pages that host it from large services: on YouTube, links to the malware are hidden in video descriptions, and on Wikipedia, in the text of articles.
The largest share of Shlayer attacks falls on US users at 31%, followed by Germany at 14%, with France and the UK at 10%. This is consistent with the terms of the affiliate programs that distribute the malware, as well as with the fact that almost all sites that lead to pages with a fake Flash player contained English-language content.
Most often, Shlayer family trojans download and install various advertising applications on a user's device. In addition, their functionality theoretically allows them to download programs that not only flood users with advertising, but also spontaneously open advertising pages in browsers and replace search results to load even more advertising messages.
Interestingly, from the moment Shlayer was first discovered, its operation algorithm has not changed much, and its activity has not decreased much: the number of detections at the moment remains at the same level as in the first months after the malware was detected.
“Contrary to the widespread misconception about the absolute security of the macOS platform, attackers are actively attacking its users using social engineering techniques to spread malware. Threats lurk, including on large sites that inspire confidence. At the moment, the ultimate goal of Shlayer’s attacks on Mac owners is mainly to display ads aggressively, but that doesn’t mean that the attackers will stop there,” says Anton Ivanov, an antivirus expert at Kaspersky Lab.