The Sneaky Simple Malware That Hits Millions of Macs
The popular misconception that Macs don’t get viruses has become a lot less popular in recent years, as Apple devices have weathered their fair share of bugs. But it’s still surprising that the most prolific malware on macOS, one that by Kaspersky’s count turns up on one in 10 of the Macs it monitors, is so relatively crude.
This week, antivirus company Kaspersky detailed the 10 most common threats its macOS users encountered in 2019. At the top of the list: the Shlayer Trojan, which hit 10 percent of all of the Macs Kaspersky monitors, and accounted for nearly a third of detections overall. It’s led the pack since it first arrived in February 2018.
You’d think that such prevalence could only be achieved by comparable sophistication. Not so! “From a technical viewpoint Shlayer is a rather ordinary piece of malware,” Kaspersky wrote in its analysis. In fact, it relies on some of the oldest tricks in the book: convincing people to click on a bad link, then pushing a fake Adobe Flash update. Even the trojan’s payload turns out to be ho-hum: garden-variety adware.
Shlayer’s brilliance, it turns out, lies less in its code than its method of distribution. The operators behind the trojan reportedly offer website owners, YouTubers, and Wikipedia editors a cut if they push visitors toward a malicious download. A complicit domain might prompt a phony Flash download, while a shortened or masked link in a YouTube video’s description or Wikipedia footnote might initiate the same. Kaspersky says it counted more than 1,000 partner sites distributing Shlayer. One individual, Kaspersky says, currently owns 700 domains that redirect to Shlayer download landing pages.
“Distribution is a vital part of any malware campaign, and Shlayer shows that affiliate networks are pretty effective in this sense,” says Vladimir Kuskov, head of advanced threat research and software classification at Kaspersky.
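The affiliate chain described above, a shortened or masked link that bounces through one or more redirector domains before landing on a page offering a “Flash Player” download, is something a defender can triage without ever running the installer: walk the redirects one hop at a time, never follow the final download, and flag the landing page. The script below is an added example written for this article, not Kaspersky’s or Intego’s tooling. It simulates the HTTP exchange with a constructed in-memory table so it runs offline; every hostname in it is invented and none is real Shlayer infrastructure. To use it on a live link, replace `fake_fetch` with a fetcher that issues a request with redirects disabled and returns the status, headers and body.

```python
"""
Walk a shortened/masked link hop by hop and flag landing pages that push a
fake Flash Player installer.  Added example for this article; the HTTP
traffic is simulated with a constructed table so nothing touches the network.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

# (status, headers, body) as a redirect-disabled fetch would return them.
Response = Tuple[int, Dict[str, str], str]

# Constructed sample traffic.  All domains are invented for this example.
FAKE_HTTP: Dict[str, Response] = {
    # short link pasted into a video description
    "https://short.example/abc123":
        (302, {"Location": "https://promo-redirect.example/go?id=7"}, ""),
    # affiliate redirector that decides which landing page to send you to
    "https://promo-redirect.example/go?id=7":
        (302, {"Location": "https://update-player.example/flash/index.html"}, ""),
    # fake "your Flash Player is out of date" landing page
    "https://update-player.example/flash/index.html":
        (200, {"Content-Type": "text/html"},
         '<html><a href="/dl/FlashPlayer.dmg">Your Flash Player is out of date</a></html>'),
    # an ordinary page, for comparison
    "https://benign.example/":
        (200, {"Content-Type": "text/html"}, "<html>hello</html>"),
}


def fake_fetch(url: str) -> Response:
    """Constructed stand-in for an HTTP GET that never follows redirects."""
    return FAKE_HTTP.get(url, (404, {}, ""))


LURE_WORDS = ("flash", "adobe")            # words the lure trades on
PAYLOAD_EXTS = (".dmg", ".pkg", ".zip")    # macOS installer containers
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.I)


@dataclass
class ChainResult:
    hops: List[Tuple[str, int]] = field(default_factory=list)
    final_url: Optional[str] = None
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _inspect_landing(url: str, body: str, result: ChainResult) -> None:
    """Look at the final page only; the installer link is recorded, not fetched."""
    if any(word in url.lower() for word in LURE_WORDS):
        result.reasons.append("lure keyword in landing URL")
    for href in HREF_RE.findall(body):
        target = urljoin(url, href)
        if target.lower().endswith(PAYLOAD_EXTS):
            result.reasons.append(f"landing page links to installer {target}")
            break


def resolve_chain(start_url: str,
                  fetch: Callable[[str], Response] = fake_fetch,
                  max_hops: int = 10) -> ChainResult:
    """Follow Location headers manually, one hop at a time, with a hop cap."""
    result = ChainResult()
    url = start_url
    seen = set()
    for _ in range(max_hops):
        if url in seen:
            result.reasons.append("redirect loop")
            break
        seen.add(url)
        status, headers, body = fetch(url)
        result.hops.append((url, status))
        if 300 <= status < 400 and "Location" in headers:
            url = urljoin(url, headers["Location"])   # relative Locations are legal
            continue
        result.final_url = url
        _inspect_landing(url, body, result)
        break
    else:
        result.reasons.append(f"more than {max_hops} redirects")
    hosts = {urlparse(u).hostname for u, _ in result.hops}
    if len(hosts) >= 3:
        result.reasons.append(f"chain crosses {len(hosts)} domains")
    return result


if __name__ == "__main__":
    for link in ("https://short.example/abc123", "https://benign.example/"):
        r = resolve_chain(link)
        print(link, "->", r.final_url, "SUSPICIOUS" if r.suspicious else "ok")
        for reason in r.reasons:
            print("   ", reason)
```

The three signals it reports (a lure keyword in the landing URL, a link to a `.dmg`/`.pkg` installer, and a chain that crosses several domains) are each weak on their own; a legitimate shortener also adds a hop. Treat them as a triage score, and keep the hop cap and loop check, since a hostile redirector can otherwise spin a crawler indefinitely.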
While Shlayer is simple, the adware it installs—a wide variety, since Shlayer itself is just a delivery mechanism—can deploy at least a modestly clever trick or two. In an instance of Cimpli adware that Kaspersky observed, the malware first poses as another program, in this case Any Search. In the background, Cimpli attempts to install a malicious Safari extension, and generates a fake “Installation Complete” notification window to cover up the macOS security prompt that warns you before the extension is enabled. It tricks you, in other words, into clicking through the permission prompt and letting it run amok on your device.
Once you do, the attacker can both intercept your search queries and seed the results with their own ads. It’s an annoyance, more than anything. But given that over 100 million people use macOS, and it hits at least 10 percent of those with Kaspersky installed, it’s reasonable to assume that millions of Mac users deal with it every year. Even if only a small percentage of those attempts prove successful, it’s apparently enough to keep the operation going.
“Apple does a great job making their OS more and more secure with every new release,” says Kuskov. “But it is hard to prevent such attacks on the OS level, since it's the user who clicks on a link and downloads Shlayer and runs it, like any other software.”
While Flash might seem like an outdated lure, given the numerous public warnings about its security problems and the fact that Adobe is ending support for it this year anyway, it’s actually perversely effective.
“I think the reason why fake Flash Players are so successful, in spite of these facts, is twofold,” says Joshua Long, chief security analyst at Intego, which first discovered Shlayer nearly two years ago. “Force of habit, and lack of awareness of the current state of Flash.”