In 2019, Kaspersky prevented attacks by Shlayer, a malicious Trojan family, on at least 10% of devices using Kaspersky Mac protection solutions, making this threat the most widespread for MacOS users. An intelligent malware distribution system is spreading through a network of affiliates, entertainment websites, and even Wikipedia, proving that even users who visit only legitimate sites still need extra protection when online. Although macOS is considered to be a much safer system, there are still digital criminals trying to take advantage of users of this software. Based on Kaspersky statistics, Shlayer is a good example. It specializes in installing adware, programs that terrorize users by distributing illegal ads, intercepting and gathering searches from the user’s browser, modifying search results to deliver even more advertising messages. Shlayer’s percentage of total attacks on macOS devices recorded by Kaspersky products from January until November 2019 was almost 1/3 (29.28%).The “infection” process often consists of two stages, first the user installs Shlayer and then the malware installs a selected type of adware. However, the “infection” of the device starts with an unsuspecting user downloading the malware. In order to achieve installations, the malicious carrier behind Shlayer has created a malware distribution system with a number of channels that lead users to download the malware. Shlayer is offered as a way to monetize websites through various affiliate advertising programs, with relatively high pay for any malicious installation made by US users, with more than 1,000 “affiliate sites” distributing the Shlayer. This scheme works as follows; a user searches for a TV series episode or a football match and the ad pages redirect him to fake Flash Player update pages. From here the victim will download the malware. Thus, the distributor who distributes links to malware receives payment for each installation. Other systems lead to a fake Adobe Flash update page that redirects users from various major online services visited by millions of users, including YouTube, where links to the malicious site were included in video descriptions, and Wikipedia, where such links were hidden in the articles references. Users who clicked on these links were also redirected to Shlayer’s main download pages. Kaspersky researchers found 700 malicious domains, links to which were found on various legitimate websites. Almost all websites leading to a fake Flash Player had content in English, with the US (31%), Germany (14%), France (10%) and the United Kingdom (10%) being the countries that received the most attacks.

According to Anton Ivanov, security analyst at Kaspersky, the macOS platform is a good source of revenue for cybercriminals, who are constantly looking for new ways to mislead users, and are heavily using social engineering techniques to spread their malware. This case shows that such threats can be found even on legitimate websites. Fortunately for macOS users, the most widespread threats targeting macOS currently revolve around distributing illegal ads rather than something more dangerous, such as theft of financial data. A good internet security solution can protect users from threats like these by making the internet search experience safe and enjoyable.

To reduce the risk of being infected with Trojans such as Shlayer, Kaspersky recommends;

  • Install programs and updates only from trusted sources.
  • For more information on the entertainment site you are planning to visit; scan its name online and try to find reviews about it.
  • Use a trusted security solution.


Chris Poultsidis
Larissa TEAM