Although malware that disguises itself as an update to Adobe Flash Player is nothing new, some of the latest incarnations of fake Flash Player installers have an unusual method of downloading additional content.
Intego researchers found OSX/Shlayer spreading via BitTorrent file sharing sites, appearing as a fake Flash Player update when a user attempts to select a link to copy a torrent magnet link.
Even if you don't use torrent sites, you may encounter other sites that claim you need to update Flash Player; in most cases, this is actually an attempt to install malware on your computer.
On some of the malware distribution pages, the fake Flash Player alerts are customized to your browser. If you're using Mozilla Firefox, you may see an upward-facing arrow appear pointing to the browser toolbar that indicates that there is a recent download available to open.
If you're using Google Chrome, you may see a pop-up message pointing to the bottom-left corner of the browser window where newly available downloads appear. Ironically, Google Chrome has its own built-in version of Flash Player that users don't need to update manually; it gets updated automatically whenever Google issues an update for Chrome itself.
The initial Trojan horse infection (the fake Flash Player installer) component of OSX/Shlayer leverages shell scripts to download additional malware or adware onto the infected system.
Malware that downloads additional malicious or undesirable code is known as a dropper. Intego's research team observed OSX/Shlayer behaving as a dropper and installing OSX/MacOffers (also known as BundleMeUp, Mughthesec, and Adload) or OSX/Bundlore adware as a secondary payload.
There are three variants of the newly discovered malware, detected by Intego VirusBarrier as OSX/Shlayer.A, OSX/Shlayer.B, and OSX/Shlayer.C, that differ as follows:
Code signing is a process used by both legitimate app developers and malware makers. By adding a cryptographic digital signature to Mac software, a developer can enable their apps to more easily bypass Apple's Gatekeeper protection (which is closely associated with Apple's XProtect bad download blocker functionality). Signing an app also provides a direct link between that app and a registered member of the Apple Developer Program.
The primary goal of OSX/Shlayer is to download and install adware onto an infected Mac.
Although "adware" may not sound like a big deal, it can be a lot more harmful than the name implies; be sure to watch our aforementioned interview with Amit Serper to learn more about one particular example of malicious Mac adware.
At least one variant of the malware also appears to exhibit an interesting behavior: It checks whether one of several Mac anti-virus products is installed.
To prevent infection, avoid any "Flash Player" update alerts you may encounter on the Web; in most cases, these are actually false warnings intended to trick you into downloading and installing malware.
A fake Flash Player alert on a site distributing OSX/Shlayer
If you use Google's Chrome browser, it already has a built-in version of Flash Player, so you'll never need to obtain a newer version of the plugin from a third party.
If you use Apple's Safari browser, or Mozilla Firefox or other third-party Web browsers, you should bookmark https://get.adobe.com/flashplayer/ and only obtain Flash Player updates via that bookmark—that is, if you even need Flash Player in the first place.
If you accidentally download a fake Flash Player update and it comes as a .dmg (Mac disk image) file, don't double-click it! Simply drag it to the Trash, and then from the Finder menu (in the top-left corner of the screen, next to the Apple menu) select "Empty Trash..."
See also our article How to Tell if Adobe Flash Player Update is Valid for additional tips.
Users of Intego VirusBarrier X9 are already protected from all OSX/Shlayer variants that have been discovered in the wild.
We recommend installing antivirus software with real-time scanning protection, such as Intego VirusBarrier X9 (part of the Mac Premium Bundle X9 utility suite), to help block malware before an infection can occur.
WARNING: Do not attempt to connect to the domain names below; doing so may lead to infection!
Network administrators can check their organizations' Web traffic logs for attempts to connect to the following domains (or subdomains thereof) on port 80, which may indicate possible infection by either OSX/Shlayer or similar malware or adware campaigns that leverage the same domains:
The variants of OSX/Shlayer discovered to date have been associated with Apple Developer Program accounts registered to one of three names: "Harper Natalie," "Murphy Rachel," or "Gennadiy Karshin."
This does not necessarily mean that individuals by those names are the source of the malware; it's possible to register for an Apple Developer Program account using a false identity. (At least the first two names are likely fake, given that Natalie and Rachel are typically given names, not surnames.)
Moreover, if a legitimate Apple Developer Program account has been compromised, a third party may exploit that account's code signing capability for malicious purposes.
The domain names associated with this malware are registered using privacy screens, so little useful information about the domain registrants is obtainable via publicly searchable records.
Have something to say about this story? Share your comments below!