News & Press Releases
OSX/Shlayer: New Mac malware comes out of its shell
Seattle, WA, FEBRUARY, 2018
Over the weekend, Intego researchers discovered multiple variants of new Mac malware, OSX/Shlayer, that leverages a unique technique.
Although malware that disguises itself as an update to Adobe Flash Player is nothing new, some of the latest incarnations of fake Flash Player installers have an unusual method of downloading additional content.
Intego researchers found OSX/Shlayer spreading via BitTorrent file sharing sites, appearing as a fake Flash Player update when a user attempts to select a link to copy a torrent magnet link.
Torrent sites are notorious for distributing malware and adware, sometimes through misleading advertisements, and sometimes through Trojan horse downloads that claim to be “cracks” or that may contain infected copies of legitimate software (watch our recent interview with Amit Serper or read our article Why BitTorrent Sites Are a Malware Cesspool to learn more about the dangers of torrent sites).
Even if you don’t use torrent sites, you may encounter other sites that claim you need to update Flash Player; in most cases, this is actually an attempt to install malware on your computer.
On some of the malware distribution pages, the fake Flash Player alerts are customized to your browser. If you’re using Mozilla Firefox, you may see an upward-facing arrow appear pointing to the browser toolbar that indicates that there is a recent download available to open.
If you’re using Google Chrome, you may see a pop-up message pointing to the bottom-left corner of the browser window where newly available downloads appear. Ironically, Google Chrome has its own built-in version of Flash Player that users don’t need to update manually; it gets updated automatically whenever Google issues an update for Chrome itself.
What does the malware do if installed?
The primary goal of OSX/Shlayer is to download and install adware onto an infected Mac.
Although “adware” may not sound like a big deal, it can be a lot more harmful than the name implies; be sure to watch our aforementioned interview with Amit Serper to learn more about one particular example of malicious Mac adware.
At least one variant of the malware also appears to exhibit an interesting behavior: It checks whether one of several Mac anti-virus products is installed.
What can I do if I think my computer is infected?
If you suspect that your computer might be infected, you can download VirusBarrier Scanner (free) from the Mac App Store to scan your computer for an existing infection.
We recommend installing antivirus software with real-time scanning protection, such as Intego VirusBarrier X9 (part of the Mac Premium Bundle X9 utility suite), to help block malware before an infection can occur.
Who’s behind this malware?
The variants of OSX/Shlayer discovered to date have been associated with Apple Developer Program accounts registered to one of three names: “Harper Natalie,” “Murphy Rachel,” or “Gennadiy Karshin.”
This does not necessarily mean that individuals by those names are the source of the malware; it’s possible to register for an Apple Developer Program account using a false identity. (At least the first two names are likely fake, given that Natalie and Rachel are typically given names, not surnames.)
Moreover, if a legitimate Apple Developer Program account has been compromised, a third party may exploit that account’s code signing capability for malicious purposes.
The domain names associated with this malware are registered using privacy screens, so little useful information about the domain registrants is obtainable via publicly searchable records.
Intego offers an award-winning line of products providing Mac security and enhancing Mac performance. Intego has been designing software to protect and optimize Apple products for over 17 years. No other company has been focused on Mac security and performance as long as Intego. Intego creates products for a full range of Mac and iOS devices, such as iPhones and iPads. Its depth of experience allows the company to create software that not only works well, but is elegant and intuitive. Much like a Mac.
Protect your Mac, your files and your family with the most comprehensive security suite available.
The Mac Resource Center teaches you all you need to know about keeping your Mac and family safe.Visit the Mac Resource Center
Interested in partnering with the Mac security specialist?