2020-01-25

The popular misconception that Macs don’t get viruses has become a lot less popular in recent years, because Apple devices have weathered their share of bugs. But it is still surprising that the most prolific malware on macOS – by one count affecting one in 10 devices – is relatively crude.

This week, antivirus company Kaspersky described the 10 most common threats that its macOS users encountered in 2019. At the top of the list: the Shlayer Trojan, which affected 10 percent of all the Macs Kaspersky monitors, accounting for nearly a third of all detections. It has held that position since it first appeared in February 2018.

You would think that such prevalence could only be achieved through comparable sophistication. Not so! “From a technical point of view, Shlayer is a rather common piece of malware,” Kaspersky wrote in its analysis. In fact, it relies on some of the oldest tricks in the book: persuading people to click on a bad link and then install a fake Adobe Flash update. Even the trojan’s payload turns out to be ho-hum: garden-variety adware.

Shlayer’s shine, it turns out, lies less in its code than in its distribution method. The operators behind the trojan reportedly offer website owners, YouTubers and Wikipedia editors a cut if they push visitors to a malicious download. An affiliate domain can trigger a fake Flash download, while a shortened or masked link in a YouTube video description or a Wikipedia footnote can do the same. Kaspersky says more than 1,000 partner sites distribute Shlayer. One person, Kaspersky says, currently owns 700 domains that redirect to Shlayer download pages.

“Distribution is an essential part of any malware campaign and Shlayer shows that affiliate networks are pretty effective in this sense,” said Vladimir Kuskov, head of advanced threat research and software classification at Kaspersky.

Although Shlayer is simple, the adware it installs – a wide variety, since Shlayer itself is only a delivery mechanism – can pull off at least a modestly clever trick or two. In one sample of Cimpli adware that Kaspersky observed, the malware first presents itself as another program, in this case Any Search. In the background, Cimpli attempts to install a malicious Safari extension and generates a fake “Installation Complete” window to hide the macOS security prompt that warns you about this. In other words, it misleads you into allowing it to run on your device.

Once you do that, the attacker can both intercept your searches and seed the results with their own ads. It is an annoyance more than anything. But given that more than 100 million people use macOS, and that it affects at least 10 percent of those with Kaspersky installed, it is reasonable to assume that millions of Mac users deal with it every year. Even if only a small percentage of those attempts succeed, it is apparently enough to keep the operation going.

“Apple is doing a great job by making their operating system more secure with every new release,” says Kuskov. “But it’s hard to prevent such OS-level attacks because it’s the user who clicks on a link and downloads and executes Shlayer, just like any other software.”

Although Flash may seem like an outdated lure, given the countless public warnings about its fallibility and the fact that it will be discontinued completely this year, it is actually perversely effective.

“I think the reason why fake Flash Players are so successful despite these facts is twofold,” said Joshua Long, chief security analyst at Intego, who first discovered Shlayer almost two years ago. “Habit and lack of awareness of the current status of Flash.”