A Single Malvertising Trojan Accounted for 30 Percent of Detections for macOS in 2019

A single malvertising Trojan accounted for nearly 30% of all Mac malware attacks detected last year by Kaspersky antivirus software, Kaspersky researchers said yesterday in an official blog post.

According to the report, the Shlayer Trojan remains the most common threat on the macOS platform, hitting 10 percent of the computers running Apple’s operating system and accounting for 29.2 percent of all detections for that operating system.

“Having studied the Shlayer family, we can conclude that the macOS platform is a good source of revenue for cybercriminals,” reads the Kaspersky report. “The Trojan links even reside on legitimate resources — attackers are adept in the art of social engineering, and it is hard to predict how sophisticated the next deception technique will be.”

Shlayer is a Trojan downloader that spreads via fake applications that hide its malicious code, according to Kaspersky. Its main purpose is to fetch and install various adware variants. These second-stage samples bombard users with ads and also intercept browser searches in order to modify the search results to promote yet more ads.

Kaspersky noted that the cybercriminals behind the code have set up an elaborate distribution system with a number of channels leading users to download the malware.

“Shlayer spreads via a partner network of thousands of websites, often targeting visitors of legitimate sites, including YouTube and Wikipedia,” Kaspersky explained. “YouTube, where links to the malicious website were included in video descriptions, and Wikipedia, where such links were hidden in the articles’ references.”

If you get infected by Shlayer, you’ll see many more ads pop up on your screen, some of which will tell you that you’re infected and need to buy (bogus) antivirus software. Your search results may be hijacked by strange search engines, and your browsing habits may be tracked by even more people than usual.

The silver lining, if there is one, is that Shlayer, despite being malware itself, is for now only interested in propagating adware, which is more annoying than harmful. But it could easily flip a switch and start installing truly dangerous Mac malware.