A recent report (covered by Ars Technica, WIRED, and others) claims that OSX/Shlayer—first discovered by Intego in February 2018—continues to be the most prolific Mac malware in the wild, with 1 in 10 Macs infected by it.
Although Intego does not currently maintain infection rate statistics of VirusBarrier X9 customers, our malware research team can confirm that Shlayer may be found far and wide: in high-ranking Google search results, in deceptive in-browser advertisements and alerts, on expired domains that have been purchased by malware distributors, and more.
So what does Shlayer malware look like? It is often delivered in the form of a fake Adobe Flash Player installer. That’s interesting for at least a couple of reasons.
Fake Flash Player installers are nothing new; Intego discovered the first variant of the now-infamous OSX/Flashback Trojan in September 2011, which was widely reported to have infected 600,000 Macs by April 2012, and there were still at least 22,000 Macs infected as of January 2014.
On the one hand, it may seem a bit surprising that fake Flash Player installers are still an effective Trojan horse. Shouldn’t everyone have learned their lesson nearly a decade ago, and started being more careful about Flash updates?
And moreover, who even uses Flash anymore? Adobe itself announced in July 2017 that it intended to terminate all Flash Player updates by December 31, 2020. The vast majority of sites that once relied on Flash-based content have converted to HTML5 or other multimedia formats.
Furthermore, many Web browsers have deprecated or completely dropped all support for Flash Player, with Safari for Mac evidently planning to stop supporting it in the next version. (Meanwhile, Safari for iOS has never supported Flash; you might remember the late Apple cofounder and CEO Steve Jobs’ essay, “Thoughts on Flash,” which he published in April 2010; in retrospect, his hard-line stance against Flash may be one reason for its eventual demise.)
And yet, in spite of all of these things, here we have the most prevalent Mac malware of the day continuing to find success in tricking victims into supposedly “updating their Flash Player.” How is this tactic still working?
As Jobs noted in his aforementioned Thoughts on Flash, the software had “one of the worst security records in 2009,” and was “the number one reason Macs crash,” in spite of Apple having worked with Adobe for “several years” to try to remedy these issues.
I recall that, at one point, it was not uncommon for Adobe to release multiple new Flash Player updates within the same month due to critical zero-day vulnerabilities being discovered (yet again) in the software, which meant that it had to be patched urgently lest it be exploited to spread malware.
Part of me wonders if the overly frequent update cycle of yore has anything to do with why users today are still so trigger-happy about installing supposed Flash Player updates whenever they’re prompted to; old habits die hard.
I also strongly suspect that most non-geeks are simply unaware that Flash is no longer useful or necessary, let alone that its final update is scheduled for later this year—all of which means that Flash Player (even the real one!) should be avoided like the plague.
One thing we all can do to help prevent fake-Flash Trojan horses from succeeding is to share these facts with others:
You can download a free trial of Intego’s ultimate Mac protection suite, Mac Premium Bundle X9, to scan your computer and activate realtime protection against OSX/Shlayer and all the latest Mac malware threats.
If you simply want to do a one-time scan, VirusBarrier Scanner is available in the Mac App Store.
Of course, eventually malware makers will find less success in tricking people into installing fake Flash Players, so they’ll switch tactics to some other Trojan horse. But at least in the meantime we can help our family, friends, and coworkers to avoid falling for fake-Flash installer/updater Trojans.
Please consider sharing a link to this article on Facebook, Twitter, or with anyone who may either benefit from it directly or who may find it useful to share with others in their sphere of influence.
Also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for updates.
And make sure you’re following Intego on your favorite social and media channels: Facebook, Instagram, Twitter, and YouTube (click the