According to Kaspersky Labs research shared this week, Shlayer malware has infected one in 10 macOS users. It typically installs via a fake Flash update that prompts users of websites offering fake streaming TV shows and sports feeds. Shlayer is reportedly the most popular piece of malware on the macOS platform currently in terms of number of detections.
Most Common Malware on macOS
If Shlayer is so popular on macOS, a platform that used to be known as 'virus-free' (likely due to its low user base more than anything), then surely it must be a very advanced piece of malware to keep outsmarting both Apple and users, right? Not so.
The malware simply tricks users into thinking it’s an update for the Flash software necessary to play videos. Shlayer usually comes embedded in fake pirated online shows and live sports feeds that prompt someone to install the fake Flash update before the video can be streamed online. In fact, it’s one of the most common types of malware that we’ve seen in the past on the Windows platform, too.
The malware primarily targets the U.S. (31% of detections), Germany (14%), France (10%) and the UK (10%).
Kaspersky's blog post said Shlayer is by far the most common malware family hitting macOS systems, representing 30% of all detections for the OS. Since 2018, when the security company first identified it, it has collected almost 30,000 samples of the trojan and identified 143 command and control (C&C) server domains.
How did Shlayer get so popular so quickly? It appears that the creators of Shlayer have gone with a bold promotion: pay those who install the malware on various video streaming sites a high commission fee. According to Kaspersky, the fee is significantly higher than what other malware families with similar monetization strategies pay.
The latest promotion technique for the malware seems to be using expired domains still featured on sites like YouTube and Wikipedia.
The next version of Safari will end support for the real Flash player for good, as will all the other major browsers, including Chrome and Firefox. This sort of social engineering shouldn’t work once people are aware that Flash can no longer work with their browser. However, the malware will likely continue to trick users for years, as not everyone stays abreast of the latest news in the Flash world.