Shlayer Trojan – How a Social Engineering Attack Is Targeting 10% of Macs

The Shlayer Trojan is a remarkably persistent malware - one that has been affecting 1 in every 10 MacOS system since 2019. Although it first arrived in 2018, the malware is still going strong and is responsible for as much as 30% of all malware detected in MacOS in 2019, according to the antivirus software company Kaspersky.

The prevalence of the virus is largely due to the cleverness of the mode of propagation employed by its makers, even though the malware itself is relatively ordinary. Nonetheless, the high rates of infection are breaking the myth of supposed immunity that’s supposed to be inherent in Macs.

Perhaps that is for the better, because the best antidote to the spread of malware is user awareness, the lack of which is one of the carriers contributing to the spread of this pesky virus.

But what exactly is the key characteristic that has made Shlayer successful so far and given it such longevity? The answer is simplicity itself.

A Simple Virus Made Deadly by Affiliate Networks

Shlayer is a Trojan downloader that installs malware in the background, steals browsing information, and displays malicious ads.

The most unique feature of Shlayer Trojan is how its distribution is actively promoted by webmasters and content owners on completely legit platforms. For instance, it’s been reported that the makers of the virus built a whole network of affiliates consisting of YouTubers, Wikipedia contributors, and website owners, offering them a commission of $4 for leading people to fake flash downloads. Kaspersky counted more than 1,000 partner sites involved in the scheme.

The partners can prompt people to click on these malicious download links in multiple ways. For instance, a YouTuber could add a shortened link to the download in the video description while Wikipedia contributors utilize citations containing the dangerous link. A webmaster’s job is relatively easy: they can simply drop a prompt containing the said link.

While it is the oldest trick in hacker’s book to create a malicious link that unsuspecting users are tempted to click, allowing the virus to do its job and create havoc on your system from there, it is rare to see cases where cybercriminals turned a malware into full-fledged sustainable business model.

In this business model, the creators are primarily investors, offering $4 per install as commission to their partners who are themselves legitimate content producers. It stands to reason that the ensuing infection after a user clicks the harmful link must lead to significant monetization opportunities that justify the investment these cybercriminals have made.

Shlayer itself is just a carrier of payloads that consist of adware, forced redirects on the web, and other malware that track browser history. With these attacks, the cybercriminals could easily make a profit by rerouting user traffic to harmful pages on the web, stealing and selling browser histories, cookies, and caches to advertisers, and displaying sponsored ads.

While there’s no exact figure for how much of a profit they might have made, but if we consider the fact that they were happy to pay $4 as commission per install and that 10% of Macs are affected, even the most conservative estimate yields a profit figure of millions in USD.

The creators of the virus have certainly pulled off a masterstroke of social engineering leading to the continued existence of the virus and its high profit-potential.

Preventing the Attack

To be fair, it’s not Apple that can be blamed for an attack of this kind because the Trojan doesn’t emerge from any vulnerabilities within MacOS. That is the problem with social engineering attacks because their access points are users themselves rather than any hidden weaknesses within the system.

While security and privacy enhancing programs like anti-malware and VPNs can help stay safer on the web, there’s no intervention more effective than that which emerges from awareness. In the case of Shlayer, the perpetrators took advantage of user ignorance and – one might even say – relied on it to a great extent for this malware outbreak to be successful.

As mentioned previously, Shlayer uses fake Flash Players downloads to force its way within Macs. But what the public at large is unaware of is that Flash is an obsolete program and modern browsers don’t need Flash to access any form of online content today.

While using VPNs and anti-viruses is still extremely important to maintain security and privacy on your Mac, the single greatest cause behind a lot of malware outbreaks is user ignorance.

Most victims of the Shlayer virus are guilty of the same ignorance because they clicked on a link to download a phony Flash player. The truth is, you don’t need Flash in 2020 and if only more people were aware of this, it’s certain that Shlayer would not have been so wildly successful in infecting millions of Macs.

Therefore, the best piece of preventive action that you can take to avoid Shlayer and similar forms of malware is this: don’t click shady links! If a website wants you to download Flash Player or any other software in order to access a live stream through an unofficial channel or get something for free, it’s almost always a malicious link that can compromise your privacy and/or threaten the stability of your Mac.

It also helps to gather more information about the website you want to visit first. Search around the web to try and find out its reputation and any user comments to see if it is a website that people trust.

Finally, combine these common sense measures with a good anti-virus and VPN equipped with ad-blockers. This regimen should be adequate to avoid most forms of malware out there, especially those that rely on social engineering like Shlayer.

Bottom Line

MacOS is a robust operating system. But against human ignorance, the only cure is awareness. No OS, be it MacOS, Windows or others, is immune to the exploits of clever cybercriminals that deceive internet users for a living. The only foolproof way to avoid falling victim to the next virus that rears its head is to resist the temptation of clicking any suspicious download links appearing on unofficial websites. You’ll probably avoid more than half the malware crawling over the web without even realizing it.

Author’s Bio: Osama Tahir is a writer who covers online privacy, science, and the sociological impact of technology in modern times. He is a contributing author at MalwareBytes, Hackernoon, and BetaNews.