
Shlayer trojan found in YouTube and Wikipedia, affecting macOS users


The Shlayer trojan was the most commonly detected threat on macOS in 2019, affecting one in ten Mac users and accounting for nearly 30% of all detected malware that year, according to Kaspersky.

The researchers found several instances of the malware in the descriptions of YouTube videos as well as in the footnotes of Wikipedia articles. The malware was also found on advertising landing pages, where it prompted users to install it under the guise of an Adobe Flash Player download.

The adware trojan (Trojan-Downloader.OSX.Shlayer.a) was first detected by the researchers in February 2018 and quickly became the most common malware affecting Mac systems. It spreads through fake apps ridden with malicious code.

In the initial stage, the trojan installs various adware on the machine. In the later stage, it spams the user with ads and silently modifies browser searches so that the results promote more of its advertisements.

Image: Shlayer trojan found in YouTube and Wikipedia, affecting macOS users (Source: Kaspersky)

One of the adware families (AdWare.OSX.Cimpli) that the researchers investigated installed a malicious extension in Safari and masked the OS security notification with a fake window that could trick the user into granting permissions to a malicious app or extension. These apps and extensions would then intercept and modify user searches by injecting scripts into browser pages.

“The attacker gains access to the user’s search queries and can modify the search engine results to display advertising. As a result, the user is inundated with unsolicited ads,” Kaspersky explained in its analysis.

“These links were not added by the cybercriminals themselves: we found that all those malicious domains had recently expired, and, judging by the WHOIS data, they now belong to a single individual. On the websites, the newly minted owner posted a malicious script that redirects users to Shlayer download landing pages. There are already over 700 such domains in total.”

While the Shlayer trojan was the most detected malware affecting Mac systems, the adware it installs includes other entries from Kaspersky’s list of top 10 threats for macOS users: AdWare.OSX.Bnodlero.q, AdWare.OSX.Geonei, and AdWare.OSX.Pirrit, which account for over 60% of the detected malware affecting Mac systems.

Shlayer attacks were primarily targeted against users in the USA (31%), Germany (14%), France (10%) and the UK (10%). 1.73% of the total attacks were targeted against Indian users.

While ransomware remains the most significant threat for government and corporate organisations, adware has become the most detected threat for consumers and it’s not limited to macOS.

Last year, active adware was found in 85 photography and gaming apps on the Google Play Store that were collectively downloaded over 8 million times. In a separate incident, CamScanner, a popular image-to-PDF creator and OCR app on Android’s Play Store with over 100 million downloads, was found shipping with malware that can show ads and even sign up users for paid subscriptions, among other intrusive things.




Writes news mostly and edits almost everything at Candid.Technology. He loves taking trips on his bikes or chugging beers as Manchester United battle rivals. Contact Prayank via email: