The Inevitability of “Shlayer”

We have repeatedly pointed out that the often proclaimed immunity of Macs to viruses and other malware is less a product of their security features and more a product of market forces. With Windows still dominating the personal computer space globally, it makes economic sense for attackers to focus on it.

In 2016 we predicted that “Hackers will likely increase targeting OS X machines as they continue to become more prominent as workstation machines for individuals and corporations.” With Kaspersky’s release of data on the Shlayer malware, it seems this prediction has now come true.

In this briefing, we will take a look at Shlayer, what makes it different, why it works and what users of macOS can do to protect themselves.


What is Shlayer?

Shlayer is malware that targets macOS machines. According to Kaspersky’s report, it likely affected one in every ten Macs since its release. That is an absurdly high number.

Even the WannaCry malware outbreak of 2017, which garnered widespread media attention, only infected an estimated 200,000 Windows PCs, a fraction of a percentage point of the billions of PCs in use.


So Shlayer is super-advanced then?

Not at all. In fact, it’s about as simple as malware can get.

It pretends to be an update for Adobe Flash that users are prompted to install. It explicitly does not exploit any vulnerability in Flash. It’s just malware that claims to the user that it is a Flash update. It doesn’t use any exploits, backdoors or other advanced techniques. The tricked user does all the work for it.


Then why is it so outrageously successful?

There are three reasons for the success of Shlayer:

  1. Adobe Flash has a poor security record. This leads many users to install any “updates” immediately to prevent being hit by other malware.

  2. The update mechanism for Adobe Flash under macOS is cumbersome and intrusive. Most users are therefore very used to the constant popups with which Flash prompts them to update. And since these popups are an almost weekly occurrence, most users click “install” without even thinking about them.

  3. A popular and long-held (mistaken) belief is that Macs cannot become infected with malware. While this was always wrong from a technical perspective, and a few minor malware incidents have given most users at least a basic awareness of the risks, the average Mac user’s awareness of security threats is not nearly as high as that of the average Windows user. For better or for worse, Windows users have been bombarded with malware for the past 25 years. File hygiene, antivirus, and procedures for dealing with suspicious popups are ingrained into the minds of Windows users. Mac users did not have to seriously deal with any of this until recently. Thus, basic techniques that worked on Windows users 5 years ago are tremendously effective on Mac users today. However, it’s worse than that. Windows users 5 years ago were already aware of the risks, and the then-new techniques merely added a new layer to the ever-ongoing cat-and-mouse game between hackers and users. For many Mac users that awareness is completely missing. So in a way, we see the equivalent of first-time internet users from the 1990s being pitted against malware from 2015.

The result of all three factors is a 10% infection rate.


So what can I do to protect myself?

The most obvious solution would appear to be antivirus software. However, this is at best a limited fix. Antivirus software is fallible and surprisingly bad at spotting new malware.

The best response to the proliferation of malware on macOS is to treat Macs with the same care you would apply to a Windows PC.

Don’t click on windows from apps that you didn’t open. Don’t trust anything you download. Read all warnings that the operating system shows you about untrusted software carefully, and only click “run anyway” if you are absolutely sure that you can trust the software and its developer. Lastly, keep your machine up to date with the latest version of macOS.
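As an added example (not part of the original briefing, and not code from Kaspersky, Apple or Adobe), the POSIX shell script below shows what sits behind the warning macOS raises for downloaded software: the com.apple.quarantine attribute a browser attaches to a saved file, the code signature of the file, and Gatekeeper's own assessment of it. Checking these before opening an "update" is the concrete form of reading the operating system's warnings. The script assumes the macOS tools xattr, codesign and spctl are available; the helper names, the file path and the sample attribute value in the usage are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original briefing. Assumes macOS command-line
# tools xattr, codesign and spctl (Gatekeeper's assessment tool). The two
# parsing helpers run on any POSIX sh.

# macOS stamps a file saved by a browser with a com.apple.quarantine
# attribute of the form "flags;hex-timestamp;agent-name;uuid". Gatekeeper
# evaluates a file that carries this mark, which is what produces the
# "downloaded from the Internet" prompt the briefing tells users to read.

# Print the name of the application that saved the file (third field).
quarantine_agent() {
  printf '%s\n' "$1" | cut -d';' -f3
}

# Return 0 when the attribute value has the expected four fields, 1 otherwise.
quarantine_well_formed() {
  [ "$(printf '%s\n' "$1" | awk -F';' '{print NF}')" -eq 4 ]
}

# Inspect one downloaded file: show which app saved it, list the signing
# authorities, and ask Gatekeeper whether it would allow execution. A genuine
# vendor installer is signed by that vendor; a fake "Flash update" is unsigned
# or signed by an unrelated identity.
inspect_download() {
  path="$1"
  attr=$(xattr -p com.apple.quarantine "$path" 2>/dev/null) || {
    echo "no quarantine attribute: Gatekeeper will not evaluate $path"
    return 1
  }
  if quarantine_well_formed "$attr"; then
    echo "downloaded by: $(quarantine_agent "$attr")"
  else
    echo "unexpected quarantine attribute value: $attr"
  fi
  echo "--- signature ---"
  codesign -dv --verbose=2 "$path" 2>&1 | grep -E '^(Authority|TeamIdentifier)=' \
    || echo "no signing authority reported (unsigned or not a code bundle)"
  echo "--- Gatekeeper assessment ---"
  spctl --assess --type execute --verbose "$path"
}

# Usage (hypothetical path): sh inspect_download.sh ~/Downloads/FlashUpdate.app
if [ "$#" -gt 0 ]; then
  inspect_download "$1"
fi
```

The script only reports; it never strips the quarantine attribute or overrides Gatekeeper, so it complements the "run anyway" advice above rather than bypassing it.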

None of these will make any single computer perfectly safe from malware. But following these basic steps would have prevented 100% of Shlayer infections.