What is the Shlayer Virus?

The myth that Macs can’t get viruses is refuted by the Shlayer Virus.

Shlayer is a trojan virus specifically targeted toward Mac systems. Its primary function is to download malicious code via fake applications and flash updates. Once the Shlayer virus is installed on a system, it begins to download and install malware focused on the proliferation of ads, otherwise known as adware. The adware installed and downloaded by Shlayer forces advertising into Mac’s browser and can even intercept browser searches to modify the results to promote more ads.

The trojan adware installer was highlighted by antivirus firm Kaspersky in 2019. Kaspersky claims that the Shlayer virus made up 29% of all macOS device attacks by malicious code in its telemetry for the year. With such a high rate of infection, Shlayer is said to have been the number one malware threat to Mac devices for the year. Interestingly, Shlayer is not a worm that propagates itself to systems. Rather, it is an older type of malicious code that gains access by tempting Mac users to install it through nefarious means.

This traditional technique has been used by hackers since the early days of the internet. Flash Player exploits have long been known to be a key Achilles’ heel for cybersecurity. The success Shlayer has found on Mac devices is directly related to its simplicity. For a long time, Apple has claimed that Macs are impervious to malware, viruses, and other malicious code. It was one of the largest selling points for their devices. Due to this assurance by Apple, Mac users have set aside their safety concerns of their machine getting any type of infection.

As a result, they are more likely to trust malicious and clever attempts by hackers to tempt Mac users into installing untrustworthy software through Flash Player updates, phishing emails with links or attachments, infected websites, and affiliated links by content creators on some of the world’s most used websites like YouTube.

Once the Shlayer virus has been installed on Macs by a careless user, it is difficult to get rid of.

Adware Installed by Shlayer:

  • AdWare.OSX.Bnodlero
  • AdWare.OSX.Geonei
  • AdWare.OSX.Pirrit
  • AdWare.OSX.Cimpli

How Does the Shlayer Virus Work?

The Shlayer virus uses one of the oldest and favorite techniques of hackers. Instead of an automated process that proliferates on its own, it requires that users download the virus of their free will. Hackers get users to do this by disguising the download as a necessary function or desired software. The most common method is through a disguised Flash Player update. Other infection methods include opening infected links or ads, downloading untrustworthy files or software, and clicking one of the many masked links pushed by a loose network of the virus’ distributors.

The creators of the Shlayer trojan have increased their reach by offering YouTubers, website owners, and Wikipedia editors a percentage of gains created by malicious advertisements for pushing their viewers to install the trojan through whatever means they deem necessary. In some cases, complicit domains can even prompt Macs to download Shlayer as a fake Flash update or install. Kaspersky reports that more than 1,000 partner sites distribute Shlayer with one instance of an individual who owns 700 domains that redirect to Shlayer download pages.

Once Shlayer has been installed, it begins to do its intended work. The Shlayer trojan itself is a vehicle to deliver other malware. Its payloads typically include malicious adware. One of the most known payloads is Cimpli. Cimpli is an adware that is usually disguised as a Safari browser extension such as Any Search. It can intercept your search results and seed them with specific ads.

Shlayer is not a virus intended to damage Macs, but instead is a malevolent attempt at gathering advertisement money. By accruing popup ads and seeding search results with ad links, hackers generate an enormous amount of advertisement funds. While the exact amount of money made this way is unknown, the effects are enough to keep the network of affiliates who distribute the software operating.

Symptoms of a Shlayer Virus Infection

Shlayer is such a simple piece of malicious code that there are no detectable symptoms of infection. Mac users with an eye for safety will need to make use of antivirus software to scan, detect, and remove the trojan.

While Shlayer itself has no detectable symptoms, Mac users can look out for the symptoms of the payloads it installs. As this cybersecurity threat is mostly used to install adware, the obvious sign that your device has been infected is an unusual number of advertisements. Pop-ups are not typical of modern trusted websites, and neither is Flash.

Here are a few signs to look out for:

  • Heavy amount of advertisement pop-ups
  • Unusual search results filled with advertisements
  • Safari extensions that were not intentionally added by the user

How to Get Rid of the Shlayer Virus

As previously stated, it can be difficult for an inexperienced user to remove Shlayer and other malware. This is by design. Hackers create their code so that the effects are not easily detectable. The best method to get rid of the Shlayer virus and other malware is to use trusted antivirus software. Software firms like Malwarebytes, Kaspersky, Avast, AVG, Norton, and Total AV are cybersecurity experts. Their experience with malware and the way it operates gives them an edge in detecting, preventing, and removing malware.

With the world connected to the internet, the proliferation of malware is always going to be a problem. Exploits are found every day, and hackers jump at the chance to take advantage of them for personal gain or even fun. You may consider yourself to be an IT expert, but there is always someone better. Don’t leave your Mac unprotected in a growing internet-connected world.

Every computer user should learn and practice safe online interactions. For the Shlayer virus, the best practice to always keep in mind is to be suspicious of external downloads, emails, bad links, and similar strategies. If something appears too good to be true, it probably is.

Here are some internet safety practices that help you keep your Mac safe from the most popular cybersecurity concerns:

  • Use creative and secure passwords
  • Don’t use the same password for every website
  • Be suspicious of downloads, pop-ups, and emails
  • Keep an eye on cybersecurity news and trends
  • Back up your device’s data
  • Update your software through traditional means only
  • Secure your wireless connections
  • Keep an active antivirus software or subscription
  • Avoid any Flash Player pop-ups

The Best Antivirus Software for the Shlayer Virus

The best method for the prevention of the Shlayer virus is the use of trusted antivirus software. Regardless of Apple’s claims that Macs are safety focused and impervious to malware, Mac users have become a major target of cybersecurity concerns. Even though the Shlayer virus has been primarily used for financial gain through advertisements, its method for installing unwanted payloads can easily be transitioned to much more nefarious means like keyloggers, remote access, and more.

The good news is that the Shlayer virus does rely on a simplistic method which makes it easily detectable by the most common antivirus software available. These services are a great method for malware prevention, especially when the effects of malware are difficult to detect by the untrained eye. While it is always recommended for anyone who interacts online to practice good habits and be wary of bad actors, good antivirus software can make malware prevention easy.

If you believe your Mac has already contracted malicious software such as Shlayer, it isn’t the best idea to attempt to find and get rid of it by yourself. Finding every part of a hacker’s code is often intentionally difficult. The best way to remove every aspect of the Shlayer virus is to leave it to the professionals.

Here are the top recommendations for antivirus software for Mac users:

Sale
McAfee Total Protection 2022 | 5 Device | Antivirus Internet Security Software | VPN, Password Manager, Dark Web Monitoring | 1 Year Subscription | Download Code
  • AWARD WINNING ANTIVIRUS: Rest easy knowing McAfee’s protecting you from the latest threats
  • PROTECT YOUR IDENTITY:  We'll monitor your life online, from bank account numbers, credit cards, to your emails and more.
  • BROWSE CONFIDENTLY AND PRIVATELY: Secure VPN keeps your info safe from prying eyes
  • SEE HOW SAFE YOU ARE BEING ONLINE: Get your personalized protection score, identify weaknesses and get help to fix them.
  • BANK, SHOP and CONNECT WORRY-FREE: be warned about risky websites before you click
Bitdefender Total Security 2022 – Complete Antivirus and Internet Security Suite – 5 Devices | 2 year Subscription | PC/Mac | Activation Code by Mail
  • SPEED-OPTIMIZED, CROSS-PLATFORM PROTECTION: World-class antivirus security and cyber protection for Windows (Windows 8, Windows 8.1, Windows 10, and Windows 11), Mac OS (macOS X Yosemite 10.10 or later), iOS (11.2 or later), and Android (5.0 or later). Organize and keep your digital life safe from hackers
  • SAFE ONLINE BANKING: A unique, dedicated browser secures your online transactions; Our Total Security product also includes 200MB per day of our new and improved Bitdefender VPN
  • ADVANCED THREAT DEFENSE: Real-Time Data Protection, Multi-Layer Malware and Ransomware Protection, Social Network Protection, Game/Movie/Work Modes, Microphone Monitor, Webcam Protection, Anti-Tracker, Phishing, Fraud, and Spam Protection, File Shredder, Parental Controls, and more
  • NO CREDIT CARD REQUIRED: Subscription does not automatically renew (unless your account was previously set up to do so)
  • ECO-FRIENDLY PACKAGING: Your product-specific code is printed on a card and shipped inside a protective cardboard sleeve. Simply open packaging and scratch off security ink on the card to reveal your activation code. No more bulky box or hard-to-recycle discs
Sale
Norton AntiVirus Plus, 2023 Ready, Antivirus software for 1 Device with Auto-Renewal - Includes Password Manager, Smart Firewall and PC Cloud Backup [Download]
  • ONGOING PROTECTION Download instantly & install protection for your PC or Mac in minutes!
  • REAL-TIME THREAT PROTECTION Advanced security protects against existing and emerging malware threats, including ransomware and viruses, and it won’t slow down your device performance
  • PASSWORD MANAGER Easily create, store, and manage your passwords, credit card information and other credentials online – safely and securely
  • SMART FIREWALL Monitors communications between your computer and other computers and blocks unauthorized traffic, helping protect your personal files and financial information
  • 2GB SECURE PC CLOUD BACKUP store and help protect important files as a preventative measure to hard drive failures, stolen devices and even ransomware***
Avast Ultimate 2022 | Antivirus+Cleaner+VPN | 10 Devices, 1 Year [PC/Mac/Mobile Download]
  • THE ULTIMATE SUITE: Security, privacy, and performance in one all-powerful premium package.
  • AVAST PREMIUM SECURITY: The ultimate in antivirus protection.
  • AVAST SECURELINE VPN: The ultimate in online privacy.
  • AVAST CLEANUP PREMIUM: The ultimate PC junk blaster.
  • AVAST ANTITRACK PREMIUM: The ultimate in online anonymity.

amazon box=”B07WFQSHC9″]

Malwarebytes Premium 4.5 Latest Version 2022 Antivirus Software | 5 Device 1 Year (PC, Mac, Android) [software_key_card]
  • PROTECTS YOUR DEVICES ON MULTIPLE PLATFORMS: Compatible with Windows, Mac, Android devices.
  • UNMATCHED THREAT DETECTION: We found malware on 29 percent of devices that already had a third-party antivirus installed. That’s the power of our innovative technology. We block sophisticated cyberthreats that other programs miss, providing an effective way to secure your devices and data.
  • INCREDIBLY EASY TO USE: Our simple user interface enables you to fully control your protection to meet your needs without requiring technical expertise. You can schedule scans, adjust protection layers, and choose your desired scan mode. Protecting your devices shouldn’t be complicated.
  • ADVANCED MALWARE, RANSOMWARE PROTECTION: Helps protect you from websites that download ransomware, steal login credentials, or run scams. Reduces your exposure to hackers and cyberthreats while protecting your devices and data.
  • PROACTIVE EXPLOIT, AND VIRUS PROTECTION: Protection from the financial and reputational risk posed by a ransomware attack. Shields your device and data from vulnerable and unpatched software until it can be updated. Malwarebytes finds more threats compared to traditional antivirus programs so you can restore your device quickly to its pre-infection state.

amazon box=”B076CWK6GD”]

Are you interested in learning about other computer viruses? Check out our complete guide!

Last update on 2022-11-09 / Affiliate links / Images from Amazon Product Advertising API

The Shlayer Virus: How it Works and How to Protect Yourself FAQs (Frequently Asked Questions) 

How does the Shlayer virus work?

The Shlayer virus is a simple trojan designed to act as a vehicle to install other malicious software. It gains access to a Mac device by tricking the user into clicking a bad link, installing untrustworthy software, or posing as a needed update to common applications like Flash Player.

Once the software has been installed, it begins to fetch its payload of adware like Cimpli, Pirrit, Geonei, or Bnodlero to force bad ads and seed your search results. These ads earn hackers money just like any other web-based advertisement. Software like Cimpli can even install itself as a Safari browser extension.

While most of the payloads delivered by Shlayer are targeted and malicious advertisement attempts, it’s important to remember that any malicious code can be delivered by the software once it gains access to your device. Shlayer itself only acts as a method of access to an otherwise secure macOS ecosystem. Like any other malware, this is making use of an unintended exploit to take advantage of you or your device.

What is an example of the Shlayer virus?

The Shlayer virus is the most prolific example of itself. It infected 29% of the users with Kaspersky in 2019. The closest known virus to Shlayer is called Bundlore.

Who created the Shlayer virus?

The original creator of the Shlayer virus is still unknown. However, it is known that over 1,000 separate affiliates are active online who help to push the software onto Mac users. The operators of the Shlayer virus offer YouTubers, website domains, and Wikipedia writers a percentage of funds gain through ads to push the software on their platform. One individual is known to have run 700 separate domains which all lead back to a Shlayer-based landing page.

The identities of perpetrators have not been revealed by cybersecurity researchers to the public. This is likely due to ongoing cybercrime investigations and law enforcement jurisdictions.

Where does the Shlayer virus come from?

Shlayer is thought to have first appeared in 2018. According to cybersecurity researchers at Intego, the first known group of malicious advertisers who delivered the Shlayer virus to unsuspecting users was VeryMal. VeryMal is a loose collective of bad actors who work together to spread malware both for fun and financial gain. The individuals involved in the group are not publicly known or advertised as the actions of the group are illegal.

VeryMal is responsible for more than just the Shlayer virus. The group is known to develop several malicious software programs and even found ways to distribute payloads through images.

How common is the Shlayer Virus on a Mac?

Kaspersky reported that 29% of its Mac users had at one time been infected by the Shlayer trojan. As Kaspersky is not installed on every Mac device, it is reasonable to assume that anywhere between 30% and 50% of Mac users have encountered Shlayer in some form. As the most prevalent malware in the macOS ecosystem, it is likely that some instances of infection have never been discovered.

About the Author

More from History-Computer

  • wired Available here: https://www.wired.com/story/macos-shlayer-trojan-adware/
  • tech crunch Available here: https://techcrunch.com/2021/04/26/shlayer-mac-malware-macos-security/?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cuYmluZy5jb20v&guce_referrer_sig=AQAAANvjjkc1QDMM74SkQawSsvD2akScYcBwjaafmn6PzzSWEjLUG9LMAUG3kPM94YlLbFYp7x1JRLP74gFJAR4zVQ4DJ1JOU2HbR2U7REuTfvNcjlQLJJzdzy8VRpV-mwrKumOJpPw4LXWRjGk3LJC__xgMvUIf52gbqQTxbKZwSAk7
  • how to remove Available here: https://howtoremove.guide/remove-shlayer-malware-mac/#:~:text=Shlayer%20is%20a%20noxious%20Trojan%20Horse%20virus%2C%20which,the%20unsuspecting%20online%20users%20into%20clicking%20on%20it.
  • pc risk Available here: https://www.pcrisk.com/removal-guides/14355-shlayer-trojan-mac
  • cyber.nj.gov Available here: https://www.cyber.nj.gov/threat-center/threat-profiles/macos-malware-variants/shlayer
  • crowd strike Available here: https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/
  • red canary Available here: https://redcanary.com/threat-detection-report/threats/shlayer/
  • intego Available here: https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/
  • threat post Available here: https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/#:~:text=Shlayer%20is%20a%20trojan%20downloader%2C%20which%20spreads%20via,the%20search%20results%20to%20promote%20yet%20more%20ads.
  • mac update Available here: https://www.macupdate.com/how-to/shlayer-trojan-mac