The Shlayer Virus: How it Works and How to Protect Yourself

Key Points:
  • The adware installed and downloaded by Shlayer forces advertising into Mac’s browser and can even intercept browser searches to modify the results to promote more ads.
  • The Shlayer Virus infects through a disguised Flash Player update, opening infected links or ads, downloading untrustworthy files or software, and clicking masked links via a loose network of the virus’ distributors.
  • Top antivirus options for Mac users include Total AV, Scan Guard, McAfee, Bitdefender, Norton, Avast, AVG, Malwarebytes, and Kaspersky.

What is the Shlayer Virus?

The myth that Macs can’t get viruses is refuted by the Shlayer Virus.

Shlayer is a trojan specifically targeted at Mac systems. Its primary function is to download malicious code via fake applications and fake Flash updates. Once the Shlayer trojan is installed on a system, it begins to download and install malware focused on the proliferation of ads, otherwise known as adware. The adware installed and downloaded by Shlayer forces advertising into the Mac’s browser and can even intercept browser searches to modify the results to promote more ads.

The trojan adware installer was highlighted by antivirus firm Kaspersky in 2019. Kaspersky claims that the Shlayer virus made up 29% of all macOS device attacks by malicious code in its telemetry for the year. With such a high rate of infection, Shlayer is said to have been the number one malware threat to Mac devices for the year. Interestingly, Shlayer is not a worm that propagates itself to systems. Rather, it is an older type of malicious code that gains access by tempting Mac users to install it through nefarious means.

This traditional technique has been used by hackers since the early days of the internet. Flash Player exploits have long been known to be a key Achilles’ heel for cybersecurity. The success Shlayer has found on Mac devices is directly related to its simplicity. For a long time, Apple has claimed that Macs are impervious to malware, viruses, and other malicious code. It was one of the largest selling points for their devices. Due to this assurance by Apple, many Mac users have set aside any concern that their machines could get any type of infection.

As a result, they are more likely to fall for clever attempts by hackers to tempt them into installing untrustworthy software through fake Flash Player updates, phishing emails with links or attachments, infected websites, and affiliate links by content creators on some of the world’s most used websites like YouTube.

Once the Shlayer virus has been installed on Macs by a careless user, it is difficult to get rid of.

Adware Installed by Shlayer:

  • AdWare.OSX.Bnodlero
  • AdWare.OSX.Geonei
  • AdWare.OSX.Pirrit
  • AdWare.OSX.Cimpli

How Does the Shlayer Virus Work?

The Shlayer virus uses one of the oldest and favorite techniques of hackers. Instead of an automated process that proliferates on its own, it requires that users download the virus of their free will. Hackers get users to do this by disguising the download as a necessary function or desired software. The most common method is through a disguised Flash Player update. Other infection methods include opening infected links or ads, downloading untrustworthy files or software, and clicking one of the many masked links pushed by a loose network of the virus’ distributors.

The creators of the Shlayer trojan have increased their reach by offering YouTubers, website owners, and Wikipedia editors a percentage of the gains created by malicious advertisements for pushing their viewers to install the trojan through whatever means they deem necessary. In some cases, complicit domains can even prompt Macs to download Shlayer as a fake Flash update or installer. Kaspersky reports that more than 1,000 partner sites distribute Shlayer, including one individual who owns 700 domains that redirect to Shlayer download pages.

Once Shlayer has been installed, it begins to do its intended work. The Shlayer trojan itself is a vehicle to deliver other malware. Its payloads typically include malicious adware. One of the most known payloads is Cimpli. Cimpli is an adware that is usually disguised as a Safari browser extension such as Any Search. It can intercept your search results and seed them with specific ads.

Shlayer is not a virus intended to damage Macs, but instead is a malevolent attempt at gathering advertisement money. By accruing popup ads and seeding search results with ad links, hackers generate an enormous amount of advertisement funds. While the exact amount of money made this way is unknown, the effects are enough to keep the network of affiliates who distribute the software operating.

Symptoms of a Shlayer Virus Infection

Shlayer is such a simple piece of malicious code that there are no detectable symptoms of infection. Mac users with an eye for safety will need to make use of antivirus software to scan, detect, and remove the trojan.

While Shlayer itself has no detectable symptoms, Mac users can look out for the symptoms of the payloads it installs. As this cybersecurity threat is mostly used to install adware, the obvious sign that your device has been infected is an unusual number of advertisements. Pop-ups are not typical of modern trusted websites, and neither is Flash.

Here are a few signs to look out for:

  • Heavy amount of advertisement pop-ups
  • Unusual search results filled with advertisements
  • Safari extensions that were not intentionally added by the user
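The third sign above, Safari extensions the user never added, is the one a practitioner can check mechanically. The script below is an added example (not part of the original article): it compares a list of installed Safari extension identifiers against an allowlist the user maintains and flags anything unknown. On macOS the live list can be obtained with `pluginkit -m -p com.apple.Safari.extension` (assumed; its output format varies by version, so it is piped through `sed` to strip the status prefix and version suffix); here a constructed sample list stands in for that output so the script runs anywhere.

```shell
#!/bin/sh
# Allowlist of Safari extension bundle identifiers the user knowingly installed.
# Constructed sample values, not real product identifiers.
KNOWN_EXTENSIONS="com.example.passwordmanager.safari
com.example.adblocker.safari"

# flag_unknown_extensions: read one identifier per line from stdin and print every
# identifier that is not on the allowlist. Returns 1 if anything was flagged, 0 if not.
flag_unknown_extensions() {
    found=0
    while IFS= read -r id; do
        [ -z "$id" ] && continue
        # -x: whole-line match, -F: literal match (no regex interpretation of dots)
        if ! printf '%s\n' "$KNOWN_EXTENSIONS" | grep -qxF -- "$id"; then
            printf 'UNKNOWN SAFARI EXTENSION: %s\n' "$id"
            found=1
        fi
    done
    return $found
}

# On a real Mac (assumed command and output format) the live list would be fed in with:
#   pluginkit -m -p com.apple.Safari.extension | sed 's/^[-+! ]*//; s/(.*//' | flag_unknown_extensions
# Constructed sample output standing in for that list; the middle entry mimics an
# adware extension the user never installed (the article names "Any Search" as one disguise).
SAMPLE_LIST="com.example.passwordmanager.safari
com.anysearch.sample.extension
com.example.adblocker.safari"

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LIST" | flag_unknown_extensions
fi
```

Run with `--demo` to see the constructed case; a non-zero exit status means at least one extension needs a closer look.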

Shlayer adware forces advertising into Mac’s browser which can intercept browser searches to modify the results to promote more ads.

How to Get Rid of the Shlayer Virus

As previously stated, it can be difficult for an inexperienced user to remove Shlayer and other malware. This is by design. Hackers create their code so that the effects are not easily detectable. The best method to get rid of the Shlayer virus and other malware is to use trusted antivirus software. Software firms like Malwarebytes, Kaspersky, Avast, AVG, Norton, and Total AV are cybersecurity experts. Their experience with malware and the way it operates gives them an edge in detecting, preventing, and removing malware.

With the world connected to the internet, the proliferation of malware is always going to be a problem. Exploits are found every day, and hackers jump at the chance to take advantage of them for personal gain or even fun. You may consider yourself to be an IT expert, but there is always someone better. Don’t leave your Mac unprotected in a growing internet-connected world.

Every computer user should learn and practice safe online interactions. For the Shlayer virus, the best practice to always keep in mind is to be suspicious of external downloads, emails, bad links, and similar strategies. If something appears too good to be true, it probably is.

Here are some internet safety practices that help you keep your Mac safe from the most popular cybersecurity concerns:

  • Use creative and secure passwords
  • Don’t use the same password for every website
  • Be suspicious of downloads, pop-ups, and emails
  • Keep an eye on cybersecurity news and trends
  • Back up your device’s data
  • Update your software through traditional means only
  • Secure your wireless connections
  • Keep an active antivirus software or subscription
  • Avoid any Flash Player pop-ups

Learn more about the Shlayer Virus in this brief video from ManageEngine IAM and SIEM.

The Best Antivirus Software for the Shlayer Virus

The best method for the prevention of the Shlayer virus is the use of trusted antivirus software. Regardless of Apple’s claims that Macs are safety focused and impervious to malware, Mac users have become a major target of cybersecurity concerns. Even though the Shlayer virus has been primarily used for financial gain through advertisements, its method for installing unwanted payloads can easily be transitioned to much more nefarious means like keyloggers, remote access, and more.

The good news is that the Shlayer virus does rely on a simplistic method which makes it easily detectable by the most common antivirus software available. These services are a great method for malware prevention, especially when the effects of malware are difficult to detect by the untrained eye. While it is always recommended for anyone who interacts online to practice good habits and be wary of bad actors, good antivirus software can make malware prevention easy.

If you believe your Mac has already contracted malicious software such as Shlayer, it isn’t the best idea to attempt to find and get rid of it by yourself. Finding every part of a hacker’s code is often intentionally difficult. The best way to remove every aspect of the Shlayer virus is to leave it to the professionals.

Here are the top recommendations for antivirus software for Mac users:

McAfee Total Protection 2022 | 5 Device | Antivirus Internet Security Software | VPN, Password Manager, Dark Web Monitoring | 1 Year Subscription | Download Code
  • MCAFEE TOTAL PROTECTION IS ALL-IN-ONE PROTECTION – antivirus, security, identity, and privacy protection for 5 devices​ for 1 year
  • SECURE VPN – Stay private and secure on public Wi-Fi with VPN that can connect automatically when you need it
  • MONITOR UP TO 10 EMAILS ON THE DARK WEB - If your info is found we'll notify you so you can act before your info ends up in the wrong hands
  • CHECK THE HEALTH OF YOUR ONLINE PROTECTION – our industry-first Protection Score will identify weak spots and guide you to improve your security​
  • PASSWORD MANAGER - Secure your accounts by generating and storing complex passwords and auto-filling your info for faster logins across devices
We earn a commission if you make a purchase, at no additional cost to you.
Bitdefender Total Security 2023 – Complete Antivirus and Internet Security Suite – 5 Devices | 2 year Subscription | PC/Mac | Activation Code by Mail
  • Rated #1 by PC Mag for 2023
  • Compatible with Windows (8.0, 8.1, 10, and 11), Mac (macOS X Yosemite 10.10 and later), iOS (11.2 and later), and Android (5.0 and later)
  • Dedicated browser secures your online transactions
  • Advanced features like web protection tools, parental controls, file shredder, firewall, VPN, and anti-tracker
  • Will not automatically renew
Norton AntiVirus Plus, 2023, Antivirus software for 1 Device with Auto-Renewal [Download]
  • Download and install instantly
  • Real-time protection from malware
  • Safely and securely store your passwords with password manager
  • Firewall blocks unauthorized traffic
  • 2GB of PC Cloud backup
Avast Ultimate 2022 | Antivirus+Cleaner+VPN | 10 Devices, 1 Year [PC/Mac/Mobile Download]
  • Compatible with Windows (7, 8, 8.1, 10, and 11), Mac OS (10.12 Sierra and later), Android (6.0 and later), iOS (13.0 and later)
  • Additional features like a password manager, firewall, VPN, and web protection
  • Blocks spam and phishing emails
  • Protects your photos and personal files
  • Does not auto-renew unless you sign up for it
Malwarebytes Premium 4.5 Latest Version 2022 Antivirus Software | 5 Device 1 Year (PC, Mac, Android) [software_key_card]
  • PROTECTS YOUR DEVICES ON MULTIPLE PLATFORMS: Compatible with Windows, Mac, Android devices.
  • UNMATCHED THREAT DETECTION: We found malware on 29 percent of devices that already had a third-party antivirus installed. That’s the power of our innovative technology. We block sophisticated...
  • INCREDIBLY EASY TO USE: Our simple user interface enables you to fully control your protection to meet your needs without requiring technical expertise. You can schedule scans, adjust protection...
  • ADVANCED MALWARE, RANSOMWARE PROTECTION: Helps protect you from websites that download ransomware, steal login credentials, or run scams. Reduces your exposure to hackers and cyberthreats while...
  • PROACTIVE EXPLOIT, AND VIRUS PROTECTION: Protection from the financial and reputational risk posed by a ransomware attack. Shields your device and data from vulnerable and unpatched software until it...

Frequently Asked Questions

How does the Shlayer virus work?

The Shlayer virus is a simple trojan designed to act as a vehicle to install other malicious software. It gains access to a Mac device by tricking the user into clicking a bad link, installing untrustworthy software, or posing as a needed update to common applications like Flash Player.

Once the software has been installed, it begins to fetch its payload of adware like Cimpli, Pirrit, Geonei, or Bnodlero to force bad ads and seed your search results. These ads earn hackers money just like any other web-based advertisement. Software like Cimpli can even install itself as a Safari browser extension.

While most of the payloads delivered by Shlayer are targeted, malicious advertising attempts, it’s important to remember that any malicious code can be delivered by the software once it gains access to your device. Shlayer itself only acts as a method of access to an otherwise secure macOS ecosystem. Like any other malware, it takes advantage of you or your device through access you never intended to grant.

What is an example of the Shlayer virus?

The Shlayer virus is the most prolific example of this kind of trojan. It infected 29% of Kaspersky’s Mac users in 2019. The closest known relative of Shlayer is called Bundlore.

Who created the Shlayer virus?

The original creator of the Shlayer virus is still unknown. However, it is known that over 1,000 separate affiliates are active online who help to push the software onto Mac users. The operators of the Shlayer virus offer YouTubers, website owners, and Wikipedia writers a percentage of the funds gained through ads to push the software on their platforms. One individual is known to have run 700 separate domains which all lead back to a Shlayer-based landing page.

The identities of perpetrators have not been revealed by cybersecurity researchers to the public. This is likely due to ongoing cybercrime investigations and law enforcement jurisdictions.

Where does the Shlayer virus come from?

Shlayer is thought to have first appeared in 2018. According to cybersecurity researchers at Intego, the first known group of malicious advertisers who delivered the Shlayer virus to unsuspecting users was VeryMal. VeryMal is a loose collective of bad actors who work together to spread malware both for fun and financial gain. The individuals involved in the group are not publicly known or advertised as the actions of the group are illegal.

VeryMal is responsible for more than just the Shlayer virus. The group is known to develop several malicious software programs and even found ways to distribute payloads through images.

How common is the Shlayer Virus on a Mac?

Kaspersky reported that 29% of its Mac users had at one time been infected by the Shlayer trojan. As Kaspersky is not installed on every Mac device, it is reasonable to assume that anywhere between 30% and 50% of Mac users have encountered Shlayer in some form. As the most prevalent malware in the macOS ecosystem, it is likely that some instances of infection have never been discovered.