The malware specializes in installing adware.
Although macOS is traditionally seen as more secure, there are cybercriminals trying to get rich at the expense of its users. According to Kaspersky statistics, a good example is Shlayer, the most common threat to macOS in 2019.
This malware specializes in installing adware, i.e. programs that plague users by displaying unwanted ads, intercepting and collecting search engine queries, and modifying search results to push even more unwanted resources.
How does infection come about?
The infection process usually consists of two phases: first the user installs Shlayer, and then the malware installs the selected type of adware. The device itself becomes infected when the user unknowingly downloads the malicious program onto it. To make that happen, the criminals have built a distribution system with numerous channels through which users end up downloading the malware.
Shlayer is offered as a way of monetizing websites in many criminal affiliate programs, and the relatively high reward for each installation of the malware by US users has resulted in more than 1,000 "partner sites" spreading Shlayer.
The mechanism works as follows: when a user searches for, say, an episode of a TV series or a football match, the displayed ads redirect them to fake Flash Player update pages. There, the victim unknowingly downloads the malware. For each such installation, the "partner" that spread the links to the malware is paid under the "pay-per-install" model.
Other methods rely on redirecting users to a fake Adobe Flash update page from various large online resources with a multi-million audience, including YouTube, where links to malicious websites have been included in the video descriptions. In addition, Kaspersky researchers have detected numerous links leading to more than 700 domains with malicious code in Wikipedia footnotes. Users who clicked on these links were redirected to Shlayer malware download pages.
Almost all websites leading to the fake Flash Player contained content in English. This corresponds to the top countries by percentage of users attacked by this threat: the United States (31%), Germany (14%), France (10%) and the United Kingdom (10%).