Nasty Mac malware is circulating on Google with you in its sights

[Image: MacBook Pro 16-Inch (Image credit: Tom's Guide)]

A new form of Mac malware spread via malicious Google search results has been discovered by Mac antivirus maker Intego.

The malware can get past some of Apple's security protections, and past antivirus software, by masquerading as an Adobe Flash Player update -- but in this case, the Flash update itself is real.

This is a new variant of the Shlayer malware, which Intego discovered in 2018 and which has been causing havoc for Mac OS users ever since. Kaspersky estimated Shlayer was responsible for 30% of all Mac malware attacks in 2019.

Writing in a blog post, Intego chief security analyst Joshua Long explained how this new variant appears, as previous versions of Shlayer have, as an Adobe Flash Player installer.

He said: “After the deceptive Flash Player installer is downloaded and opened on a victim’s Mac, the disk image will mount and display instructions on how to install it. The instructions tell users to first 'right-click' on flashInstaller and select Open, and then to click Open in the resulting dialog box."

But at this point, it takes a different path than earlier Shlayer variants.

“If a user follows the instructions, the 'installer app' launches," Long added. "While the installer has a Flash Player icon and looks like a normal Mac app, it’s actually a bash shell script that will briefly open and run itself in the Terminal app.”

Bash is a Unix command-line shell, but the resulting Terminal window comes and goes so fast -- "a split second," Long writes -- that the user probably won't notice it.

To trick users, a genuine Adobe Flash Player installer is downloaded onto the user’s Mac. The installer is "signed" with Adobe's Apple developer signature, so it will sail right past the Gatekeeper program that screens out unsigned software.

Meanwhile, the shell script also installs a hidden downloader that can install more malware and adware -- in other words, Shlayer.

Long explained that the developers' decision to hide the downloader within a password-protected .zip file -- and in turn to hide that within a bash shell script -- is a novel idea and "clear evidence" of "trying to evade detection by antivirus software."
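A defender-side triage check for the trait Long describes (an .app whose main executable is a shell script rather than a compiled binary, with a password-protected zip hidden inside it), written here as an added example and not code from Intego or the article. The Mach-O magic values are real; the unzip-with-password heuristic, the sample bytes and the throwaway bundle layout are my assumptions, constructed for illustration.

```python
import os
import plistlib
import re
import tempfile

# Mach-O magic numbers: 32/64-bit in both byte orders, plus fat (universal) binaries.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # start of a zip local-file entry
# Heuristic (an assumption, not taken from the article): a script that runs unzip
# with an inline password is behaving like a dropper.
PASSWORD_UNZIP = re.compile(rb"\bunzip\b[^\n]*\s-P\s")

def triage_app_executable(data: bytes) -> dict:
    """Classify an app bundle's main executable and flag dropper traits."""
    result = {"kind": "unknown", "zip_offset": -1, "password_unzip": False, "suspicious": False}
    if data[:4] in MACHO_MAGICS:
        result["kind"] = "mach-o"   # a normal compiled Mac app
    elif data.startswith(b"#!"):
        result["kind"] = "script"   # an .app whose "binary" is really a shell script
        result["zip_offset"] = data.find(ZIP_LOCAL_HEADER)  # where an analyst can carve
        result["password_unzip"] = PASSWORD_UNZIP.search(data) is not None
        result["suspicious"] = result["zip_offset"] >= 0 or result["password_unzip"]
    return result

def triage_bundle(app_dir: str) -> dict:
    """Read CFBundleExecutable from Info.plist and triage that file's bytes."""
    with open(os.path.join(app_dir, "Contents", "Info.plist"), "rb") as f:
        exe = plistlib.load(f)["CFBundleExecutable"]
    with open(os.path.join(app_dir, "Contents", "MacOS", exe), "rb") as f:
        return triage_app_executable(f.read())

# Constructed sample inputs (not real Shlayer bytes): a script-backed fake installer
# with a zip header appended after the script, and a minimal Mach-O-looking header.
SAMPLE_SCRIPT = (b"#!/bin/bash\nunzip -P secret payload.zip -d /tmp\nexit 0\n"
                 + ZIP_LOCAL_HEADER + b"\x14\x00\x00\x00")
SAMPLE_MACHO = b"\xcf\xfa\xed\xfe" + b"\x00" * 28

def demo() -> dict:
    """Build a throwaway .app bundle around SAMPLE_SCRIPT and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "flashInstaller.app")
        os.makedirs(os.path.join(app, "Contents", "MacOS"))
        with open(os.path.join(app, "Contents", "Info.plist"), "wb") as f:
            plistlib.dump({"CFBundleExecutable": "flashInstaller"}, f)
        with open(os.path.join(app, "Contents", "MacOS", "flashInstaller"), "wb") as f:
            f.write(SAMPLE_SCRIPT)
        return triage_bundle(app)

if __name__ == "__main__":
    print(demo())
```

Point `triage_bundle` at a downloaded .app to see whether its main executable is a compiled Mach-O binary or a script carrying an archive; a genuine Flash installer would report "mach-o".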


Spreading like wildfire

Long explained that Intego’s research team came across this new Shlayer strain when searching for YouTube videos on Google. Clicking on a malicious search result would take the user to a page warning that Flash Player needed to be updated. 

"The same thing could happen with any search engine: Bing, Yahoo!, DuckDuckGo, Startpage, Ecosia, or any others," Long wrote.

The crooks used deceptive warnings and fake dialog boxes to trick people into downloading the updated version of Flash, which was actually malware. (Previous versions of Shlayer tended to use online ads rather than search-engine results to lure victims to malicious pages.)

Intego has since contacted Google to make it aware of the malicious search results, and claimed that its own antivirus is among the only products capable of tackling this malware.

To protect yourself from Shlayer and similar Mac malware, don't update or install Adobe Flash Player, especially when a webpage prompts you to do so. Flash is being phased out, and not many websites use it any more. 

We'd normally tell you that the best Mac antivirus software will protect you from this new threat, but as Intego's blog post pointed out, very few of the antivirus malware-scanning engines listed on VirusTotal detect this new Shlayer variant yet.

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!