Nasty Mac malware is circulating on Google with you in its sights


A new form of Mac malware spread via malicious Google search results has been discovered by Mac antivirus maker Intego.

The malware can get past some of Apple's security protections and most antivirus software by masquerading as an Adobe Flash Player update -- and in this case the Flash Player installer it delivers is genuine, which is part of the disguise.

This is a new variant of the Shlayer malware, which Intego discovered in 2018 and which has been causing havoc for macOS users ever since. Kaspersky estimated Shlayer was responsible for 30% of all Mac malware attacks in 2019.

Writing in a blog post, Intego chief security analyst Joshua Long explained how this new variant appears, as previous versions of Shlayer have, as an Adobe Flash Player installer.

He said: “After the deceptive Flash Player installer is downloaded and opened on a victim’s Mac, the disk image will mount and display instructions on how to install it. The instructions tell users to first 'right-click' on flashInstaller and select Open, and then to click Open in the resulting dialog box."

But at this point, it takes a different path than earlier Shlayer variants.

“If a user follows the instructions, the 'installer app' launches," Long added. "While the installer has a Flash Player icon and looks like a normal Mac app, it’s actually a bash shell script that will briefly open and run itself in the Terminal app.”

Bash is a Unix shell, a command-line interpreter rather than a normal Mac application, but the resulting Terminal window comes and goes so fast -- "a split second," Long writes -- that the user probably won't notice.

To trick users, a genuine Adobe Flash Player installer is downloaded onto the user's Mac. That installer is signed with Adobe's own Apple Developer ID certificate, so it sails right past Gatekeeper, the macOS check that blocks software from unidentified developers. The malicious script itself never has to pass that check: the "right-click, then Open" instruction shown in the disk image is the standard user override for opening software that Gatekeeper would otherwise refuse to launch.

Meanwhile, the shell script also installs a hidden downloader that can install more malware and adware -- in other words, Shlayer.

Long explained that the developers' decision to hide the downloader within a password-protected .zip file -- and in turn to hide that within a bash shell script -- is a novel idea and "clear evidence" of "trying to evade detection by antivirus software." A scanner cannot inspect the contents of an encrypted archive without its password, and a text file that starts as an ordinary shell script does not look like a binary payload to a signature-based engine.
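The two tricks described above, an "app" whose executable is really a shell script and a password-protected zip hidden inside that script, are both things an analyst can check for mechanically. The following triage script is an added example written for this article, not code from Intego or from the malware itself. It resolves a bundle's CFBundleExecutable from Info.plist, classifies the executable by its magic bytes (shebang versus Mach-O), and scans a script executable for ZIP local file headers whose general-purpose flag has the encryption bit set. The bundle name FlashInstaller.app, the bundle identifier, the member name "downloader" and the script body are all constructed stand-ins, not details of the real sample.

```python
"""Triage a macOS .app bundle for a script masquerading as the executable and
an encrypted zip embedded in that script. Added example; sample data below is
constructed, not taken from the real Shlayer variant."""
import os
import plistlib
import struct
import tempfile
import zipfile

# First four bytes of 32-bit, 64-bit and fat Mach-O files, both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def bundle_executable(app_path):
    """Resolve Contents/MacOS/<CFBundleExecutable> from the bundle's Info.plist."""
    with open(os.path.join(app_path, "Contents", "Info.plist"), "rb") as f:
        info = plistlib.load(f)
    return os.path.join(app_path, "Contents", "MacOS", info["CFBundleExecutable"])


def classify_executable(path):
    """'script' for a shebang, 'mach-o' for a Mach-O magic, else 'unknown'."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head.startswith(b"#!"):
        return "script"
    if head in MACHO_MAGICS:
        return "mach-o"
    return "unknown"


def embedded_zip_members(data):
    """Return (name, encrypted) for each ZIP local file header found in data.
    Layout: sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4) csize(4)
    usize(4) name_len(2) extra_len(2) name. Flag bit 0 marks an encrypted entry."""
    members = []
    pos = data.find(ZIP_LOCAL_HEADER)
    while pos >= 0 and pos + 30 <= len(data):
        flags = struct.unpack_from("<H", data, pos + 6)[0]
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        members.append((name, bool(flags & 0x0001)))
        pos = data.find(ZIP_LOCAL_HEADER, pos + 30 + name_len + extra_len)
    return members


def triage_app(app_path):
    """Combine both checks into a verdict for one bundle."""
    exe = bundle_executable(app_path)
    kind = classify_executable(exe)
    encrypted = []
    if kind == "script":
        with open(exe, "rb") as f:
            encrypted = [n for n, enc in embedded_zip_members(f.read()) if enc]
    if kind == "script" and encrypted:
        verdict = "high: script posing as app bundle, carries encrypted zip"
    elif kind == "script":
        verdict = "suspicious: bundle executable is a shell script"
    else:
        verdict = "no finding"
    return {"executable": os.path.basename(exe), "kind": kind,
            "encrypted_zip_members": encrypted, "verdict": verdict}


def build_sample_bundle(root):
    """Constructed look-alike of the bundle the article describes (not the real
    sample): a bash script as the executable, with a zip appended to it."""
    app = os.path.join(root, "FlashInstaller.app")
    macos = os.path.join(app, "Contents", "MacOS")
    os.makedirs(macos)
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleExecutable": "flashInstaller",
                       "CFBundleIdentifier": "com.example.fakeflash"}, f)
    zip_path = os.path.join(root, "payload.zip")
    with zipfile.ZipFile(zip_path, "w") as z:
        z.writestr("downloader", b"placeholder payload bytes")
    with open(zip_path, "rb") as f:
        blob = bytearray(f.read())
    # zipfile cannot write encrypted archives, so set bit 0 of the local
    # header's flag word by hand to mimic a password-protected entry.
    blob[blob.find(ZIP_LOCAL_HEADER) + 6] |= 0x01
    script = (b"#!/bin/bash\n"
              b"# constructed stand-in body; the real script carved its payload\n"
              b"# out of itself and ran the genuine Flash installer alongside it\n"
              b"exit 0\n")
    with open(os.path.join(macos, "flashInstaller"), "wb") as f:
        f.write(script + bytes(blob))
    return app


def demo():
    """Build the constructed bundle in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_app(build_sample_bundle(tmp))


if __name__ == "__main__":
    print(demo())
```

Run against a mounted disk image with `triage_app("/Volumes/<image>/<name>.app")`. A script as CFBundleExecutable is not malicious by itself (some legitimate launchers do it), which is why the verdict is only "suspicious" until an encrypted archive is found appended to it.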


Spreading like wildfire

Long explained that Intego’s research team came across this new Shlayer strain when searching for YouTube videos on Google. Clicking on a malicious search result would take the user to a page warning that Flash Player needed to be updated. 

"The same thing could happen with any search engine: Bing, Yahoo!, DuckDuckGo, Startpage, Ecosia, or any others," Long wrote.

The crooks used deceptive warnings and fake dialog boxes to trick people into downloading the updated version of Flash, which was actually malware. (Previous versions of Shlayer tended to use online ads rather than search-engine results to lure victims to malicious pages.)

Intego has since contacted Google to make it aware of the malicious search results, and said that its own antivirus software is capable of detecting this variant.

To protect yourself from Shlayer and similar Mac malware, don't update or install Adobe Flash Player, especially when a webpage prompts you to do so. Flash is being phased out (Adobe has announced the end of support for Flash Player at the end of 2020), and not many websites use it any more; a genuine update would come through the existing Flash Player preference pane or adobe.com, never from a search result or pop-up.

We'd normally tell you that the best Mac antivirus software will protect you from this new threat, but as Intego's blog post pointed out, very few of the antivirus malware-scanning engines listed on VirusTotal detect this new Shlayer variant yet.

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!
