A malvertising campaign has been targeting Macs since at least mid-January, with at least a million machines exposed. The malicious ads lure users into updating their Adobe Flash players—but that update is really a downloader called Shlayer that opens up the Mac to even more malware. To evade malware screeners, the ads first load normally, but then draw in malicious content from a Firebase, a Google-hosted online data repository designed for mobile-app makers.
Unfortunately, not that many Mac antivirus brands recognized the Shlayer malware signature yet. As of this writing on Friday morning (March 22, 2019), only Bitdefender and their licensees and partners (Layer 7 Data Solutions) plus a couple of others. But dozens of other antimalware engines listed on the VirusTotal page for Shlayer’s signature let the malware slip by.
Our advice would be to ignore any pop-up windows suggesting that you update Flash Player, especially if you’re using Safari, which Shlayer seems to prefer. Go to the official Flash update page instead.
The million machines exposed weren’t necessarily infected. Their users just all had a malicious ad load in a browser window. The user would still have to click on the ad, and then click again to authorize the installation of the Flash Player “update” to become infected. Malvertisers often get people to click through by creating a sense of urgency or titillation with messages like “Click here to see the nude videos criminals have of YOU!”
Antivirus products often look for signs of potentially malicious code in ads and other browser components, and make a judgment call on whether to block the object even if it contains no known malware signature. Shlayer has been good at getting around that. When it first deployed in January, it buried malicious code directly in the images used in the ads so that the detection engines wouldn’t “see” the code. It’s now changed tactics: Instead of hiding the malicious code in plain sight, Shlayer sucks it in from Firebase, a repository for mobile-app data that is generally trusted because it’s a Google property. But if there’s one thing we’ve learned from 20-odd years of user-generated content, it’s that jerks tend to abuse trust by uploading nasty stuff to otherwise benign websites.
But, imagine if there was a way for you easily secure every device in your network infrastructure without sacrificing valuable resources that drive revenue to your business. Layer 7 Data Solutions makes it easy for small business owners to access cost-effective security solutions that detect advanced attacks and protects users everywhere they go on any network or any device.