Nasty Mac malware is circulating on Google with you in its sights

MacBook Pro 16-Inch
(Image credit: Tom's Guide)

A new form of Mac malware spread via malicious Google search results has been discovered by Mac antivirus maker Intego.

The malware can get past Apple's some of security protections and antivirus software by masquerading as an Adobe Flash Player update -- but in this case, the Flash update is real.

This is a new variant of the Shlayer malware, which Intego discovered in 2018 and which has been causing havoc for Mac OS users ever since. Kaspersky estimated Shlayer was responsible for 30% of all Mac malware attacks in 2019.

Writing in a blog post, Intego chief security analyst Joshua Long explained how this new variant appears, as previous versions of Shlayer have, as an Adobe Flash Player installer.

He said: “After the deceptive Flash Player installer is downloaded and opened on a victim’s Mac, the disk image will mount and display instructions on how to install it. The instructions tell users to first 'right-click' on flashInstaller and select Open, and then to click Open in the resulting dialog box."

But at this point, it takes a different path than earlier Shlayer variants.

“If a user follows the instructions, the 'installer app' launches," Long added. "While the installer has a Flash Player icon and looks like a normal Mac app, it’s actually a bash shell script that will briefly open and run itself in the Terminal app.”

A bash shell is a Unix-compatible command-prompt framework, but the resulting Terminal window comes and goes so fast -- "a split second," Long writes -- that the user probably won't notice.

To trick users, a genuine Adobe Flash Player installer is downloaded onto the user’s Mac. The installer is "signed" with Adobe's Apple developer signature, so it will sail right past the Gatekeeper program that screens out unsigned software.

Meanwhile, the shell script also installs a hidden downloader that can install more malware and adware -- in other words, Shlayer.

Long explained that the developers’ decision to hide the downloader within a password-protected .zip file -- and in turn to hide that within a bash shell script - is a novel idea and "clear evidence" of "trying to evade detection by antivirus software.”

  • More: Protect your Apple PC with the best Mac VPN

Spreading like wildfire

Long explained that Intego’s research team came across this new Shlayer strain when searching for YouTube videos on Google. Clicking on a malicious search result would take the user to a page warning that Flash Player needed to be updated. 

"The same thing could happen with any search engine: Bing, Yahoo!, DuckDuckGo, Startpage, Ecosia, or any others," Long wrote.

The crooks used deceptive warnings and fake dialog boxes to trick people into downloading the updated version of Flash, which was actually malware. (Previous versions of Shlayer tended to use online ads rather than search-engine results to lure victims to malicious pages.)

Intego has since contacted Google to make it aware of the malicious search results, and claimed that its antivirus is only capable of tackling such malware. 

To protect yourself from Shlayer and similar Mac malware, don't update or install Adobe Flash Player, especially when a webpage prompts you to do so. Flash is being phased out, and not many websites use it any more. 

We'd normally tell you that the best Mac antivirus software will protect you from this new threat, but as Intego's blog post pointed out, very few of the antivirus malware-scanning engines listed on VirusTotal detect this new Shlayer variant yet.

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!