The malicious ads lure users into updating their Adobe Flash players—but that update is really a downloader called Shlayer that opens up the Mac to even more malware. To evade malware screeners, the ads first load normally, but then draw in malicious content from a Firebase, a Google-hosted online data repository designed for mobile-app makers.
Unfortunately, not that many Mac antivirus brands recognized the Shlayer malware signature yet. As of this writing on Thursday afternoon (March 21), the corporate siblings Avast and AVG did, as did Avira and Bitdefender and their licensees (Emsisoft, F-Secure, GData and Qihoo 360), plus a couple of others. But dozens of other antimalware engines listed on the VirusTotal page for Shlayer's signature let the malware slip by.
Our advice would be to ignore any pop-up windows suggesting that you update Flash Player, especially if you're using Safari, which Shlayer seems to prefer. (Go to the official Flash update page at https://get.adobe.com/flashplayer/ (opens in new tab) instead.) Alternately, you could use an ad blocker.
The million machines exposed weren't necessarily infected. Their users just all had a malicious ad load in a browser window. The user would still have to click on the ad, and then click again to authorize the installation of the Flash Player "update" to become infected. Malvertisers often get people to click through by creating a sense of urgency or titillation with messages like "Click here to see the nude videos criminals have of YOU!"
Antivirus products often look for signs of potentially malicious code in ads and other browser components, and make a judgment call on whether to block the object even if it contains no known malware signature.
Shlayer has been good at getting around that. When it first deployed in January, it buried malicious code directly in the images used in the ads so that the detection engines wouldn't "see" the code.
It's now changed tactics: Instead of hiding the malicious code in plain sight, Shlayer sucks it in from Firebase, a repository for mobile-app data that is generally trusted because it's a Google property. But if there's one thing we've learned from 20-odd years of user-generated content, it's that jerks tend to abuse trust by uploading nasty stuff to otherwise benign websites.
"The Firebase code looks very similar to typical vanilla ad tech," Confiant security researcher said in a company blog post. "The comparison is a great illustration of how in just a short amount of time the game has changed, and these days it's all about subtle payload delivery."