OSX/Shlayer

OSX/Shlayer is a macOS Trojan horse that, once run, downloads and installs additional software on the victim's computer; in the samples seen so far, that software is adware.

Although malware that disguises itself as an update to Adobe Flash Player is nothing new, some of the latest incarnations of fake Flash Player installers have an unusual method of downloading additional content.

OSX/Shlayer spreads via BitTorrent file-sharing sites: when a user clicks what appears to be the link for copying a torrent's magnet link, a fake Flash Player update prompt is presented instead.

Torrent sites are notorious for distributing malware and adware, sometimes through misleading advertisements, and sometimes through Trojan horse downloads that claim to be “cracks” or that may contain infected copies of legitimate software.

Even if you don’t use torrent sites, you may encounter other sites that claim you need to update Flash Player; in most cases, this is actually an attempt to install malware on your computer.

BROWSER INDICATORS:

On some of the malware distribution pages, the fake Flash Player alerts are customized to your browser. If you’re using Mozilla Firefox, you may see an upward-facing arrow appear pointing to the browser toolbar that indicates that there is a recent download available to open.

If you’re using Google Chrome, you may see a pop-up message pointing to the bottom-left corner of the browser window where newly available downloads appear. Ironically, Google Chrome has its own built-in version of Flash Player that users don’t need to update manually; it gets updated automatically whenever Google issues an update for Chrome itself.

WHAT MALWARE DOES IF INSTALLED:

The primary goal of OSX/Shlayer is to download and install adware onto an infected Mac. Although “adware” may not sound like a big deal, it can be a lot more harmful than the name implies.

At least one variant of the malware also appears to exhibit an interesting behavior: It checks whether one of several Mac anti-virus products is installed.

HOW MAC USERS CAN PROTECT THEMSELVES FROM OSX/SHLAYER:

Avoid any “Flash Player” update alerts you may encounter on the Web; in most cases, these are actually false warnings intended to trick you into downloading and installing malware.

If you use Google’s Chrome browser, it already has a built-in version of Flash Player, so you’ll never need to obtain a newer version of the plugin from a third party.

If you use Apple’s Safari browser, or Mozilla Firefox or other third-party Web browsers, you should bookmark https://get.adobe.com/flashplayer/ and only obtain Flash Player updates via that bookmark—that is, if you even need Flash Player in the first place.

In fact, when you get a new computer the best practice is to avoid installing Flash Player in the first place. Few legitimate sites require Flash these days, and for the rare site that does, you can view the site in Google Chrome.

If you accidentally download a fake Flash Player update and it comes as a .dmg (Mac disk image) file, don't double-click it. Simply drag it to the Trash, and then from the Finder menu (in the top-left corner of the screen, next to the Apple menu) select “Empty Trash…”.

WHAT TO DO IF YOU’RE INFECTED:

If you suspect that your computer might be infected, you can download VirusBarrier Scanner (free) from the Mac App Store to scan your computer for an existing infection.

We recommend installing antivirus software with real-time scanning protection, such as Intego VirusBarrier X9 (part of the Mac Premium Bundle X9 utility suite), to help block malware before an infection can occur.

Author:  Jerry Amarteifio, systems and endpoint engineer 


Citrix Intranet Hacked by Iridium

Citrix Systems’ internal network was hacked by international cybercriminals who may have accessed and downloaded business documents. The company acknowledged the hack in a blog post last Friday.

Stan Black, the chief security and information officer at Citrix, wrote that the company was contacted by the FBI last Wednesday. The FBI told Citrix that it had reason to believe there was a successful attack on the company’s network by foreign parties.

According to Black, no Citrix products or services were compromised. “It appears that the hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown,” Black wrote. He noted that the investigation into the hacks is ongoing.

In the fallout from the attack, Citrix said it has taken action by: starting a forensic investigation; hiring a cybersecurity firm to assist the company; taking steps to secure its internal network; and by continuing to cooperate with the FBI.

Black said that, while not yet confirmed, the FBI believes a technique called password spraying was used to gain access. Password spraying is a low-and-slow form of brute forcing: instead of trying many passwords against one account, the attacker tries a small set of commonly used passwords against many accounts, staying below each account's lockout threshold and succeeding wherever a weak password is in use. Once the attacker gains a foothold with limited access, they work from inside to get around the additional layers of security.
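Because spraying spreads its failures thinly across many accounts, per-account lockout counters never trip; it is visible only when failures are grouped by source and compared against the distinct accounts they target. The following detector is an added illustration, not code from Citrix or from the sdxcentral article. The log format (timestamp, source IP, user, result), the sample log lines, and the threshold values are all assumptions constructed for the example. It separates a spraying source from a classic single-account brute force and then lists accounts that succeeded from a spraying source shortly after it failed against others, which is where the "limited access" foothold described above would first appear.

```python
"""Separate password spraying from single-account brute force in auth logs.

Added illustration, not code from Citrix or the sdxcentral article. The log
format (timestamp source_ip user result), field names and threshold values
are assumptions chosen for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One source tries six accounts once
# each and then logs in as a seventh; another hammers one account six times;
# a third is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2019-03-06T09:00:01 203.0.113.7 alice FAIL
2019-03-06T09:00:03 203.0.113.7 bob FAIL
2019-03-06T09:00:05 203.0.113.7 carol FAIL
2019-03-06T09:00:07 203.0.113.7 dave FAIL
2019-03-06T09:00:09 203.0.113.7 erin FAIL
2019-03-06T09:00:11 203.0.113.7 frank FAIL
2019-03-06T09:00:13 203.0.113.7 grace SUCCESS
2019-03-06T09:00:20 198.51.100.9 alice FAIL
2019-03-06T09:00:22 198.51.100.9 alice FAIL
2019-03-06T09:00:24 198.51.100.9 alice FAIL
2019-03-06T09:00:26 198.51.100.9 alice FAIL
2019-03-06T09:00:28 198.51.100.9 alice FAIL
2019-03-06T09:00:30 198.51.100.9 alice FAIL
2019-03-06T09:05:00 192.0.2.44 heidi FAIL
2019-03-06T09:05:30 192.0.2.44 heidi SUCCESS
"""

WINDOW = timedelta(minutes=10)  # assumed analysis window


def parse_events(log_text):
    """Parse 'timestamp ip user result' lines into time-sorted tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    events.sort()
    return events


def classify_sources(events, window=WINDOW, min_accounts=5,
                     max_per_account=3, brute_threshold=5):
    """Return {ip: 'spray' | 'brute-force'} for sources whose failures
    within one sliding window fit either pattern.

    Spray: at least `min_accounts` distinct accounts, none tried more than
    `max_per_account` times, so no per-account lockout counter is reached.
    Brute force: a single account tried `brute_threshold` or more times.
    """
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))

    verdicts = {}
    for ip, fails in fails_by_ip.items():
        start = 0
        for end in range(len(fails)):
            # advance the window start until fails[start:end+1] fits in `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in fails[start:end + 1])
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                verdicts[ip] = "spray"  # spray takes precedence over brute force
            elif max(per_user.values()) >= brute_threshold:
                verdicts.setdefault(ip, "brute-force")
    return verdicts


def footholds(events, verdicts, window=WINDOW):
    """Accounts that logged in successfully from a spraying source shortly
    after that source failed against *other* accounts: the first accounts
    to review for the limited-access foothold an attacker then expands."""
    found = defaultdict(list)
    for i, (ts, ip, user, result) in enumerate(events):
        if result != "SUCCESS" or verdicts.get(ip) != "spray":
            continue
        recent_fail_users = {u for t, s, u, r in events[:i]
                             if s == ip and r == "FAIL" and ts - t <= window}
        if recent_fail_users - {user}:
            found[ip].append(user)
    return dict(found)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    v = classify_sources(evts)
    print(v)                   # {'203.0.113.7': 'spray', '198.51.100.9': 'brute-force'}
    print(footholds(evts, v))  # {'203.0.113.7': ['grace']}
```

The thresholds are deliberately asymmetric: a spraying source is flagged on breadth (many accounts, few tries each), a brute-forcing source on depth (one account, many tries), and the ordinary user with one typo triggers neither. In production the grouping key would also include the user-agent or client application, since sprayers commonly rotate source addresses.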

“Citrix deeply regrets the impact this incident may have on affected customers,” wrote Black. He noted that Citrix will continue to post updates and work with law enforcement on understanding the details of the breach.

Last week, only a few days before it was contacted by the FBI, Citrix made several updates to its SD-WAN product to make it more secure.

Source:  sdxcentral