macOS’ Shlayer trojan remained the OSes most popular in 2019. Kaspersky says it made up almost 30% of detections from the OS, with 32,000 different samples collected since its discovery in February 2018.

Shlayer has typically been spread through malicious advertising injected into legitimate websites. One example is a file host when trying to download pirated software, or a fake flash player ad when watching a tv show on a shady site. Clicking on the link will prompt users to download seemingly innocuous fake applications that hide its malicious code. Users are then hit by aggressive ads, where their browser searches are also modified to show ads.

Compared to some of the nasty Windows malware we’ve seen in recent times, it’s not too serious. However, in recent times, it seems the trojan downloader’s authors have been targetting users where they’re most comfortable.

Kaspersky discovered videos across YouTube that had links to malicious partner sites that would prompt a download. The same applied to the references in Wikipedia descriptions, which are used by many students and can be edited by anyone.

The researchers say Shlayer gives a relatively good payout to website owners for each install by a U.S. user. Its statistics also indicate that the infection is most common in the U.S., accounting for 31.39% of attacks, while Germany holds 13.76%, France 10.44%, and the UK 9.19%. I’d imagine this lines up somewhat with the popularity of mac devices across the world.

However, while Shlayer has been infecting users since 2018, its methods have changed somewhat. The latest variants use Python scripts rather than Bash ones, one providing data encryption and the other doing the bulk of the work.

Users can identify Shlayer through most major anti-virus solutions, or by checking for applications like Any Search or ManagementMark on their system. The malware won’t steal your credit card information right now, but it may soon evolve in a way that enables it to. Though the macOS is inherently harder to exploit than Windows, it’s important not to be complacent about suspicious links and software.