Steganography – Mac malware: Attackers successfully hide malware in ad images


Malware campaigns have become quite regular on Apple devices and as per the new report from Confiant, a cyber-security firm, there’s a new group on the block called that is specifically targeting Apple users through malvertising.

The group called VeryMal has employed steganography technique this time to prevent detection and hide the malicious code in an advertisement’s images.

The campaign has been analyzed by both Confiant and Malwarebytes and the researchers believe that it has been active since January 11 and lasted until January 13.

The infected ad was viewed over 5 million times during the time that it was active.

Ad viewers claim that the campaign involved a tried-and-tested tactic of displaying a notification that the user needs to update the Adobe Flash Player and to do this the user has to open a file to download the new version.

Whoever accepted the download ended up running malware on their Mac and the device was infected with the Shlayer Trojan.

“As malvertizing detection continues to mature, sophisticated attackers are starting to learn that obvious methods of obfuscation are no longer getting the job done. Techniques like steganography are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables,” Confiant researcher Eliya Stein revealed.

It is a noteworthy attempt from VeryMal because usually, attackers find it difficult to evade the numerous protection layers of the ad networks and user desktops.

But, VeryMal successfully hides the payload within the ad’s graphics file using steganography.

The code can create a Canvas object, extract an image file from a certain URL, and create a function to check if the browser supports a particular font.

Attackers successfully hide Mac malware in ad images

The results of payload executed by the advertising-based malware attack

In case the font check fails, the campaign won’t work, but if it is successful then the image file’s underlying data is looped through and each loop determines a pixel value that later becomes an alphanumeric character.

The character is later converted into a string and executed.

However, despite harboring the payload, the image is harmless itself if someone views it and only becomes harmful when the malicious code is executed and the browser is redirected to a link containing the payload.

Mac users are urged to remain alert and don’t pay heed to all the online notifications that they see on their desktop screens because it may be a part of malvertising campaign.

They should specifically be wary of notices that ask users to install software updates and provide an unofficial link for the download.

What happens in steganography is that hackers extract the file and hide malicious code in image’s User Comment EXIF metadata field.

This is not the first time that hackers have used steganography technique to drop malware.

Just last month, researchers discovered two memes hiding commands in their metadata with the help of steganography spreading malware on Twitter. 

In another attack, malicious images were hosted on GoogleUserContent CDN using steganography, however, what’s shocking is that these attacks are not limited to computer users.

Back in 2016, steganography was also used for deploying over 60 malicious applications on Play Store.

How to remove “Shlayer” from Mac?

What is “Shlayer”?

Shlayer is a trojan-type virus designed to proliferate various adware/potentially unwanted applications (PUAs) and promote fake web search engines.

It typically disguises as Adobe Flash Player installer, as well as various software cracking tools.

In most cases, users typically encounter this virus when visiting unreliable Torrent websites that are full of intrusive advertisements and deceptive downloads.

Shlayer scam

Using Torrent and other deceptive sites as a malware distribution channel is very common among cyber criminals.

These persons present viruses as legitimate software, thereby tricking users into running malicious executables.

Shlayer is one of these viruses.

It is designed to promote a variety of adware, unwanted applications, and fake web search engines.

Shlayer typically promotes the following products: Chumsearch Safari web browser extension (which assigns certain browsers’ settings to and disables users from reverting these changes), MyShopCoupon and mediaDownloader adware, Advanced Mac Cleaner, Mac Cleanup Pro and MyMacUpdater unwanted applications.

Just like the aforementioned Chumsearch extension, Shlayer is also designed to assign installed browsers’ (such viruses typically target Safari, Google Chrome and Mozilla Firefox) new tab URL, default search engine, and homepage options to, or

Besides, there’s a huge variety of other potentially unwanted applications that are based on the aforementioned Advanced Mac Cleaner (e.g., Mac Speedup Pro, Mac Tweak, MacRapidizer, Mac-Mechanic, and many others).

All of them are developed by the same people, which means that Shlayer might be used to promote these PUAs as well.

One way or another, Shlayer might cause a variety of issues.

Adware-type applications are designed to deliver intrusive advertisements which lead to malicious websites and/or execute scripts designed to download/install malware.

This means that even a single accidental click might result in high-risk system infection.

Moreover, adware and fake search engines are designed to record various information relating to user’s web browsing activity.

List of collected data types usually includes (but it is not limited to) IP addresses, website URLs visited, pages viewed, search queries, and geo-locations.

The problem is that collected information usually includes personal details, which are shared with third parties (potentially, cyber criminals).

These persons generate revenue by misusing received data, hence, information tracking might result in serious privacy issues or even identity theft.

In some cases, fake search engines feed users with misleading search results that might also lead to malicious sites. Having unwanted applications like Advanced Mac Cleaner may lead to financial losses.

These applications typically perform fake system scans and display false results that contain long lists of viruses and issues that must be removed/solved immediately.

However, free versions of these apps usually aren’t capable of doing so, which is why users are encouraged to purchase the advanced version. What’s more important is that these applications are very likely to give no real value – they typically do nothing but clean the false list and that’s it.

Distinguishing Shlayer is not very difficult. First of all, it is distributed using questionable websites.

Moreover, it’s installer typically contains a variety of unwanted applications/fake search engines that are hidden behind “Custom/Advanced” settings.

Once the installation starts, Shlayer typically delivers a pop-up window asking for permissions to change browsers’ settings.

In order to grant these permissions users need to enter their logins and passwords. Some Shlayer’s variants are designed to display a full-screen installation window which cannot be moved, minimized or closed.

This is being done to prevent users from force-quitting the installation of they get suspicious.

In addition, the installation of unwanted applications typically leave a variety of traces (a.k.a. created files/entries in various directories).

In summary, Shlayer is not a sophisticated malware and it is rather easy to distinguish it’s presence.

High-end viruses do not have user-friendly interface which even allows users to decide whether to install something or not – they typically work in the background, without user’s consent.

How did Shlayer infiltrate my computer?

As mentioned above, vast majority of Shlayer’s samples are distributed using Torrent websites.

Cyber criminals present malicious Adobe Flash Player installers and software cracks as legitimate, while in reality users end up running Shlayer. In some cases, Shlayer samples that are disguised as Adobe Flash Player installer/updater are promoted using fake-error displaying websites.

These sites deliver deceptive messages claiming that user’s Adobe Flash Player is missing or outdated and encourages users to immediately install/update it.

However, the result is ultimately the same.

One way or another, its users’ lack of knowledge and reckless behavior that typically leads to Shlayer’s infection – they are the ones who run various files downloaded from unreliable sources.

How to avoid installation of potentially unwanted applications?

In order to prevent such computer infections users must be very cautious when browsing the Internet and downloading /installing/ updating software.

Always remember that intrusive advertisements typically look completely appropriate.

Once clicked, however, ads expose themselves by redirecting to unreliable websites, such as gambling, adult dating, pornography, and similar.

If you encounter any of these ads/redirects, then immediately remove all suspicious applications and browser plug-ins. Moreover, be sure to download software only from official sources, using direct download links.

Third party downloaders/installers are often used to promote rogue apps, which is why such software should never be used. Same rule applies to software updates.

It is important to keep installed programs up-to-date. However, this should be achieved through implemented functions or tools provided by the official developer only.

Having a reputable anti-virus/anti-spyware suite installed and running is also paramount, because such tools are very likely to detect and eliminate malware before it does any harm.

The key to computer safety is caution.

If your computer is already infected with PUAs, we recommend running a scan with Spyhunter for Windows to automatically eliminate them.

Appearance of rogue Shlayer installation setup promoting and Mac Cleanup Pro (GIF):

Shlayer installation setup

Another variant of Shlayer installer setup promoting

Shlayer trojan pretending to be Adobe Flash Player

List of files/entries created by some variants of Shlayer trojan:

  • /Applications/Advanced Mac Cleaner
  • /Applications/MyMacUpdater
  • /Applications/MyShopcoupon
  • /Applications/mediaDownloader
  • /Library/LaunchAgents/com.MyMacUpdater.agent.plist
  • /Library/LaunchAgents/com.MyShopcoupon.agent.plist
  • /mm-plugin.dylib
  • /myshopcoupon.safariextz
  • ~ Library/Application Support/amc
  • ~ Library/Caches/
  • ~ Library/LaunchAgents/com.pcv.hlpramcn.plist
  • ~ Library/Safari/Extensions/Chumsearch+.safariextz

IMPORTANT NOTE! Shlayer is designed to create a new device profile.

Therefore, before taking any further removal steps, perform these actions:
1) Click the “Preferences” icon in the menu bar and select “Profiles

Shlayer preferences step 1

2) Select the “AdminPrefs” profile and delete it.

Shlayer preferences step 2

3) Perform a full system scan with Combo Cleaner anti-virus suite.

After performing these actions, you can proceed with further removal steps.

Instant automatic removal of OSX/Shlayer virus:

Manual threat removal might be a lengthy and complicated process that requires advanced computer skills.

Spyhunter is a professional automatic malware removal tool that is recommended to get rid of OSX/Shlayer virus.

Quick menu:

  • What is “Shlayer”?
  • STEP 1. Remove PUA related files and folders from OSX.
  • STEP 2. Remove rogue extensions and redirects from Safari.
  • STEP 3. Remove rogue add-ons and redirects from Google Chrome.
  • STEP 4. Remove potentially unwanted plug-ins and redirects from Mozilla Firefox.

Video showing how to remove adware and browser hijackers from a Mac computer:

Potentially unwanted applications removal:

Remove potentially unwanted applications from your “Applications” folder:

mac browser hijacker removal from applications folder

Click the Finder icon. In the Finder window, select “Applications“. In the applications folder, look for “MPlayerX“,”NicePlayer“, or other suspicious applications and drag them to the Trash.

After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.

Free scanner checks if your computer is infected. To remove malware, you have to purchase the full version of Spyhunter.

Remove osx/shlayer virus related files and folders:

Finder go to folder command

Click the Finder icon, from the menu bar. Choose Go, and click Go to Folder…


Check for adware-generated files in the /Library/LaunchAgents folder:

removing adware from launch agents folder step 1

In the Go to Folder… bar, type: /Library/LaunchAgents

removing adware from launch agents folder step 2

In the “LaunchAgents” folder, look for any recently-added suspicious files and move them to the Trash.

Examples of files generated by adware – “installmac.AppRemoval.plist”, “”, “mykotlerino.ltvbit.plist”, “kuklorest.update.plist”, etc. Adware commonly installs several files with the same string.


Check for adware generated files in the /Library/Application Support folder:

removing adware from application support folder step 1

In the Go to Folder… bar, type: /Library/Application Support

removing adware from application support folder step 2

In the “Application Support” folder, look for any recently-added suspicious folders. For example, “MplayerX” or “NicePlayer”, and move these folders to the Trash.


Check for adware-generated files in the ~/Library/LaunchAgents folder:

removing adware from ~launch agents folder step 1

In the Go to Folder bar, type: ~/Library/LaunchAgents

removing adware from ~launch agents folder step 2

In the “LaunchAgents” folder, look for any recently-added suspicious files and move them to the Trash.

Examples of files generated by adware – “installmac.AppRemoval.plist”, “”, “mykotlerino.ltvbit.plist”, “kuklorest.update.plist”, etc. Adware commonly installs several files with the same string.


Check for adware-generated files in the /Library/LaunchDaemons folder:

removing adware from launch daemons folder step 1

In the Go to Folder… bar, type: /Library/LaunchDaemons

removing adware from launch daemons folder step 2

In the “LaunchDaemons” folder, look for recently-added suspicious files.

For example “”, “”, “”, “com.avickUpd.plist”, etc., and move them to the Trash.

step 5

 Scan your Mac with Combo Cleaner:

If you have followed all the steps in the correct order you Mac should be clean of infections. To be sure your system is not infected run a scan with Combo Cleaner Antivirus.

After downloading the file double click combocleaner.dmg installer, in the opened window drag and drop Combo Cleaner icon on top of the Applications icon.

Now open your launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates it’s virus definition database and click “Start Combo Scan” button.


Combo Cleaner will scan your Mac for malware infections.

If the antivirus scan displays “no threats found” – this means that you can continue with the removal guide, otherwise it’s recommended to remove any found infections before continuing.


After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.

OSX/Shlayer virus removal from Internet browsers:

Remove malicious extensions from Safari:

Remove osx/shlayer virus related Safari extensions:

safari browser preferences

Open Safari browser, from the menu bar, select “Safari” and click “Preferences…”.

safari extensions window

In the preferences window, select “Extensions” and look for any recently-installed suspicious extensions.

When located, click the “Uninstall” button next to it/them.

Note that you can safely uninstall all extensions from your Safari browser – none are crucial for normal browser operation.

  • If you continue to have problems with browser redirects and unwanted advertisements – Reset Safari.

Remove malicious plug-ins from Mozilla Firefox:

Remove osx/shlayer virus related Mozilla Firefox add-ons:

accessing mozilla firefox add-ons

Open your Mozilla Firefox browser. At the top right corner of the screen, click the “Open Menu” (three horizontal lines) button. From the opened menu, choose “Add-ons“.

removing malicious add-ons from mozilla firefox

Choose the “Extensions” tab and look for any recently-installed suspicious add-ons.

When located, click the “Remove” button next to it/them. Note that you can safely uninstall all extensions from your Mozilla Firefox browser – none are crucial for normal browser operation.

  • If you continue to have problems with browser redirects and unwanted advertisements – Reset Mozilla Firefox.

Remove malicious extensions from Google Chrome:

Remove osx/shlayer virus related Google Chrome add-ons:

removing malicious google chrome extensions step 1

Open Google Chrome and click the “Chrome menu” (three horizontal lines) button located in the top-right corner of the browser window. From the drop-down menu, choose “More Tools” and select “Extensions“.

removing malicious Google Chrome extensions step 2

In the “Extensions” window, look for any recently-installed suspicious add-ons. When located, click the “Trash” button next to it/them. Note that you can safely uninstall all extensions from your Google Chrome browser – none are crucial for normal browser operation.

  • If you continue to have problems with browser redirects and unwanted advertisements – Reset Google Chrome.


Please enter your comment!
Please enter your name here

Questo sito usa Akismet per ridurre lo spam. Scopri come i tuoi dati vengono elaborati.