Shlayer is a trojan targeting macOS, first discovered in 2018.
Also known as: OSX.Shlayer, Shlayer Trojan
Shlayer is one of the most widespread macOS threats, accounting for nearly 30% of all macOS malware detections at its peak. It primarily serves as a dropper that installs adware and potentially unwanted programs. Shlayer gained notoriety for being accidentally notarized by Apple in 2020, allowing it to bypass Gatekeeper entirely.
Fake Adobe Flash Player update prompts on streaming and torrent sites
Malvertising on legitimate websites redirecting to fake update pages
Poisoned search results leading to fake software download portals
Compromised websites injecting fake browser update banners
Recently clicked a Flash Player update prompt on a website
New adware applications appearing that you did not install
Browser redirects to search engines you did not choose
Significantly increased number of ads across all websites
Remove any recently downloaded DMG or PKG files related to Flash Player from your Downloads folder and empty the Trash.
Check /Applications and ~/Applications for recently installed apps you do not recognize. Shlayer typically installs secondary adware like Pirrit, Cimpli, or AdWare.OSX.
Remove suspicious plist files from ~/Library/LaunchAgents and /Library/LaunchDaemons. Look for files created around the time the fake update was installed.
Reset Safari, Chrome, and Firefox to default settings to remove any injected search engines, homepages, or extensions installed by the Shlayer payload.
Run a full scan to detect any residual Shlayer components or secondary adware payloads that were installed alongside the initial dropper.
Adobe Flash Player is discontinued — any update prompt is malware, period
Install an ad blocker to prevent malvertising redirects
Only update software through the App Store or the application's built-in updater
Use CoreLock to detect dropper behavior before secondary payloads are installed
Real-time Detection
CoreLock detects Shlayer through behavioral analysis of dropper installation patterns, YARA rules matching known Shlayer shell script signatures, monitoring for rapid sequential application installations typical of dropper chains, and code signing analysis flagging mismatched or revoked certificates.
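One of the behaviours named above, rapid sequential application installations, can be expressed as a sliding-window count over an install event stream: if more than N app bundles appear within W seconds, flag the run. The function below is an added illustration of that heuristic, not CoreLock's detection logic, and it assumes a simplified event format of `<unix-epoch> <app-path>` per line (in practice such events would come from file-system or endpoint telemetry). The sample event stream is constructed for the example; the app names in it are placeholders, two of them borrowed from the payload families named on this page.

```shell
#!/bin/sh
# Added example (not CoreLock's code): flag bursts of app installations.
# Input on stdin: one event per line, "<unix-epoch> <app-path>", in time order.
# Prints one ALERT line for every event at which the number of installs seen
# within the trailing window reaches the threshold.
detect_install_bursts() {
    threshold=${1:-3}   # installs needed inside the window to alert
    window=${2:-120}    # window length in seconds
    awk -v n="$threshold" -v w="$window" '
    BEGIN { start = 1; k = 0 }
    NF >= 2 {
        k++
        t[k] = $1 + 0
        app[k] = $2
        # slide the window: drop events older than w seconds before this one
        while (t[k] - t[start] > w) start++
        count = k - start + 1
        if (count >= n) {
            list = app[start]
            for (i = start + 1; i <= k; i++) list = list "," app[i]
            printf "ALERT t=%d %d installs within %ds: %s\n", t[k], count, w, list
        }
    }'
}

# Constructed sample: four installs inside 70 seconds, then one an hour later.
sample_events() {
    printf '%s\n' \
        '1700000000 /Applications/FlashInstaller.app' \
        '1700000020 /Applications/Pirrit.app' \
        '1700000045 /Applications/Cimpli.app' \
        '1700000070 /Applications/SearchHelper.app' \
        '1700003600 /Applications/TextEditor.app'
}

# Demonstration: threshold 3 installs, window 120 seconds.
sample_events | detect_install_bursts 3 120
```

On the sample stream the first alert fires at the third install (t=1700000045) and a second one at the fourth, while the lone install an hour later starts a fresh window and stays quiet. Threshold and window are the tuning knobs: a migration assistant or a batch of App Store updates will also install several apps quickly, so in a real deployment this signal is combined with the other checks the paragraph lists (script signatures, signing status) rather than used alone.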
While Shlayer's prevalence has decreased since Flash Player's official discontinuation, variants continue to circulate using fake browser update prompts instead. The underlying distribution network remains active, making it an ongoing concern for Mac users.
In 2020, Apple accidentally notarized a Shlayer variant, meaning the malware passed Apple's automated security checks and was allowed to run without Gatekeeper warnings. Apple revoked the notarization quickly, but it highlighted limitations in automated malware screening.
Shlayer itself is a dropper — its job is to install other malware. Common payloads include AdLoad, Pirrit, Cimpli, and MiTMProxy-based adware. These inject ads into web pages, redirect searches, and install persistent browser extensions.
Download CoreLock to detect and remove Shlayer and other macOS threats. AI-powered analysis, real-time monitoring, and one-click remediation.
Download CoreLock Free. Available for macOS and Windows.