Shlayer Malware

Shlayer is a type of macOS malware that has been targeting Mac users for the past few years. It’s a Trojan downloader that often disguises itself as an installer for applications like Adobe Flash Player. Its primary objective is to spread adware and other unwanted applications, bombard users with ads, and modify their browser searches with these ads.


Discovering that your Mac has been infected by malware is a stressful experience, but it’s a frequent occurrence with the most common Mac viruses. Panic is the most natural reaction when you suspect your Mac has been infected. You may imagine losing all your data, having your identity stolen, or your bank accounts being hacked.


Despite the fear, it’s possible to remove malware from MacBook. In this article, our team of experts will provide you with all the information you need to know about the Shlayer malware and how to combat it.

Before we start:


“Prevention is better than cure” is a wise saying, but it’s not very helpful when your Mac has already been infected with malware. In such situations, MacKeeper’s Antivirus is an excellent tool to have. It can identify and eliminate all types of malware, including Trojans, in real time and with high efficiency.


Here’s how to use MacKeeper’s Antivirus:

  1. Download and launch the MacKeeper app.
  2. Select Antivirus from the left-hand sidebar, under Security.
  3. Click Start Scan.
  4. If threats are found, select them and click Move to Quarantine.
  5. Click Restart and wait until the MacKeeper app launches again.
  6. Click Quarantine, select all threats, then click Delete.

What is Shlayer malware

Despite the discontinuation of Flash Player in December 2020, Shlayer continues to be a prevalent cyber threat to Apple’s Mac operating system. Users often fall victim to this malware by visiting doggy Torrent pages, which is an obvious threat to their privacy.


Once it infiltrates your Mac, this malware attempts to modify your computer’s behavior by executing various macOS commands that grant this Trojan privileges to manipulate the machine code. The next step is to install adware, typically AdLoad, which spreads intrusive advertisements.

Shlayer malware at a glance

Threat typeTrojan, adware
DistributionSoftware installers, Torrent file downloads, pop-up ads
SymptomsUnwanted pop-up ads, website redirects, slower Mac performance
DamageUnwanted ads, website redirects, web browsing tracking, privacy and personal data breach

How does Shlayer malware work

Shlayer is a trojan-type virus that can infect Mac computers through a malicious download. Cybercriminals who distribute Shlayer typically use Torrent-like download sites to spread the malware. However, they’ve also targeted users of legitimate websites such as YouTube or Wikipedia.


The process of being infected by Shlayer looks like the following:

  1. A user unknowingly downloads the infected downloader.
  2. Then, they’ll be prompted to run an installer that is actually a disguised Python script.
  3. This script will then infiltrate the Mac and collect the information necessary. Then, it’ll download the ZIP file containing the Shlayer trojan.
  4. The second phase of infection starts when a malicious extension called Management Mark, disguised as a Mac utility, is installed on the user’s web browser.
  5. This extension tracks the user’s online searches.
  6. The extension also creates fake redirects that trick victims into viewing illicit advertising.

How did Shlayer malware infiltrate your computer

Shlayer usually infiltrates a computer through Torrent and similar websites. Users install the virus directly onto their computer when they’re prompted with fake Flash Player alerts, opening the door for cybercriminals.

Is Shlayer malware dangerous

Can websites give you viruses? Shlayer is an example of that. It’s a type of malicious software that can infect your computer when you visit seemingly harmless websites. While it may not be as dangerous as other viruses that aim to steal your identity and hack your bank accounts, it can still cause significant harm:

  • Shlayer is a Trojan that targets its victims with illicit advertising, which can be very annoying and intrusive.
  • The ads can also direct you to malicious websites or install other, more dangerous malware on your computer without your knowledge.
  • Shlayer can even track your online activity and sell your data to third parties without your permission.
  • Another concerning issue with Shlayer is that it can lead you to download fake applications promoting a phony service.

Note from our experts: 


Shlayer is  especially dangerous when it comes to fake antivirus software, as it may trick you into paying for a premium version that offers no real value. In reality, these fake software programs don’t remove real malware—the list of issues is fake. To protect yourself, download MacKeeper’s Antivirus.

What is the purpose of Shlayer malware

Shlayer is a type of malware that targets macOS systems. Its primary objective is to spread adware, unwanted applications, and fake search engines. However, this Trojan has a two-phase approach. In the first phase, it uses these tools to infiltrate your system. In the second phase, it’ll leverage adware, apps, and browsers to inject additional harmful payloads that can cause severe damage to your Mac.

How to recognize Shlayer malware

If you’ve recently downloaded a Torrent file and are now seeing an abundance of unwanted ads and pop-ups, it’s possible that your Mac has been infected by malware. The other telltale signs of it include:

  • Shlayer is known to promote adware like mediaDownloader, MyShopCoupon, and the Safari extension Chumsearch.
  • You may also notice that a new browser has been installed and has become your default search engine. If you look back, you may have entered your login details during the installation process, which gave the malware permission to alter your browser settings.
  • Shlayer malware can also install unwanted apps. The trojan is used to promote applications like Mac-Mechanic, MacRapidizer, Mac Speedup Pro, and Mac Tweak.

How to remove Shlayer malware from macOS manually

All is not lost, and, as is always the case when you want to remove malware from browser on Mac, it’s possible to get rid of the Shlayer malware on your macOS. Let’s see how to do it manually:

  1. Delete files and folders related to adware
  2. Remove fake extensions and redirects from Safari
  3. Delete malicious extensions and redirects from Google
  4. Get rid of fake extensions and redirects from Firefox
  5. Delete malicious extensions and redirects from Opera

1. Delete files and folders related to adware

First, you need to find all adware-related files and folders that the Shlayer malware may have installed on your Mac. Follow these steps to remove potentially infected items on your Mac:

  1. Go to Finder.
  2. Click Go from the menu bar, then select Go to Folder… from the dropdown menu.
  3. Type /Library/LaunchAgents/ and press Enter.
  4. Look for suspicious files.
  5. Right-click on them, then choose Move to Trash.
  6. Repeat steps 3-5 but, instead, type the following: /Library/Application Support, and /Library/LaunchDaemons.
  7. Go to the Trash, click Empty, then Empty Trash to remove the suspicious items permanently.
To delete adware-related files and folders, launch the Go to Folder feature on Mac.
Step 1. Launching the Go to Folder… feature
To remove suspicious files and folders, open the LaunchAgents, ApplicationSupport, and LaunchDaemons folders.
Step 2. Finding the LaunchAgents, ApplicationSupport, and LaunchDaemons folders
To remove adware-related files and folders, right-click on them, then select Move to Bin/Trash.
Step 3. Moving suspicious files and folders to the Bin/Trash
To remove suspicious files and folders permanently, go to the Trash, click Empty, then confirm by clicking Empty Trash.
Step 4. Deleting suspicious files and folders permanently

2. Remove fake extensions and redirects from Safari

Next, you should remove fake extensions that may have been installed on your web browsers without your knowledge. Let’s start with Safari, developed by Apple itself. Here’s how to remove fake extensions in Safari:

  1. Launch Safari on your Mac.
  2. Select Safari from the menu bar, then choose Settings.
  3. Go to the Extensions tab.
  4. Find and choose the fake extension you want to remove, then click Uninstall.
  5. In the new pop-up window, click Show in Finder.
  6. When a new Finder window opens, right-click the app, then select Move to Trash to uninstall the app the extension is part of.
To delete fake extensions from Safari on Mac, launch the Settings panel from the menu bar.
Step 1. Launching the Safari Settings panel
To continue with deleting suspicious extensions in Safari, select the fake extension from the Extensions tab and click the Uninstall button.
Step 2. Uninstalling a fake extension from Safari’s Extensions tab
To remove the companion app from a suspicious extension from Safari on Mac, click Show in Finder in the pop-up window.
Step 3. Launching Finder to uninstall the suspicious extension’s companion app
To get rid of Safari's fake extension’ companion app on Mac, right-click the app and select Move to Bin/ Trash.
Step 4. Moving the fake extension’s companion app to the Bin/Trash

How to delete fake extensions from Safari using a third-party app

Removing fake Safari extensions manually can be counterproductive, as it might be difficult to identify whether an extension is dangerous or not. It’s best to use a third-party app to get rid of them. To remove suspicious Safari add-ons with MacKeeper’s StopAd tool:

  1. Launch the MacKeeper app.
  2. Select StopAd from the left sidebar, under Privacy.
  3. Click the Open button.
  4. Click the Enable button next to Safari extension to install it.
  5. Click Open Safari Preferences and, on the new window, check all the boxes in the Extensions tab.
  6. Go back to the MacKeeper app, then click the Turn on button next to Safari extension.
To delete fake extensions in Safari, open the StopAd tool within the MacKeeper app.
Step 1. Opening the StopAd tool in the MacKeeper app
To stop fake extensions from installing on your Mac, enable the StopAd extension.
Step 2. Enabling the Safari extension
To remove suspicious content from Safari, open the Safari preferences panel.
Step 3. Opening the Safari Preferences panel
To install StopAd’s Safari extension, check all the boxes in Safari’s Extensions tab.
Step 4. Checking all the boxes in Safari’s Extensions tab
To enable StopAd’s Safari extension, click on the Turn on button.
Step 5. Turning on the StopAd’s Safari extension

3. Delete malicious extensions and redirects from Google

Google is the most popular web browser, and if you also use it on your Mac, Shlayer infection may have caused malicious extensions to be installed on the app. Below, we’ll show you how to remove dangerous extensions in Google:

  1. Launch the Chrome app on your Mac.
  2. Click on the three vertical dots icon in the top right corner of your screen.
  3. Click Extensions from the first dropdown menu, then select Manage Extensions from the second one.
  4. After your Chrome extensions page opens, find the malicious extension you want to get rid of.
  5. On the extension, click the Remove button.
  6. Click Remove again to confirm.
To delete malicious extensions from Chrome on Mac, click the three-dot icon on the browser and choose Manage Extensions.
Step 1. Launching Chrome’s extensions settings
To remove malicious add-ons from Chrome on Mac, click the Remove button on the extension’s box.
Step 2. Deleting a malicious extension from Chrome
To get rid of a fake extension from Chrome on Mac, click the Remove button to confirm your decision.
Step 3. Confirming you want to remove the fake extension

How to get rid of malicious extensions from Google using a third-party app

Deleting all the Google extensions you find suspicious one by one is a good way to start getting rid of the Shlayer malware on your Mac, but you’ll need to go a step further if you want to do a proper clean-up, namely, using a cleaning app. To get rid of all malicious browser extensions, use MacKeeper’s Smart Uninstaller tool:

  1. Open MacKeeper on your Mac.
  2. Select Smart Uninstaller from the sidebar, under Cleaning.
  3. Click Start Scan and wait until it’s complete.
  4. Click Browser Extensions from the list, then select Google Chrome on the right.
  5. Unfold the list of Google Chrome extensions and check those you don’t recognize or suspect are malicious.
  6. Click Remove Selected.
To remove suspicious extensions from Chrome, launch MacKeeper’s Smart Uninstaller, then click Start Scan.
Step 1. Opening Smart Uninstaller and starting the scan
To delete extensions from Chrome, select any suspicious ones and click Remove Selected.
Step 2. Selecting and removing suspicious Chrome extensions

4. Get rid of fake extensions and redirects from Firefox

Even if you don’t use Firefox often, as long as it’s installed on your Mac, it may be at risk of being threatened by the Shlayer Trojan. Therefore, our experts recommend checking for any unwanted and/or fake extensions and removing them. This is how you can get rid of fake Firefox add-ons on a Mac:

  1. Launch Firefox on your Apple device.
  2. Click on the hamburger button at the top right corner.
  3. Click Add-ons and themes.
  4. Go to the Extensions tab.
  5. Find the extension you want to delete, then click on the three-dot icon.
  6. Select Remove from the dropdown menu.
  7. Confirm by clicking Remove again.
To delete suspicious extensions from Firefox on Mac, click the three-bar icon, then select Add-ons and themes.
Step 1. Launching the Add-ons and themes menu
To remove fake extensions from Firefox on Mac, click Remove on the extension.
Step 2. Deleting a fake extension from Firefox
To delete a suspicious extension from Firefox on Mac, click Remove to confirm.
Step 3. Confirming you want to remove the extension

How to remove fake extensions from Firefox using a third-party app

To remove fake extensions from Firefox, you can use a third-party cleaning such as MacKeeper and, more specifically, its Antivirus and Smart Uninstaller tools found in the suite. For your comfort, we’ll leave the instructions on how to use both of them in other sections of this article.

5. Delete malicious extensions and redirects from Opera

If you use Opera on your Mac, either as your primary or secondary browser, it’s imperative that you check if Shlayer has installed any malicious extensions without you noticing. It's a very simple process. Find out below how to delete malicious add-ons in Opera:

  1. Open Opera on your Mac.
  2. In the bottom left corner, click on the three-dot icon.
  3. The Sidebar Setup will open.
  4. Scroll down and click Extensions under Opera Tools.
  5. In the new window, find the unwanted extension and click Remove.
  6. Click Remove from the confirmation dialog in the top right corner.
To remove an unrecognized extension from Opera on Mac, click the three-dot icon on the browser and select Extensions under Opera Tools.
Step 1. Opening the Extensions settings in Opera
To delete unknown extensions from Opera on Mac, click the Remove button on the extension.
Step 2. Removing a suspicious extension from Opera
To rid of any suspicious extension from Opera on Mac, click the Remove button to confirm you want to remove it.
Step 3. Confirming you want to remove the extension

How to delete malicious extensions from Opera using a third-party app run

The MacKeeper suite can also help you get rid of malicious Opera extensions. Its Antivirus and Smart Uninstaller tools are perfect for stopping the Shlayer infection, as well as removing the fake browser add-ons installed on your browsers.

How to delete Shlayer malware from Mac using antivirus software

As you should know by now, relying solely on manual processes to remove malware like Shlayer may not always be effective. Therefore, we highly recommend you use cybersecurity software such as MacKeeper to ensure complete removal of the trojan. To get rid of the Shlayer malware from your Mac with MacKeeper’s Antivirus:

  1. Launch the MacKeeper app.
  2. Select Antivirus from the sidebar, under Security.
  3. Click the Start Scan button and wait until it’s complete.
  4. Click Check All to select all threats found.
  5. Click Move to Quarantine.
  6. Click Restart to relaunch the app.
  7. Click Quarantine and select all threats.
  8. Click Delete, and Delete to confirm.
To delete the Shlayer malware, open MacKeeper’s Antivirus and click Start Scan.
Step 1. Launching MacKeeper’s Antivirus and starting the scan
To remove the Shlayer trojan from your Mac, wait until the scan is finished.
Step 2. Waiting until the scan is complete
To get rid of malicious content from your Mac, move all threats found to quarantine.
Step 3. Moving all threats to quarantine
To make sure all malicious content is deleted, restart the MacKeeper app on your Mac.
Step 4. Relaunching the MacKeeper app
To erase the Shlayer malware from your Mac, click Delete on the MacKeeper app.
Step 5. Deleting all threats found



Using MacKeeper’s Antivirus is also the solution our expert team recommends for you to remove VBS Malware-Gen.

Shlayer virus definition and tips to remove it from your Mac

Shlayer is a harmful malware that has been infecting Mac devices since 2018. It mainly appears in the form of pop-up ads, fake browser extensions, and unwanted apps. However, the real danger lies in clicking on these ads or running such programs, as they install other elements that can track your online activity and collect sensitive personal information.


Falling into the clutches of such malware can be scary, but fortunately, there are steps you can take to reduce the risk:

  • Avoid downloading Torrent files, especially from untrusted sites.
  • If you suspect you’ve already been infected, make sure to delete any files or folders that seem suspicious.
  • Uninstall unrecognized extensions from all your browsers.

If you want to make the whole process quick and pain-free, rely on a cleaning utility to do it for you. We recommend using MacKeeper, which, for an affordable price, includes an excellent antivirus and other useful tools such as StopAd and Smart Uninstaller in scenarios such as this one, where you need to know how to detect malware on Mac.


1. What are the biggest problems Shlayer malware can cause?

Although the pop-up ads that Shlayer malware generates can be very annoying, they’re not the main problem. The real danger lies in clicking on these adverts, which can lead to the installation of potentially harmful programs that may charge you money for a fake service or even steal your private information. Shlayer can also track your online activity and slow down the performance of your Apple device.

2. How do I check my browser for Shlayer malware?

If you suspect that your Mac has been infected by Shlayer, you should start by checking whether any unwanted extensions have been installed in your browser. To do this, go to the Extensions section of all the web browsers you have installed on your computer (Safari, Chrome, Firefox, Opera, etc.) and uninstall those that you haven’t installed voluntarily.

3. Will deleting Chrome get rid of Shlayer malware?

While removing Chrome or any other web browser can be a good first step to eliminating Shlayer and any potentially dangerous extensions that may have been installed without your knowledge, it’s not a definite solution. Shlayer can manifest itself in other ways, so the best approach is to use an antivirus tool that can scan your Mac thoroughly and remove any malware completely.

4. Will antivirus protect my Mac from Shlayer malware?

Yes, using antivirus software is the best way to ensure that your Mac is protected from malware threats like Shlayer. The MacKeeper security suite only sends you real-time alerts when the software detects a virus infection, but it also does a thorough scan and removes any traces of Shlayer once it has already penetrated your Mac.

Use your Mac to the fullest! Sign up and get:
Effective tips on how to fix Mac issues
Reliable advice on how to stay safe online
Mac-world news and updates

Thank you!

You’ll love exploring your Mac with us.

Oops, something went wrong.

Try again or reload a page.

Here’s another sign you need to upgrade your macOS ASAP:

30% off your MacKeeper subscription

Сopy the code now and use it in the MacKeeper checkout after the upgrade.

Copy Code

Please be aware that this code cannot be combined with any other discounts, offers, or promotions.



MacKeeper - your all-in-one solution for more space and maximum security.

Try Now

Read more

CoinMiner Malware
CoinMiner Malware

Run Application


Click Continue


Click Install


Your macOS version is lower than OS 10.11. We’d like to offer you MacKeeper 4 to solve the cleaning, privacy, and security issues of your macOS.