Name |
Shlayer |
Category | Adware |
Symptoms | Slow performance, browser redirects, and unwanted pop-up ads |
Infection method | Fake installers |
System damage | Browser tracking, stealing personal information, and unwanted pop-up ads |
Removal |
What is Shlayer malware on Mac?
Apple has gone to great lengths to try and secure macOS from malware. But, a family of malware scripts has found a way to bypass this check and install it on Macs without you ever being prompted.
Shlayer is part of that malware family exploiting Mac computers. It commonly acts as a Flash download. And once a user downloads the “Flash” file, it automatically starts to install. Then, before you know your web browser starts acting up, you’ll probably see a bunch of pop-up ads, and when you try to search for anything, it probably redirects you to another website altogether.
How Shlayer malware works on macOS
Unlike many other forms of malware, the Shlayer trojan doesn’t strongarm its way onto your device. Instead, it waits for you to infect your MacBook yourself. Then, it jumps into action.
Among the goodies it presents to you are adware and browser hijackers. This means a multitude of pop-up ads, as well as changed browser settings. These alterations can include changing your homepage, your new tab pages, and your default search engine. Changing the search engine will enable the attacker to redirect you to their own preferred search engine.
It could also change your browser security settings and monitor your web traffic.
Perhaps the worst part is that it will bring more malware in from their external servers. These may be more dangerous threats, such as trojans, remote access trojans, and keyloggers.
Why Shlayer is more dangerous than typical adware
All malware is dangerous, but some are more dangerous than others. Shlayer falls into the more dangerous category for the following reasons.
First, it does what a lot of malware is unable to do: It can bypass Apple’s built-in security settings, especially Gatekeeper. Gatekeeper protects your MacBook by keeping out all unsigned and illegitimate software. But Shlayer is able to deceive Gatekeeper and pass itself off as approved software.
Second, Shlayer malware is able to adapt, making it much more difficult to detect and destroy. For example, one moment, it’s adware. The next, it invites a trojan to the party.
Third, a Schlayer virus plays the long game. Typical malware gets onto your device and gets to work immediately, making detection likely sooner rather than later. But Schlayer hides inside your system, quietly and subtly embedding itself. It can put its malicious code into Mac processes, set up launch agents, and even encrypt itself to avoid detection by anti-malware tools.
How Shlayer malware infects Macs through various methods
The usual form of delivery for Schlayer malware is an infected software update — such as the infamous fake Adobe Flash Player update — or cracked software from a pirate download website. Once the false update or software has been installed on the target computer, Shlayer comes out of hiding and installs itself.
Other forms of infection include:
- Strategic SEO poisoning to get infected sites at the top of Google and Bing search results
- Phishing emails and chat messages with infected links (links on chat platforms like WhatsApp, Discord, and Telegram can potentially funnel you through shady ad networks, where attackers make money from your searches)
- Legitimate ad networks that have been tricked into accepting ads to malware payloads (when you’re visiting, say, CNN or The New York Times, clicking an ad for a cheap vacation could give you Shlayer malware)
How to get rid of Shlayer malware manually
The tricky thing about Shlayer is that it doesn’t always go by that name. So, removing it can be a bit tedious. You’ll need to navigate to a few different folders to delete malicious files. The easiest way to do it is:
- Open a new Finder window.
- Click Go > Go to Folder.
- Then, paste in the following folder paths and delete the files listed within each:
/Applications/
- Advanced Mac Cleaner
- MyMacUpdater
- MyShopcoupon
- mediaDownloader
/Library/LaunchAgents/
- com.MyMacUpdater.agent.plist
- com.MyShopcoupon.agent.plist
- mm-plugin.dylib
- myshopcoupon.safariextz
~ /Library/Application Support/
- amc
~ /Library/Caches/com.apple.Safari/Extensions/
- chumsearch.safariextz
~ /Library/LaunchAgents/
- com.pcv.hlpramcn.plist
~ /Library/Safari/Extensions/
- chumsearch.safariextz

The other thing you’ll want to check for is any new profiles Shlayer may have created on your Mac. Follow these instructions to check:
- Click the Apple logo > System Settings> General > Device Management.
- Select any unfamiliar profiles listed in the sidebar.
- Then, click the minus icon (–) at the bottom of the window.

How to remove Shlayer automatically
You could, if you had the time and inclination, try to remove Shlayer manually. But this would be a very hit-and-miss affair with no guarantee of success. As noted earlier, Shlayer embeds itself into legitimate macOS processes, so getting it out is a challenge.
The better way to remove malware such as Shlayer is to use a dedicated anti-malware tool specially designed to go after threats like Shlayer. The best choice is CleanMyMac, powered by Moonlock Engine. It’s a lightweight, fast, and powerful Mac optimization platform that you should have on your device to keep it safe 24/7.

Once you have signed up for a free trial and installed CleanMyMac, carry out the following steps to get rid of Shlayer:
- There’s a selection of icons on the left-hand side. Third from the top is a little hand icon. This is the Protection feature, which is what you’ll be needing today. So click on that.
- Click the Configure Scan button to set your scan settings. You can enable Deep Scan (very important), as well as the real-time malware scanner and alerts.
- Now it’s time to go Shlayer hunting. Click the Scan button to unleash CleanMyMac, which will scour your Mac for hidden malware gremlins.
- When Shlayer has been found, CleanMyMac will show you all of the infected files that need to be removed. Select them all and click Remove. You may be able to determine from those files which software app infected your device.
- Once done, click the Cleanup icon (second one down, above Protection) and run it. This will nuke all your junk files, some of which may be connected to Shlayer. This ensures that you remove all Shlayer files completely and can be sure they’re absolutely gone.

Because malware is sneaky by design, it’s a good idea to periodically scan your computer for any additional threats lurking on your hard drive. Sure, you could follow the instructions you just read to do that. But, CleanMyMac is meant to optimize your Mac’s performance, not just delete adware. And it does that by running a handful of other scans and scripts to get your Mac back to where it should be performing.
- Open CleanMyMac.
- Make sure Smart Scan is selected on the left.
- Click the Scan button.

When the scan is done, you can choose to review the details of the cleanup scan it found or click Run to run the available performance tasks.
And if you’re concerned about inadvertently downloading malware of any kind, CleanMyMac even has real-time monitoring to scan the files you save on your computer — just enable malware monitor in CleanMyMac’s Preferences.
Shlayer, although it takes on many other names, can still wreak havoc on your Mac. The worst part is that you may never know what’s going on or how to diagnose it properly. It might just look like a slow and sluggish performance. But, hopefully, after reading this article, you have a better idea of what to look for and how to find and delete those malicious files.