Malware

Adobe Flash Player is dead, yet 10% of Macs are infected with fake Flash malware

Posted on January 31st, 2020 by

A recent report (covered by Ars TechnicaWIRED, and others) claims that OSX/Shlayerfirst discovered by Intego in February 2018—continues to be the most prolific Mac malware in the wild, with 1 in 10 Macs infected by it.

Although Intego does not currently maintain infection rate statistics of VirusBarrier X9 customers, our malware research team can confirm that Shlayer may be found far and wide: in high-ranking Google search results, in deceptive in-browser advertisements and alerts, on expired domains that have been purchased by malware distributors, and more.

So what does Shlayer malware look like? It is often delivered in the form of a fake Adobe Flash Player installer. That’s interesting for at least a couple of reasons.

Why is malware still disguised as Flash Player?

Fake Flash Player installers are nothing new; Intego discovered the first variant of the now-infamous OSX/Flashback Trojan in September 2011, which was widely reported to have infected 600,000 Macs by April 2012, and there were still at least 22,000 Macs infected as of January 2014.

On the one hand, it may seem a bit surprising that fake Flash Player installers are still an effective Trojan horse. Shouldn’t everyone have learned their lesson nearly a decade ago, and started being more careful about Flash updates?

And moreover, who even uses Flash anymore? Adobe itself announced in July 2017 that it intended to terminate all Flash Player updates by December 31, 2020. The vast majority of sites that once relied on Flash-based content have converted to HTML5 or other multimedia formats.

Furthermore, many Web browsers have deprecated or completely dropped all support for Flash Player, with Safari for Mac evidently planning to stop supporting it in the next version. (Meanwhile, Safari for iOS has never supported Flash; you might remember the late Apple cofounder and CEO Steve Jobs’ essay, “Thoughts on Flash,” which he published in April 2010; in retrospect, his hard line stance against Flash may be one reason for its eventual demise.)

And yet, in spite all of these things, here we have the most prevalent Mac malware of the day continuing to find success in tricking victims into supposedly “updating their Flash Player.” How is this tactic still working?

Old habits die hard

As Jobs noted in his aforementioned Thoughts on Flash, the software had “one of the worst security records in 2009,” and was “the number one reason Macs crash,” in spite of Apple having worked with Adobe for “several years” to try to remedy these issues.

I recall that, at one point, it was not uncommon for Adobe to release multiple new Flash Player updates within the same month due to critical zero-day vulnerabilities being discovered (yet again) in the software, which meant that it had to be patched urgently lest it be exploited to spread malware.

Part of me wonders if the overly frequent update cycle of yore has anything to do with why users today are still so trigger-happy about installing supposed Flash Player updates whenever they’re prompted to; old habits die hard.

I also strongly suspect that most non-geeks are simply unaware that Flash is no longer useful or necessary, let alone that its final update is scheduled for later this year—all of which means that Flash Player (even the real one!) should be avoided like the plague.

What can be done to stop fake Flash Player updates?

One thing we all can do to help prevent fake-Flash Trojan horses from succeeding is to share these facts with others:

  • Flash is dead. There’s no reason to install it anymore. If you get prompted to install it, don’t do it; you don’t need it, so assume it’s a scam.
  • Flash is dead. Really. You probably don’t even have the old-fashioned Flash Player browser plug-in installed, so if you get prompted to update Flash, don’t do it; assume it’s a scam.
  • If you think you might legitimately have an old version of the Flash Player plug-in installed, get rid of it!
  • If you happen to frequently use a site that you know actually, legitimately, still uses Flash:
    • Access the site using a browser with a built-in, automatically updating version of Flash, like Google Chrome. (Note that, of course, Chrome and other browsers will stop including a built-in Flash Player sometime in 2020.)
    • Contact the owner of the site and ask them to switch from Flash to another technology, if possible. Help them understand that nobody will be able to (safely) use their site anymore after December 31, 2020, because Flash Player will no longer get security updates after that date.

Is my Mac infected with Shlayer malware?

You can download a free trial of Intego’s ultimate Mac protection suite, Mac Premium Bundle X9, to scan your computer and activate realtime protection against OSX/Shlayer and all the latest Mac malware threats.

If you simply want to do a one-time scan, VirusBarrier Scanner is available in the Mac App Store.

Share this article with others

Of course, eventually malware makers will find less success in tricking people into installing fake Flash Players, so they’ll switch tactics to some other Trojan horse. But at least in the mean time we can help our family, friends, and coworkers to avoid falling for fake-Flash installer/updater Trojans.

Please consider sharing a link to this article on Facebook, Twitter, or with anyone who may either benefit from it directly or who may find it useful to share with others in their sphere of influence.

How can I learn more?

Each week on on the Intego Mac Podcast, we discuss security, privacy, and Apple-related topics. Be sure to subscribe to make sure you never miss the latest episode!

Also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for updates.

And make sure you’re following Intego on your favorite social and media channels: Facebook, Instagram, Twitter, and YouTube (click the 🔔 to get notified about new videos).

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh's security research has been featured by many fine publications such as CNET, CBS News, ZDNet UK, Lifehacker, CIO, Macworld, The Register, and MacTech Magazine. Look for more of Josh's articles at security.thejoshmeister.com and follow him on Twitter. View all posts by Joshua Long →