
Fake Flash Player Update Infects Macs with Scareware [Updated]

Posted on February 5th, 2016 by Graham Cluley

Fake Flash update

Anyone who has been using computers for any length of time should (hopefully) be aware of the endless ritual of updating Adobe Flash against security vulnerabilities. Even if you don't run Flash on your computer, you've surely seen the many headlines in the tech media over the years of the importance of keeping Adobe Flash (and its Acrobat PDF Reader stablemate) updated to protect against malicious attack.

So, what better way to trick someone into having their computer infected than by disguising it as an actual Adobe Flash update?

That's precisely what criminals are doing now, in their attempts to infect Apple Mac users with scareware.

The first sign that criminals are interested in infecting your Mac OS X computer is a pop-up like this appearing while you are browsing the web:

Pop-up claiming Flash is out of date

Following the phoney alert's advice to download an Adobe Flash update from a site you have never heard of is, of course, unwise.

Flash out of date

The beauty of this approach, from the criminals' point of view, is that the attack doesn't rely upon any software vulnerability or exploit. Instead, social engineering is being used to trick the unsuspecting user into unwittingly downloading and running a bogus version of Adobe Flash — designed to infect their computer with scareware.

Johannes Ullrich of the SANS Institute's Internet Storm Center first reported on the threat, noting that the scareware's installer was digitally signed with a valid Apple developer certificate, issued to one Maksim Noskov.

The fact that the scareware installer was signed with an Apple developer certificate is important, because it allows the malware to bypass a key defence that is built into modern versions of OS X.

In an attempt to prevent malicious code from infecting computers running OS X, by default the operating system only allows you to run programs that have been downloaded from the official App Store or that have come from "identified developers."

OS X Security & Privacy dialog

By using a valid Apple developer certificate, the scareware dupes OS X into believing that it can be trusted and the code is allowed to execute.

As we have previously reported, there are ways to exploit vulnerabilities in OS X Gatekeeper to allow malicious code to slide past Apple's defences — but the easiest way, it seems, is simply to sign your code with a valid developer certificate.
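The gap the two paragraphs above describe is that Gatekeeper checks only that a Developer ID signature is valid, not that it belongs to the vendor you expected. The script below is an added example, not code from this article or from Intego: it parses the output of Apple's `codesign -dvv` and `spctl --assess` tools and allows an installer only when Gatekeeper accepts it *and* the signing Team ID is on an allow list you control. The sample tool outputs are constructed to match the real tools' line format, and the Team IDs and bundle identifiers in them (`ADOBEXXXXX`, `NOSKOVXXXX`, `com.example.*`) are placeholders, not real Apple values; the signer name "Maksim Noskov" is the one the article reports.

```python
"""Added example (not the article's or Intego's code): treat "signed" as
different from "trusted" when vetting a downloaded macOS installer.

Gatekeeper accepts any valid Developer ID, so an installer signed with a
certificate issued to an unknown developer passes just like a genuine one.
This script compares the signer's Team ID against an allow list instead.
Team IDs and bundle identifiers below are placeholders, not real values."""
import re
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SignatureInfo:
    identifier: Optional[str] = None
    authorities: List[str] = field(default_factory=list)  # leaf cert first
    team_id: Optional[str] = None


def parse_codesign(output: str) -> SignatureInfo:
    """Extract Identifier, Authority chain and TeamIdentifier from `codesign -dvv` text."""
    info = SignatureInfo()
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Identifier":
            info.identifier = value
        elif key == "Authority":
            info.authorities.append(value)
        elif key == "TeamIdentifier":
            info.team_id = value
    return info


def parse_spctl(output: str) -> Optional[str]:
    """Return 'accepted' or 'rejected' from `spctl --assess --verbose` text, else None."""
    match = re.search(r":\s*(accepted|rejected)\b", output)
    return match.group(1) if match else None


def assess(codesign_out: str, spctl_out: str, allowed_team_ids: Set[str]) -> Tuple[bool, str]:
    """Allow only if Gatekeeper accepts AND the leaf Developer ID belongs to an allow-listed team."""
    info = parse_codesign(codesign_out)
    verdict = parse_spctl(spctl_out)
    if verdict != "accepted":
        return False, "Gatekeeper rejected or could not assess the code"
    if not info.authorities or not info.authorities[0].startswith("Developer ID Application:"):
        return False, "leaf certificate is not a Developer ID Application certificate"
    if info.team_id not in allowed_team_ids:
        return False, f"signed by '{info.authorities[0]}', Team ID {info.team_id} is not allow-listed"
    return True, f"signed by '{info.authorities[0]}', an allow-listed team"


def assess_path(path: str, allowed_team_ids: Set[str], kind: str = "execute") -> Tuple[bool, str]:
    """Run the real tools on macOS. codesign -d prints to stderr, so both streams are merged.
    Use kind="install" for a .pkg and kind="execute" for an .app bundle."""
    cs = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    sp = subprocess.run(["spctl", "--assess", "--type", kind, "--verbose", path],
                        capture_output=True, text=True)
    return assess(cs.stderr + cs.stdout, sp.stderr + sp.stdout, allowed_team_ids)


# Constructed sample outputs in the shape of `codesign -dvv` (placeholders, not real IDs).
GENUINE_CODESIGN = """\
Executable=/Volumes/Flash Player/Install Adobe Flash Player.app/Contents/MacOS/Install Adobe Flash Player
Identifier=com.example.genuine-flash-installer
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Adobe Systems Incorporated (ADOBEXXXXX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ADOBEXXXXX
"""
SCAREWARE_CODESIGN = """\
Executable=/Volumes/Flash Player/Install Adobe Flash Player.app/Contents/MacOS/Install Adobe Flash Player
Identifier=com.example.fake-flash-installer
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Maksim Noskov (NOSKOVXXXX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=NOSKOVXXXX
"""
# Constructed `spctl --assess --verbose` output: Gatekeeper accepts BOTH installers.
ACCEPTED_SPCTL = "/Volumes/Flash Player/Install Adobe Flash Player.app: accepted\nsource=Developer ID\n"


def demo() -> Dict[str, bool]:
    """Show that Gatekeeper alone passes the scareware while the allow list blocks it."""
    allowed = {"ADOBEXXXXX"}  # placeholder: put the vendor's real Team ID here
    results = {}
    for name, cs in (("genuine", GENUINE_CODESIGN), ("scareware", SCAREWARE_CODESIGN)):
        ok, why = assess(cs, ACCEPTED_SPCTL, allowed)
        results[name] = ok
        print(f"{name}: {'ALLOW' if ok else 'BLOCK'} ({why})")
    return results


if __name__ == "__main__":
    demo()
```

Run it on a real download with `assess_path("/Volumes/Flash Player/Install Adobe Flash Player.app", {"<vendor Team ID>"})`; the vendor's Team ID is the value in parentheses on the `Authority=Developer ID Application:` line of a copy you obtained directly from the vendor's own site, which is also the only place the article recommends fetching Flash from.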

Intego VirusBarrier with current virus definitions protects Mac users against this malware, detected as OSX/InstallMiez (and it is probable that some other variants will be picked up as OSX/InstallCore). In all, Intego's research team say that they have found 492 occurrences of malware using the identifier and developer ID, dating back to at least April 2015.

The installers used in the attacks, however, are prone to change — meaning that at any time what they offer to install may be different. Commonly, however, they have been seen offering a variety of products including freeware, shareware and open source tools.

Installer

With a click or two, the installation has begun.

Fake Flash player

It may surprise some to hear that in this particular attack, a genuine version of Adobe Flash is downloaded in the background onto Macs alongside the malware — presumably in an attempt to appear more legitimate to any user who begins to suspect something fishy is afoot.

After the malicious installer is run, the user is prompted to continue with the installation of the legitimate version of Flash.

Flash install

Finally, at the end of this process, scareware or other potentially unwanted applications have been installed on the user's computer and will pop up bogus security warnings, redirect victims to web pages of the attackers' choosing, or install malicious browser extensions.

Security warnings - but can they be trusted?

You should always be suspicious if a program suddenly tells you that you have a myriad of security problems on your computer, especially if you never installed the program in the first place! Always be on the lookout for dodgy apps, and if you ever want to update Flash — make sure you're getting the updates directly from Adobe's own site rather than a web page created by scammers.


Editor's Update — Feb. 8, 2016:

We have received a number of comments from customers confused about how to remove the scareware if infected, and so we updated this article for clarity and conciseness. Intego customers have been protected since April 2015. When Intego VirusBarrier real-time scanning is enabled with up-to-date malware definitions, the anti-virus software will detect and eradicate this malware, identified as OSX/InstallMiez.

Editor's Update — Feb. 10, 2016:

We have heard from several customers concerned after encountering pop-ups in the wild. You can encounter the "out of date" Flash pop-ups and be fine so long as you do not choose to install them. If you ignore the pop-ups (nothing gets downloaded), then nothing bad will happen. For Intego VirusBarrier customers who have real-time scanning enabled, sometimes it will detect the DMG file directly, but other times it may detect something inside the DMG file, in which case real-time scanning will not activate unless you open the installer to start the installation process.

A number of customers have also contacted us in reference to other pop-ups that appear in the Safari browser. What you may be encountering are variants of the pop-up alert scam we see happening a lot right now. For more details about this pop-up alert scam, see our Knowledge Base article.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.
  • papatonyinsd

    Pull down the Apple menu at the upper left corner of your screen

    Go to System Preferences

    Choose Flash Player

    Click on Updates

    Click on Check Now.

    You can trust these steps. Don’t do it any other way!

    • rXwt

      Flash Preferences says:
      “NPAPI Plug-in version 20.0.0.267 is installed.
      PPAPI Plug-in is not installed.

      What does this tell us?

  • Brewfeller

    So… how do we remove the malware or scareware?

  • Mac Bakewell

    Would it be safe then to leave the System Prefs for Flash set to auto update?

    What I don’t know is if malware signed by a legitimate certificate would have the authority to trigger an auto update or not.

  • M J

    Always easy to say “look out for dodgy apps”, but even legit apps follow flaky update policies, so it is hard for average users to tell.

    • Lorne

      Yikes! How long before the bad guys start to produce malware disguised as Intego updates?

      • M J

        What do you mean, “how long before”? It is already happening in the Windows world with other apps. Sophos Security just blogged about a ‘malvert’ that imitates a Java Installer but downgrades your Java installation to an earlier, very insecure version.

        It may have already happened to Intego already.

  • CareforBend

    I said goodbye to Flash so many years ago. Totally unnecessary in today's world.

  • Padre David Poedel

    I may have encountered this. Does it affect the Definition Update? When I tried to update my definitions I got an error message to reinstall that function. I’m having trouble identifying that on your website so I can reinstall the corrupted function.

    • http://www.intego.com Intego

      From what we know, the scareware should not affect Intego software, including the definition updates. We recommend that you contact our support team and provide as much info as you can, and we’ll be happy to triage your issue to help find a resolution.

      You can contact our support team, here: https://support.intego.com/anonymous_requests/new

      (Tip: Click the green “Ask Us” button on the right side of our support page to get in touch with one of our Mac experts via live chat.)

  • webworldfly

    If I want to delete the Flash Player on my iMac permanently, what would you suggest I get as alternative software? I thought that HTML5 does not require the Flash plug-in. If HTML5 without Flash is fine, then why didn't the designers think of a new way without Flash?

    • Jamie

      Go into Finder/Applications. Now I have Adobe Flash from the Creative Cloud (do not remove a Creative Cloud version — dark orange/red folder). Instead, find the Adobe Flash Player folder that has a red rectangle with a white F icon. I moved that icon to my trash, and then emptied trash.

  • Cat Mama

    I encountered this today while visiting a web site. I opened Firefox, went to this site that uses Flash and then got a bunch of pop-ups that I closed immediately (always do). In the background, on my Desktop, Flash was asking to update. I was a bit distracted and since everything looked official, I ran the installer. I am currently scanning my drive but I am nervous because I don’t know if I installed that malware (VirusBarrier has not reported anything so far). None of the windows included in this post came up, and now I am confused.

    • mbh

      I had the same problem as Cat Mama. Once I read the alert I had everything scanned, and nothing showed up. Am I OK?

    • http://www.intego.com Intego

      If you ignore the popups (nothing gets downloaded), then nothing bad will happen. If you have VirusBarrier’s real-time scanning enabled, it should only activate if you start the installation process on the DMG file.

      • Alex

        Uh.. I got the file and I double clicked the DMG but I closed it right away.. so did I get screwed?

  • http://lifeworthliving.us Mark Bordeaux

    Graham,

    Thanks for your article. About a week ago the Adobe message fooled me and I got it. A couple of days later, I got your warning email. My Virus Barrier is set to “real time” and “scheduled” scanning and I have done a “full scan,” but still have Safari infected.

    Obviously, VB has not detected it or eradicated it. What do I do?

    • http://www.intego.com Intego

      Hi Mark,

      If you are infected by this, the Intego Malware Research Team would like to take a look at the sample and identify it. Please send it to us, here: https://www.intego.com/support/submit-malware Thanks!

      • http://lifeworthliving.us Mark Bordeaux

        How may I do that?

        • http://www.intego.com Intego

          You can encounter the “out of date” flash popups and be fine as long as you don’t choose to install them.

          If you never installed anything, what you may be encountering are variants of the popup alert scam we see happening a lot right now. Is this what you’re seeing? https://support.intego.com/entries/92609017-About-the-Web-Browser-Pop-up-Alert-Scam

          • http://lifeworthliving.us Mark Bordeaux

            (See above) I saw the Adobe update message and quickly clicked it as it seemed to be the same as other Adobe updates. Now, Safari is held up and I am using Chrome. Also, thanks for your reply!

  • http://www.anthonymaw.com/ Anthony Maw

    Does Apple not have a certificate revocation mechanism to cancel mis-used Apple Developer certs ?

  • Thom Borle

    Thanks for the article. I was wondering how to not download some of these fake downloads, as the page seems to be locked until you shut down.

  • Cassandra

    How can we be completely certain that the virus is gone? After a scan has been run, the programs uninstalled, and computer cleaned/restarted.

  • JD

    Hi,
    earlier today I received a pop-up that said my Flash Player was out of date. I am aware of some of these scams and noticed it looked suspicious, so on the pop-up I opted to “Leave Page” rather than “Stay on Page”. When I did this, a file called “flashplayer.dmg” instantly downloaded. I immediately found the file and deleted it/emptied my trash. I never opened the file nor gave it any information. I am just curious if I potentially still infected my computer considering it was downloaded, or if the virus only works if the application is clicked and activated (which I did not do). Any thoughts and advice are appreciated, thanks.

    • mello

      The same thing happened to me today! I hope it didn't do anything either.

  • tommy

    what is the fix?

  • Jamie

    Go into Finder/Applications. Now I have Adobe Flash from the Creative Cloud (do not remove a Creative Cloud version — dark orange/red folder). Instead, find the Adobe Flash Player folder that has a red rectangle with a white F icon. I moved that icon to my trash, and then emptied trash. Worked for me.

  • Jim B

    I was able to get rid of it without downloading any special software. I simply went to my Applications and trashed anything that was dated the day it appeared. They hide the name. I also completely cleaned my cache and downloads. That was all that was necessary. It disappeared. No more fake Flash Player or any of the other ones connected to it.

    On a mac to get to the right place hit “Go” on the top bar. You will see the applications and download folders. To get the cache you have to hit the “Go To” button and type in ~/Library/Caches. That will take you to the cache.

    It is really quite easy if you know the steps.
