Posted by: David Harley | February 6, 2016

‘Flash’ Scareware Installer: retro but not in a good way

An entry by Johannes Ullrich in the Internet Storm Center’s Handlers Diary looks at an interesting example of a fake Flash update targeting users of OS X: Fake Adobe Flash Update OS X Malware.

It’s not so much the fact that it passes itself off as Flash Player that’s interesting – that’s not particularly unusual, especially for adware – or even that it targets Mac users. Rather, it’s the fact that it actually installs scareware. A few years ago, there was a spate of scareware – notably Flashback – targeting OS X users, but in these days of galloping, ubiquitous ransomware, that seems almost touchingly retro, especially as it apparently also installs a genuine Flash update. I don’t think that makes it particularly public-spirited, though: it’s more to do with making it less obvious that the installer is malicious. It’s signed with a genuine Apple developer certificate, so it wouldn’t be flagged by Gatekeeper (unless it’s been updated since).

Ullrich includes a short video showing how it infects. He also states that detection by security software was pretty poor as measured by VirusTotal, but as he didn’t include a hash or a link to VT, I can’t say if that’s still the case.

Other commentary by Graham Cluley for Intego and Zeljka Zorz for Help Net.

David Harley
