AAPL Stock: 117.81 ( -0.22 )

Printed from

Fake 'Flash installer' Trojan tries to obtain personal info

updated 06:35 pm EDT, Wed October 12, 2011

Users should be wary of any Flash update

Another malware installer for OS X has appeared, this time a variation on one spotted several weeks ago that masquerades as an installer for Adobe Flash, with the ultimate goal of stealing personal information from browsers and sending it to remote servers. While the latest version has several dead giveaways for savvy users, non-technical Mac users should be wary of any Adobe Flash "updater" they did not personally download from Adobe's own servers.

CNet reports that the new threat behaves like a standard Mac OS X installer package and offers to install Adobe Flash, but in fact Adobe's actual Flash installers do not use the standard Mac OS X installer. Users have to give their administrative password to install the malware, and this is where users should pause and verify that this update was downloaded deliberately by them, and came from a reputable Mac download site or Adobe's own website.

If the latest version of the Trojan (called OSX/Flashback.B by security company F-Secure) is successfully installed, it contacts a remote server and tries to inject code into either Safari or Firefox. By necessity, the program will have to quit and then re-launch the browser(s) when doing this, providing another clue to alert users that something is amiss. It is believed that the purpose of the injected code and remote server connection is to monitor and send personal information (such as login information or banking data) to the remote server.

Users who are comfortable in Terminal can easily detect the presence of the Trojan, though by their nature they would be unlikely to have installed it in the first place. A pair of simple commands (see illustration below) to read the contents of the Safari or Firefox application packages and detect the presence of a files called LSEnvironment quickly reveals if the browser has been compromised. A "does not exist" error will be returned if the browser is unaffected. Removal of the payload is a simple matter of uninstalling and re-downloading fresh copies of either browser.

Users who have installed the outgoing firewall Little Snitch on their machines will never see the threat, as the malware detects the presence of the program and quits and deletes itself if found. The action is presumably an attempt to prevent programs like Little Snitch from alerting users to the malware's presence and also to keep it from revealing the location of the remote server where the personal data would have been sent.

The threat of this latest Trojan is still considered minimal, as users would need to deliberately download it and install it giving their administrative passwords. However, users who are prone to install software without understanding what they are installing should be warned that Adobe Flash software should only be downloaded or installed if it has been deliberately obtained from the Adobe website or a reputable Mac download site.

Intego says it has already adjusted its own anti-malware software to account for the new variation, and Apple will likely updated its own definitions with another "silent" update in the near future to prevent the Trojan from even getting started. [via CNet]

The fake Flash malware installer:

The genuine Adobe Flash installer:

Terminal commands that show no presence of the Trojan:

by MacNN Staff



    Comment buried. Show
  1. facebook_Justin

    Via Facebook

    Joined: Oct 2011


    comment title

    Good. I'd donate to the maker of this, thank you for giving any idiot out there with Flash what they've deserved for a few years now. Anyone stupid enough to continue to use Flash these days deserves viruses. Adobe Flash is nothing but a virus loader anyway. Hope the devs of this make a few more viruses target at idiot Flash users.

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines

Follow us on Facebook


Most Popular


Recent Reviews

Ultimate Ears Megaboom Bluetooth Speaker

Ultimate Ears (now owned by Logitech) has found great success in the marketplace with its "Boom" series of Bluetooth speakers, a mod ...

Kinivo URBN Premium Bluetooth Headphones

We love music, and we're willing to bet that you do, too. If you're like us, you probably spend a good portion of your time wearing ...

Jamstik+ MIDI Controller

For a long time the MIDI world has been dominated by keyboard-inspired controllers. Times are changing however, and we are slowly star ...


Most Commented