Software security experts have recently spotted an OS X malware campaign that utilizes fake Adobe Flash Player updates to lure unsuspecting users into downloading and installing shady programs onto their devices.
Researchers from the SANS Technology Institute discovered the said campaign and explained that the fake Flash Player update is apparently being served via malicious advertising on social media. Johannes Ullrich, dean of research at SANS, first reported about the issue and mentioned that he came across the campaign while analyzing Facebook clickbait scams.
"They do not rely on a vulnerability in the operating system. Instead, the user is asked to willingly install them, by making them look like genuine Adobe Flash warnings (and we keep telling users to make sure Flash is up to date, so they are likely going to obey the warning and install the update)," Ullrich explained.
The attack begins with a pop-up window informing users that their Flash Player is outdated and instructing them to install an update. It appears that the alert shows up even if a user's Flash Player is current. Those who click the "OK" button in the pop-up will be taken to a webpage set up to serve an authentic-looking Flash Player installer that had been detected as malicious by only a handful of antivirus programs on VirusTotal.
The fake Flash Player installer is made to mimic the genuine application and is, surprisingly, not blocked by Apple's own Gatekeeper security feature. The Adobe Flash Player update was reportedly signed with a valid Apple developer certificate issued to a developer named Maksim Noskov. It does install a legitimate copy of the latest Flash Player but attempts to persuade users into download applications supposedly designed to resolve problems with their system.
By using a valid Apple developer certificate, the malicious program tricks OS X into believing that it can be trusted, and the code is permitted to execute. The fact that the shady installer was signed with the tech giant's developer certificate is crucial because it allows the malware to bypass a key defense that is built natively into modern versions of Apple's OS X.
Moreover, the beauty of this approach, from the hackers' perspective, is that the attack does not depend on any software vulnerability or loophole. Instead, social engineering is leveraged so the unsuspecting users would unknowingly download and install a malware-infested version of Adobe Flash Player.
Once the malware is successfully installed, "scareware" and other potentially detrimental applications will be installed on the victim's OS X device, and it will pop up more bogus security warnings, which will redirect the victim to the perpetrators' web page, even forcing them to install malicious browser extensions.
Intego, a Mac security software company, identifies the malware as "OSX/InstallMiez" and reports that some others can be picked up as "OSX/InstallCore." The company's research team says that they have found 492 occurrences of malware using the identifier and developer ID, which dates back to at least April 2015.
This fake Flash Player update is a new example of tech support scams that have been around for a while. Until recently, scareware such as this has only been prevalent on and targeted Windows users. Back in December, Symantec reported that the number of OS X systems infected with malware for the first nine months of 2015 alone was seven times higher than in all of 2014.
