Experts have spotted an OS X scareware campaign that leverages fake Adobe Flash Player installers to trick users into downloading shady software onto their devices.
Johannes Ullrich, dean of research at the SANS Technology Institute, came across the campaign while analyzing Facebook clickbait scams. The attack starts with a popup window informing users that their Flash Player is outdated and instructing them to install an update.
While it’s uncertain what triggers this popup, Ullrich believes it was likely injected by an advertisement on the page he was visiting. Users who click the “OK” button in the popup are taken to a webpage set up to serve a fake Flash Player installer that had been detected as malicious by only a handful of antiviruses on VirusTotal.
The fake Flash Player installer is designed to mimic the legitimate application and is not blocked by Apple’s Gatekeeper security feature.
The installer, signed with a valid Apple developer certificate issued to one Maksim Noskov, installs a genuine copy of the latest Flash Player and attempts to convince users to download applications apparently designed to resolve problems on the victim’s system.
These applications are actually pieces of scareware that attempt to trick users into calling a “support” line where they can allegedly get instructions for addressing the so-called problems. The samples tested by Ullrich were clearly scareware because they claimed to have found serious problems on the system even though the tests were conducted on a clean installation of OS X 10.11.
The expert has published a video showing the fake Flash Player installer and the scareware in action.
Threats designed to target OS X are increasingly common and cybercriminals have been using all sorts of tricks to bypass security mechanisms. A malicious installer spotted last year by researchers exploited a then zero-day local privilege escalation vulnerability in OS X to install adware and other shady software. A newer version of the same installer was later observed using an old method to access the OS X Keychain.
Symantec reported in December that the number of OS X systems infected with malware in the first nine months of 2015 was seven times higher than in all of 2014, despite a drop in the number of newly detected threats.
Related: Apple's Gatekeeper Bypassed Again