Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Fake Flash Update Serves OS X Scareware

Experts have spotted an OS X scareware campaign that leverages fake Adobe Flash Player installers to trick users into downloading shady software onto their devices.

Experts have spotted an OS X scareware campaign that leverages fake Adobe Flash Player installers to trick users into downloading shady software onto their devices.

Johannes Ullrich, dean of research at the SANS Technology Institute, came across the campaign while analyzing Facebook clickbait scams. The attack starts with a popup window informing users that their Flash Player is outdated and instructing them to install an update.

While it’s uncertain what triggers this popup, Ullrich believes it was likely injected by an advertisement on the page he was visiting. Users who click the “OK” button in the popup are taken to a webpage set up to serve a fake Flash Player installer that had been detected as malicious by only a handful of antiviruses on VirusTotal.

The fake Flash Player installer is designed to mimic the legitimate application and is not blocked by Apple’s Gatekeeper security feature.

The installer, signed with a valid Apple developer certificate issued to one Maksim Noskov, installs a genuine copy of the latest Flash Player and attempts to convince users to download applications apparently designed to resolve problems on the victim’s system.

These applications are actually pieces of scareware that attempt to trick users into calling a “support” line where they can allegedly get instructions for addressing the so-called problems. The samples tested by Ullrich were clearly scareware because they claimed to have found serious problems on the system even though the tests were conducted on a clean installation of OS X 10.11.

The expert has published a video showing the fake Flash Player installer and the scareware in action.

Threats designed to target OS X are increasingly common and cybercriminals have been using all sorts of tricks to bypass security mechanisms. A malicious installer spotted last year by researchers exploited a then zero-day local privilege escalation vulnerability in OS X to install adware and other shady software. A newer version of the same installer was later observed using an old method to access the OS X Keychain.

Symantec reported in December that the number of OS X systems infected with malware in the first nine months of 2015 was seven times higher than in all of 2014, despite a drop in the number of newly detected threats.

Related: Apple’s Gatekeeper Bypassed Again

Related: iOS App Patching Solutions Introduce Security Risks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.