OFFICIAL SECURITY BLOG
Tech News News Favorites Adware Medic Tech Guides About Us
Mac Malware GuideAdware Removal GuideMac Performance Guide

We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Fake Adobe Flash players persist

Published August 23rd, 2013 at 10:42 AM EDT , modified August 23rd, 2013 at 10:43 AM EDT

Another fake Flash player has been discovered, and it turns out it has been seen and reported by users on the Apple Support Communities for at least a month. This player is downloaded from sites that tell the user that they need to update their Flash player, and comes in the form of a file named “FlashPlayer11.safariextz,” which users must install themselves (by double-clicking it).

Screen Shot 2013-08-23 at 10.21.12 AMThis extension, like other recent Mac malware, is signed using a certificate from a valid Apple Developer ID. At this point, fortunately, the certificate used to sign the extension has been revoked, so the extension will no longer install if downloaded. (I tested this on a system that had not been updated recently, and even there the extension refused to install.)

This extension, should you have it installed, causes ads to appear on sites that should not normally have ads, and may replace existing ads with others. Often, the ads are pornographic in nature. Removal is easy… simply view all installed extensions in your web browser and remove any claiming to be Flash player. (The real Adobe Flash Player does not install as a browser extension.) In Safari, this is done through the Extensions pane of Safari’s preferences window. Other browsers will work similarly.

Intego VirusBarrier is identifying this as malware, and is calling it OSX/ClickAgent.FLA. For more information, see Intego’s blog post on this topic.

Tags: ,

4 Comments

  • Someone says:
    August 24, 2013 at 4:12 pm

    Flash Player scams combined with pornography? Seriously? These hackers are really lacking in originality… copying parts of the two biggest Mac malware outbreaks. Tell me when this thing starts stealing credit cards and using Java loopholes….

  • Al says:
    August 25, 2013 at 2:40 am

    One of the first reports I read said that the sites which ask the user to download and upgrade flash were pornographic sites, so it sounds to me as if they probably have the right audience targeted.

  • Tanna@mmorpg says:
    November 9, 2013 at 12:09 pm

    Sorry for my poor English, but I’m still learning.Hmmmm… What I have to say?
    This is exactly what I had been looking for. . I love the style where it is used on this web page Cheers :))

This post is more than 90 days old and has been locked. No further comments are allowed.