Fake Adobe Flash players persist
Published August 23rd, 2013 at 10:42 AM EDT, modified August 23rd, 2013 at 10:43 AM EDT
Another fake Flash player has been discovered, and it turns out it has been seen and reported by users on the Apple Support Communities for at least a month. This player is downloaded from sites that tell the user that they need to update their Flash player, and comes in the form of a file named “FlashPlayer11.safariextz,” which users must install themselves (by double-clicking it).
This extension, like other recent Mac malware, is signed using a certificate from a valid Apple Developer ID. At this point, fortunately, the certificate used to sign the extension has been revoked, so the extension will no longer install if downloaded. (I tested this on a system that had not been updated recently, and even there the extension refused to install.)
This extension, should you have it installed, causes ads to appear on sites that should not normally have ads, and may replace existing ads with others. Often, the ads are pornographic in nature. Removal is easy: simply view all installed extensions in your web browser and remove any claiming to be Flash Player. (The real Adobe Flash Player does not install as a browser extension.) In Safari, this is done through the Extensions pane of Safari’s preferences window. Other browsers will work similarly.
Intego VirusBarrier is identifying this as malware, and is calling it OSX/ClickAgent.FLA. For more information, see Intego’s blog post on this topic.