Warning About Adobe Flash Updates

Hey all!
I just wanted to share an experience I had with a fake Adobe Flash updater that contains some pretty scary and extremely annoying Malware. This probably isn't typically what would go in this forum, but I think you need to know because there isn't much info on it that I can find, and it really caused complete chaos with Voiceover for me... I can find lots of info about a "Flashback Trojan" that appeared a while ago, but I believe this is a new version of the thing that's gotten worse. It first appeared about a week ago in the form of a popup window on Spotify saying that I couldn't listen to Spotify content until Adobe Flashplayer was updated. It had the Adobe logo and seemed completely legit. I didn't think twice about clicking the download button since I know Spotify requires Flash to play, and I've installed updates in the past for that reason. A file called "Flashplayer.pkg" was downloaded, which now that I think about it, that should've been a flag because the real updates have always been in .dmg files. I launched the installer package from the downloads folder with command + o and was immediately given the security popup saying that the application was downloaded from an unknown source, and was I sure I wanted to open it. I've gotten this popup in the past when I've downloaded updates straight from the Adobe website, so I clicked right past it. At this point, I was presented with a lovely unlabeled image... I could tab around enough to tell that it was asking me to agree to those terms of service that very few people actually read, but I had to enlist sightling assistance to check the box inside the image. After that, I was taken to another unlabeled image that asked if I was ready to install Flashplayer and had an "install now" button. The next dialogue was accessible and asked for my Apple ID and password. By then, I think the Malware had already installed itself, and entering my password only allowed it to go deeper into my system and probably handed the hackers the keys to my digital kingdom on a silver platter... But still under the impression that the thing was a normal Adobe update, I entered my info and clicked "ok." All was good for about an hour, when I discovered that Spotify was still demanding an update and wouldn't play. I launched the installer again thinking that maybe it didn't go since my mom was the one who helped with the images, and she isn't exactly tech savvy. Upon doing that, my system was instantly taken over by multiple popup windows that didn't respond well to keystrokes and multiplied by the dozens. Within the hour, I had some weird stuff in my downloads folder, and there were images labeled with strange lines of code in the finder toolbar and the toolbar at the top of Pages. I ran MacKeeper and came up with nothing. Now obviously something was horribly wrong, so I looked through my downloads, user library, and running scripts. I got pretty unnerved upon seeing something with "Trojan.backdoor" in the title, so I started doing some extensive googling. Turns out there are two versions of this fake Flash update that have been reported. One is pretty harmless but extremely annoying, and just contains adware that will drive you up the wall with incessant popups. The other one, (the one I believe I got), is scarier and seems to contain the average adware, a virus or worm of some sort that invades your files, and the Trojan that allows whoever created this thing to do basically whatever they want on your system. Anti-malware stuff doesn't always detect it either because somehow or another it's wrapped up nicely in authentic licenses that get it right past the firewall. And if you have Java enabled in your Safari extensions, the thing can install itself without you having a clue until your computer starts acting like it's possessed by evil spirits. I went through all the folders where the stuff has been reported to hide and deleted a ton of files. Then I ran MalwareBytes and removed a ton of adware that I didn't find manually. It was NOT an easy process with Voiceover, as there were still popups like crazy that weren't really willing to go away. My system is now running about five times faster than it was, but the whole reason for writing this long post is to warn you that I lost some data. I had some custom keymaps and such for a braille display that I'd made myself, along with several other script files because I'm starting to learn a little programming, and those are either gone entirely or seem to have been chewed to pieces. The thing also created total chaos in my apps folder. It seems to have picked random bits of programs and dropped them in remote corners of my system. Several files in Dropbox were corrupted, and something has embedded itself in my Spotify application. I'm at the point now where I think I'm going to have to completely restore the hard drive and pray I have a recent backup from before all this happened. To summarize all that, make sure you get your Adobe updates straight from adobe and NOT from any random popups, unless you wanna spend your entire weekend going on a scavenger hunt for everything that's broken or out of place! FYI... The real Adobe Flash installer worked like a charm with Voiceover for me, and it did NOT ask for my password!
Sorry for the ridiculously long post, but I really hope this saves somebody from the horror of installing this thing! :)

Forum: 

#1 Thanks for sharing

Hello,

Thanks for sharing.

Did you change your password? The password you entered during setup and any password on your PC should be considered compromised.
The awful part about getting a Trojan is not knowing how simple or complex it is. IF you performed any backup the day of or after, you should delete it. If you use Time machine, restore your Mac to factory then restore from the backup made prior to infection. IF you don’t use Time machine, copy the files important to you on a USB flash drive then perform the restore. You have to be careful with this as you don’t want to transfer any infected files. I know this sounds drastic but Trojans are harder to eradicate then the malware variants.

HTH and good luck.

#2 mac keeper

Isn't Mac Keeper spyware of it's own? I've seen pop ups of that, I always delete them. Sounds like you learned a lesson to be honst with you. As soon as a pkg, extention is heard, i'd be careful. Hope you get it fixed. You might want to run an antivirus as well. I use virus barrier express. It's free and was in the app sotre last I checked. It's accessible. I'd get it and run it tonight, it might help too.

#3 Passwords changed!

The first thing I did when I realized what I had was clear all my Safari history and check the extensions. There were several things active that I definitely didn't install, and I later read on a forum that the Trojan installs a couple of things in Safari that let it collect all the passwords and such stored in the browser. I removed the extensions, (or at least I think I did), and immediately logged into my old Windows laptop and changed all the passwords I've used on my Mac. I've been watching my accounts really close, and thankfully there hasn't been any activity that I can see. I moved the Trojan file I found to the trash, along with all the other files that I'm aware of it installing, and emptied my trash right after that. I ran MalwareBytes and turned up something like 32 files, and it claims to have gotten rid of all of them. I know I still have something though because Safari is still acting demented, and Spotify launches of its own accord every time I start the computer, which usually results in a force quit. I'm still finding random bits of things way out of place, so a restore is definitely in order. I haven't used Time Machine, but all my important docs are either in Dropbox or my backup thumb drive.

#4 In response to the MacKeeper question...

I have no idea what MacKeeper actually is, but this experience has made me decide that it is nothing I want on my system. After it turned up nothing and I ran MalwareBytes, 8 of the potential threats that MalwareBytes detected were MacKeeper files that I had no idea existed. I never received any kind of popup about MacKeeper, but instead downloaded it directly from the Mac app store thinking it would act like CC Cleaner did for Windows. The only thing wrong with it at first was a ton of ads, but it did seem to do what it said it would. When MalwareBytes turned up those files, (one of which was a "high risk security threat,") I started researching to see which program to believe. The first ten search results claimed that MacKeeper is a massive scam. Apparently it used to be a legit app designed by a company who didn't mind using insane numbers of popup ads to get downloads, and then it sold to a different company operated from the Eukrane who installs scare ware and makes money off the people who call the "Apple support number" on the screen. I never got anything like that, but it has been uninstalled. I am, however, still finding "MacKeeper backups" throughout my library and script folders... Definitely doing a restore as soon as I know I have everything of importance off of there!

#5 Question:

I've only been on the Mac OS for about a year now, and this is the first incident with anything beyond ad ware that I've had to deal with. Until then I did everything on Windows with Jaws and NVDA, and the one encounter with a Trojan I had with that caused me to be extremely paranoid about what I download. That Trojan, however, was WAY less destructive than this one seems to be. Since my only info about this thing comes from extensive googling, I'm just wondering if any of you know if it could/would spread through things like Dropbox files or wifi. I occasionally do school work on my Mac and share it with teachers through Dropbox, and I really have no desire to tell the school tech department that I infected their network with Malware... My mom also shares the same wifi router and works from home, so should she be concerned about this Malware, say, invading her computer and stealing info from her work server? If the answer to any of this is yes, suggestions for preventing it would be greatly appreciated! Thanks for all the help so far! :)

#6 Hi,

Hi,
Disable the wifi on your mac once you run Virus barrier. do a virus scan which can take a couple hours, do what it says, and quarantine/delete the files it says are infected. Run a malware bites again, and do what it tells you to do. Make sure that there are no infected files on your computer and reconnect to the wifi network.
That's all I can say, cause thats mainly what I do if I find infected files.

#7 Thanks so much!

Thanks so much! I have disabled wifi, and the scan is running.

#8 Intego

Hi,

Are all Intego products accessible with Voice Over?

#9 You do not know how lucky you

You do not know how lucky you are. I would report this to avast and AVG as this is what I use for my anti virus scanner on mac. Clamav used to be good until they started charging for it. No thanks. Wow!

#10 Definitely needs reporting!

I definitely think this thing needs to be reported to somebody! I just realized that the latest article I can find on a fake Flash installer is from August of this year. Pretty sure this is a new version of that, and I honestly don't think the scanners are picking up on it. My scans are coming back clear, but my Spotify app is still acting possessed. My TVI fell for the same kind of popup on her Windows laptop the same day I got it on my Mac and is now stuck with something called"Anonymizer" that can't seem to be deleted. I also know people who've seen it come up on Pandora and youTube. It seems to be targeting video and music services... I used AVG for a long time on Windows, so I'll see if I can find contact info for them. I didn't realize there was a Mac version of that either, but I'll download it and see if it turns up anything the others didn't.

#11 report to Spotify

Member of the AppleVis Editorial Team

One thing I would recommend is reporting this to Spotify, as you got the popup while using their app. I know they've had malware vulnerabilities with their apps in the past.

#12 Flash

Why are we still dealing with this inaccessible and insecure software? When will everyone learn that HTML 5 is the future?

#13 Agreed!

Didn't think about reporting to Spotify, but I'll do that now! I know my mom saw what she believes is the same thing on Pandora, so I'll let them know too. And agreed on the HTML5 front! That should've happened a while ago!