
Fake Flash: Attackers Targeting macOS Users with Malicious Updates

Using behavior-based technologies to block threats on macOS with Symantec Endpoint Protection

Steve Jobs famously hated Flash. If he were with us today he would really hate how malware authors are using fake Flash updates to victimize Mac users.

With Gatekeeper and app notarization, macOS makes it difficult for malicious actors to get malware installed on a Mac. But malware authors have always recognized that security is only as strong as its weakest link, and that weakest link is the human at the keyboard.

Since Apple dropped support for Adobe Flash last year, malware authors have rushed to exploit the gap. The trick is not new, but it has become a common infection vector: users are fooled into downloading and running fake Flash installers. These installers can carry anything from adware to backdoors; Shlayer and Bundlore are two families commonly delivered this way. Even though the installers are often unsigned, so that the user must manually override Gatekeeper to run them, users are evidently willing to click through the OS warnings and install these security risks anyway.

For fake Flash installers, our analysts have written rules that target generic behaviors, such as an installer impersonating an Adobe .dmg, as well as behaviors specific to the malware families hidden inside the fake installers.
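To make the generic behavior described above concrete, here is an added example (not Symantec's rules or code) of how a behavioral rule for the fake-Flash lure could be expressed over process-start telemetry. The event fields, the trusted-signer string, the list of suspicious child processes and the sample events are all assumptions constructed for this illustration.

```python
"""Toy behavioral rule for fake Flash installers on macOS.

Added example: illustrative code, not Symantec's detection logic.
Each ProcEvent stands in for a process-start record as an endpoint agent
might emit it; the field set and the sample events are constructed here.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    path: str                   # absolute path of the executable
    signer: str = ""            # code-signing identity; "" means unsigned
    quarantined: bool = False   # com.apple.quarantine xattr set (downloaded)


# Assumed identity string for a genuine Adobe-signed installer. A production
# rule would pin Adobe's Developer ID Team ID rather than a display name.
TRUSTED_ADOBE_SIGNER = "Developer ID Application: Adobe Inc."

# Generic lure: an executable running from a mounted disk image whose volume
# name invokes Adobe or Flash. Matches "/Volumes/Adobe Flash Player/...".
FLASH_LURE = re.compile(r"^/Volumes/[^/]*(adobe|flash)[^/]*/", re.IGNORECASE)

# Children an installer GUI should not be spawning directly. This list is an
# assumption for the example, not the page's or Symantec's rule content.
DROPPER_CHILDREN = {
    "/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/curl", "/usr/bin/osascript",
}


def evaluate(events):
    """Apply the rule to a list of ProcEvent; return {pid: finding}.

    A finding is raised for any process that matches FLASH_LURE and is not
    signed by Adobe. Severity is 'high' when that process also spawned a
    shell or downloader child, 'medium' otherwise.
    """
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = {}
    for e in events:
        if not FLASH_LURE.search(e.path):
            continue
        if e.signer == TRUSTED_ADOBE_SIGNER:
            continue  # genuine signed installer: no finding
        reasons = ["runs from a mounted image named after Adobe/Flash "
                   "but is not signed by Adobe"]
        if e.quarantined and not e.signer:
            reasons.append("unsigned and quarantined: the user overrode "
                           "Gatekeeper to launch it")
        spawned = sorted(c.path for c in children.get(e.pid, [])
                         if c.path in DROPPER_CHILDREN)
        if spawned:
            reasons.append("spawned " + ", ".join(spawned))
        findings[e.pid] = {
            "severity": "high" if spawned else "medium",
            "path": e.path,
            "reasons": reasons,
        }
    return findings


# Constructed sample telemetry: one unsigned fake installer that drops via
# /bin/sh, one third-party-signed lookalike, one genuine Adobe-signed
# installer and one unrelated signed application.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
              signer="Software Signing"),
    ProcEvent(200, 100, "/Volumes/Adobe Flash Player/Install Adobe Flash Player.app"
                        "/Contents/MacOS/Install Adobe Flash Player",
              signer="", quarantined=True),
    ProcEvent(201, 200, "/bin/sh"),
    ProcEvent(300, 100, "/Volumes/Flash Player Update/Update.app/Contents/MacOS/Update",
              signer="Developer ID Application: Example Co.", quarantined=True),
    ProcEvent(400, 100, "/Volumes/Adobe Flash Player/Install Adobe Flash Player.app"
                        "/Contents/MacOS/Install Adobe Flash Player",
              signer=TRUSTED_ADOBE_SIGNER, quarantined=True),
    ProcEvent(500, 100, "/Applications/Safari.app/Contents/MacOS/Safari",
              signer="Software Signing"),
]


if __name__ == "__main__":
    for pid, finding in evaluate(SAMPLE_EVENTS).items():
        print(f"pid {pid} [{finding['severity']}] {finding['path']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

Running the block reports two findings: the unsigned installer that spawned /bin/sh at high severity and the third-party-signed lookalike at medium; the genuine Adobe-signed installer produces none. The point of a generic rule like this is that it keys on the lure itself (an Adobe-named volume plus a missing or wrong signature, and what the installer does next) rather than on a file hash, so a repacked or previously unseen sample still trips it.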

When the threat is detected, the user sees a notification:

Additional details can be found in the Security History:

This is only one example of the power of behavioral protection on macOS. Symantec, now a division of Broadcom, first introduced behavioral protection technology on Windows, then redesigned it for macOS around file and process attributes and events specific to the Mac. It also supports the new M1-based Macs. Because it keys on what a program does rather than on a known file hash, it is effective at catching unknown threats. Our security analysts continuously research the latest threats targeting macOS and deliver new behavioral protection rules through LiveUpdate.

Symantec is focused on protection across all customer platforms. For the Mac, we continue to build new technologies specific to macOS as well as port and re-engineer technologies proven on Windows.

We recently released Symantec Endpoint Protection 14.3 RU2, which includes native support for Macs with the Apple M1 chip.

The major benefit of native Apple Silicon support is that we do not rely on Rosetta 2, as many other vendors do. Binary translation carries an emulation penalty; as a native Apple Silicon application, the agent gets the full benefit of the M1's performance. The release notes cover the complete details.


About the Author

Wilson Meng

Senior Development Manager

Wilson Meng is a member of Symantec’s Security Technology and Response team. He specializes in threat protection and visibility through behavioral analysis on Windows, Mac, and Linux platforms.
