New Mac malware spreads disguised as Flash Player installer via Google search results

Security experts at Intego are warning Apple Mac users of a new in-the-wild malware threat, which masquerades as an installer for Adobe Flash Player.

The malware, which Intego says appears to be a variant of OSX/Shlayer and OSX/Bundlore, was found hiding on webpages after searching Google for the “exact titles of YouTube videos”:

While searching Google for the exact titles of YouTube videos, Intego’s research team encountered Google search results that, when clicked, pass through multiple redirection sites and end up on a page that claims the visitor’s Flash Player is out of date, and displays deceptive warnings and fake dialog boxes to entice the victim to download a supposed Flash Player updater—which is, in fact, a Trojan horse.

Using the disguise of an Adobe Flash Player update is hardly new for malware, even on Apple Macs, but what is more unusual is how the malware attempts to hide its activities from both the computer user and security software.

According to Intego’s chief security analyst Joshua Long, the bogus Flash installer app is in reality a bash shell script.

The malicious script spews out a password-protected .ZIP archive file, containing a malicious app that is installed in a hidden temporary folder. This app, in turn, downloads a legitimate installer for Flash Player, digitally signed by Adobe, in an attempt not to arouse suspicion.

However, the malicious app also has the ability to download further malware and adware from command-and-control servers operated by whoever is orchestrating the attack.
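
A defender-side triage check for the two traits described above, as an added example that is not from Intego's report or this article: it flags an app bundle whose main executable is a script rather than a Mach-O binary, and reports whether that script carries an encrypted ZIP. It assumes the archive is embedded in the script file itself; `inspect_bundle` and `build_sample` are hypothetical names, and any sample bundle is constructed.

```python
import plistlib
import struct
import sys
from pathlib import Path

# Mach-O and universal ("fat") binary magic numbers, in both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def main_executable(bundle: Path) -> Path:
    """Resolve the bundle's main executable from Info.plist (CFBundleExecutable)."""
    with open(bundle / "Contents" / "Info.plist", "rb") as fh:
        info = plistlib.load(fh)
    return bundle / "Contents" / "MacOS" / info["CFBundleExecutable"]


def inspect_bundle(bundle: Path) -> dict:
    """Classify the main executable and look for a ZIP embedded in a script."""
    data = main_executable(bundle).read_bytes()
    kind = ("mach-o" if data[:4] in MACHO_MAGICS
            else "script" if data[:2] == b"#!" else "unknown")
    result = {"kind": kind, "embedded_zip": False, "zip_encrypted": False}
    # Assumption: the archive travels inside the script file, after the shell code.
    pos = data.find(ZIP_LOCAL_HEADER) if kind == "script" else -1
    if pos != -1 and len(data) >= pos + 8:
        # General-purpose flags sit 6 bytes into the local header; bit 0 = encrypted.
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        result.update(embedded_zip=True, zip_encrypted=bool(flags & 1))
    return result


def build_sample(root: Path, payload: bytes) -> Path:
    """Create a constructed test bundle whose main executable is `payload`."""
    bundle = root / "Sample.app"
    (bundle / "Contents" / "MacOS").mkdir(parents=True)
    with open(bundle / "Contents" / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Sample"}, fh)
    (bundle / "Contents" / "MacOS" / "Sample").write_bytes(payload)
    return bundle


if __name__ == "__main__" and len(sys.argv) > 1:
    print(inspect_bundle(Path(sys.argv[1])))
```

A script as the main executable is not malicious on its own, so treat a `script` result with `zip_encrypted` set as a reason to look closer rather than as a verdict.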

Frankly, in the year 2020, you probably shouldn’t be installing any versions of Flash on your computer – whether they be legitimate or bogus. There are virtually no sites that still rely upon Flash, and even Adobe is keen for you to forget all about it.

Stop making life easy for cybercriminals. Ensure that you don’t have Adobe Flash lingering on any of your computers, and then you’ll know for certain that any prompts to update it can only be malicious. :)

And, of course, all Mac users should be running an up-to-date anti-virus program, and exercising caution about the software they install onto their computers.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
