Fake Adobe Flash Installers Come With a Little Malware Bonus

The good news: A recent scourge of fake Adobe installers really does provide an update to the latest version of Flash. The bad news: It places cryptomining malware on your machine too.

The hack

Researchers at Palo Alto Networks warned this week of the latest evolution in both cryptojacking and fake Flash updates—two popular forms of cyber malfeasance united in one unpleasant parcel. Over the past several months, the researchers have found 113 of these fake updaters, which deposit a cryptocurrency miner called XMRig on the affected device.

Once in place, XMRig works quietly in the background, leeching your computer’s resources to generate Monero, a popular privacy-focused cryptocurrency. What makes this attack especially curious, though, is that it bothers to place the actual Flash update on the device as well. Which is considerate, but also just plain practical, from a cryptojacking perspective.

“It’s likely to make the user think that nothing had gone wrong,” says Ryan Olson, vice president of threat intelligence at Palo Alto Networks’ Unit 42. “Performing the update, and making the user think nothing bad had happened, goes hand in hand with the cryptomining business model. With an attack like ransomware, you’re going to be in the user’s face. Within a few minutes, you’re going to have their files, you’re going to have a pop-up saying, ‘Hey, I stole your data, you need to pay me money.’ But with cryptomining, you want that computer to keep running your software as long as possible.”

Think of it like a parasite that needs to keep its host alive. Gross! Palo Alto Networks says that victims, in this case, were tricked into clicking a phony URL; your best bet to stay safe may be, as always, to mind your browsing.

Who’s affected?

It’s unclear how many users were affected by this particular effort. Beyond the 113 instances Palo Alto Networks found, Olson says they don’t know how many people globally might have encountered or run the impostor installers.

Cryptojacking generally has become quite a scourge. It has run rampant on all corners of the internet, threatening even critical infrastructure. Recent research suggested that $250,000 of Monero was generated by cryptomining software Cornhive alone.

Not all cryptomining necessarily comes with bad intentions; some sites have deployed it as a way to generate revenue. But instances of voluntary cryptomining pale in comparison to the covert sort that chews up CPU power—like the kind Palo Alto Networks discovered.

How serious is this?

Without knowing how many people were fooled, it’s hard to quantify the impact. It is serious in that it’s an extension of the broader trend of cryptojacking, which doesn’t seem to be abating. And if you’re someone who was affected by this, your computer is likely taking a pretty serious performance hit right now.

In the broader scheme of things, though? Not that serious. In fact, given how buggy and vulnerability-ridden Flash has been for, well, years, the fact that this fake installer actually keeps it up to date is about as big a silver lining as we’re going to get.


More Great WIRED Stories