A new attack against Apple Mac OS X Lion (10.7) has been detected by Intego. The threat is a Trojan, dubbed Flashback, installed via a fake Adobe Flash installer downloaded from a third-party site.
As with the MacDefender and Revir malware, the Flashback attack relies on social engineering to entice the user to download and then install the malware. The malware is hosted on a site that prompts the user to install Flash in order to view content. The user must elect to install the “Flash” software and then walk through a complete, standard-looking installation process before the malware can function.
The malware presents a standard, professional-looking installer screen while creating a backdoor via a dynamic library called Preferences.dylib. According to Intego, once installed the malware uses RC4 encryption for its communications with a remote server and transmits data such as the user's MAC address, OS version, UUID, and more. Intego also indicates that the backdoor could potentially allow the malware author to inject code onto the target Mac.
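Intego's description of RC4-encrypted communications deserves a closer look, because a static RC4 key gives an operator far less protection than the word "encryption" suggests. The following Python is an added example, not code from Intego, ESET or the malware itself: it implements RC4, encrypts a constructed beacon carrying the kind of fields mentioned above (MAC address, OS version, UUID), and shows two ways an analyst decrypts captured traffic, with the key recovered from the binary, or without the key at all by exploiting keystream reuse when the same key is used for every beacon with no nonce. This goes a step beyond the page: the key, the field layout and the sample values are all invented for illustration, and the real Flashback protocol is not documented here.

```python
"""RC4 as a static-key C2 beacon cipher (constructed example).

Added example, not Intego's or ESET's code and not Flashback's real protocol.
Assumed: the beacon is a fixed-layout text record and the operator used one
static RC4 key with no per-message nonce. Key, layout and values are invented.
"""


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key` (key scheduling, then PRGA)."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA)
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: RC4 is symmetric, a plain XOR with the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def build_beacon(mac: str, os_version: str, uuid: str) -> bytes:
    """Constructed beacon layout: MAC | OS version | hardware UUID."""
    return f"{mac}|{os_version}|{uuid}".encode()


def parse_beacon(plaintext: bytes) -> dict:
    mac, os_version, uuid = plaintext.decode().split("|")
    return {"mac": mac, "os_version": os_version, "uuid": uuid}


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """Keystream reuse attack.

    With a static key and no nonce every beacon is XORed with the same
    keystream prefix. One beacon whose plaintext is known (for example from
    an analyst's own infected VM) yields that keystream, which then decrypts
    any other captured beacon of equal or shorter length without the key.
    """
    keystream = xor_bytes(c_known, p_known)
    if len(c_target) > len(keystream):
        raise ValueError("target beacon longer than recovered keystream")
    return xor_bytes(c_target, keystream)


# Constructed data for the demonstration (invented, not real indicators)
STATIC_KEY = b"example-static-key"
ANALYST_BEACON = build_beacon("00:11:22:33:44:55", "10.7.1",
                              "1B2C3D4E-0000-1111-2222-333344445555")
VICTIM_BEACON = build_beacon("aa:bb:cc:dd:ee:ff", "10.7.1",
                             "9F8E7D6C-AAAA-BBBB-CCCC-DDDDEEEEFFFF")


def demo():
    """Return the victim beacon decoded by both analyst paths."""
    c_analyst = rc4_crypt(STATIC_KEY, ANALYST_BEACON)
    c_victim = rc4_crypt(STATIC_KEY, VICTIM_BEACON)
    # Path 1: key pulled from the binary, decrypt directly.
    direct = parse_beacon(rc4_crypt(STATIC_KEY, c_victim))
    # Path 2: no key, one known plaintext, exploit keystream reuse.
    recovered = parse_beacon(
        recover_with_known_plaintext(c_analyst, ANALYST_BEACON, c_victim))
    return direct, recovered


if __name__ == "__main__":
    direct, recovered = demo()
    print("decrypted with key:  ", direct)
    print("recovered without key:", recovered)
```

The second path is the one that matters operationally: an analyst who captures the C2 traffic of a lab machine whose MAC, OS version and UUID are known can read every other victim's beacon of the same shape without reverse-engineering the key out of Preferences.dylib at all. Any stream cipher reused with a fixed key behaves this way; RC4 is simply the common case in malware of this era.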
Flashback cannot install itself without user intervention, and as of this writing its distribution is extremely small, so the threat posed by the malware is very low.
While this particular malware is not a major threat, it is a reminder that users should follow the best practices of:
Author: ESET Research, ESET