Cryptominers Hide Malware in Flash Updates

Adobe has vowed to stop updating Flash in 2020. That's good news: Flash is often responsible for slow load times, incompatibility with mobile browsers and serious vulnerabilities in otherwise secure PCs. Palo Alto Networks added yet another entry under that last issue by revealing that hackers are hiding cryptocurrency mining software in Flash updates so they can make money using other people's hardware.

Cryptocurrency mining's popularity exploded in 2017 when Ethereum's value skyrocketed. The rush to mine the nascent cryptocurrency had a significant effect on the graphics card market, inspired countless other companies to introduce their own "coins" and basically pushed cryptocurrency back into the public consciousness. With that rise in consumer interest, however, came more efforts to illicitly mine digital money.

These efforts aren't usually very sophisticated and can be easily detected. Palo Alto Networks discovered in August, however, that someone had found a way to hijack legitimate notifications about new versions of Flash to quietly install cryptocurrency mining software like XMRig. The attack also installed the Flash update, leading people to believe everything was hunky-dory even as their systems were being compromised.

Cryptocurrency mining software can seriously affect a system's performance. That's why many serious miners use dedicated systems, or at the very least run the appropriate mining software when they aren't planning to use a system for anything else. Even if the software hidden in Flash updates is set to use as few resources as possible, however, the fact remains that someone is sacrificing the performance of their victim's PC so they can make money.

The blame here doesn't appear to lie entirely with Flash. Adobe could likely secure the installer better to prevent hijacking its notifications, but the attackers probably targeted Flash simply because it's so popular and is regularly updated. Pretty much everyone has to install Flash, and unless they get one of those notifications, they probably don't think about updating it. That makes it the perfect target for campaigns like this.

Palo Alto Networks said that "organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates." The company has, naturally, also updated its security products to prevent these attacks. In the meantime, Flash users will have to be a little more wary as they count down the days until Adobe lets them out of their misery by finally letting Flash go quietly into the night.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • rantoc
    Something Adobe not secure? Reeeeally *act shocked*
  • spdragoo
    Which is also one of the reasons why, when the notification pops up after logging onto my PC, instead of clicking that link I go directly to Adobe's site to check for a Flash update.
  • stdragon
    Friends don't let friends use Flash. HTML5 or bust!
  • I uninstalled Flash a long time ago. I didn't notice any difference browsing the web.
  • shrapnel_indie
    "Pretty much everyone has to install Flash, and unless they get one of those notifications, they probably don't think about updating it. That makes it the perfect target for campaigns like this."

    Not so much anymore. Most modern browsers have dropped support for the add-on/plug-in model that Flash uses... So unless you've refused to update your browser.... I do suppose that IE can still be a huge culprit... and by extension Edge... or the myriad of small-time browsers out there that aren't paying as close attention to net/web security as they should... chances are you haven't been experiencing Flash in action.

    As to the notifications, it isn't hard to place ads into ad streams that mimic the update notifications either so you install their "alternative," (which can contain the questionable additions) or in some cases, just outright hit you with malware without any Flash update or "replacement."
  • stdragon
    Flash is dead. Those that continue to use it just aren't aware, and continue to use this vector for malware at their own peril!

    Yes, Flash is EVIL!!