A Russian-backed bit of malware called Snake has been ported to macOS, according to security blog Fox-IT (via Malwarebytes Labs). Snake is a Trojan disguised to look like a Flash installer, and it’s been around on Windows since 2008 and Linux since 2014.
Snake Trojan on macOS
Snake is malware, but technically it’s a Trojan, so it relies on tricking users into installing it with their own password. It’s in the wild in a file named Install Adobe Flash Player.app.zip. The macOS Snake installer is signed with a (currently) legit developer certificate issued to an “Addy Symonds.”
It’s not known at this point how Snake is spread, although the fact that it imitates an Adobe Flash Player installer suggests a not-very-sophisticated method. (I mean, come on, there are other pieces of software out there! Why are the bad guys so hung up on Flash installers?)
To Malwarebytes’ point, any user sophisticated enough to look for the name on the certificate isn’t likely to either fall victim to the Trojan or be fooled by that name. Everyone else, however, won’t bother looking and could fall for the Trojan.
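The certificate check described above can be scripted. This is an added example, not code from Fox-IT, Malwarebytes, or this article: the shell functions read `codesign -dvv` output and compare the leaf signer with the publisher you expect. The sample output is constructed; only the name "Addy Symonds" and the app name come from the article, and the team ID, paths and identifier are placeholders.

```shell
#!/bin/sh
# Constructed sample of `codesign -dvv` output for the fake installer.
# Team ID, identifier and path are placeholders, not real indicators.
sample_fake() {
cat <<'EOF'
Executable=/tmp/Install Adobe Flash Player.app/Contents/MacOS/Install
Identifier=com.example.placeholder
Authority=Developer ID Application: Addy Symonds (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
EOF
}

# leaf_signer: read codesign output on stdin and print the first
# Authority= value, which is the leaf (developer) certificate.
leaf_signer() {
  sed -n 's/^Authority=//p' | head -n 1
}

# check_signer EXPECTED: read codesign output on stdin.
#   returns 0 if the leaf certificate was issued to EXPECTED
#   returns 1 if the bundle is signed by someone else
#   returns 2 if no Authority line is present (unsigned or ad-hoc)
check_signer() {
  expected=$1
  signer=$(leaf_signer)
  if [ -z "$signer" ]; then
    echo "UNSIGNED: no Developer ID found"
    return 2
  fi
  case "$signer" in
    # Require the full name followed by " (" so that a longer,
    # look-alike name with the same prefix does not match.
    "Developer ID Application: $expected ("*)
      echo "OK: $signer"; return 0 ;;
    *)
      echo "MISMATCH: signed by '$signer', expected '$expected'"
      return 1 ;;
  esac
}

# On a Mac (codesign writes its details to stderr); the publisher
# string is whatever name you expect, supplied by you:
#   codesign -dvv "Install Adobe Flash Player.app" 2>&1 \
#     | check_signer "Adobe Systems, Inc."
```

A valid signature only proves who signed the bundle, so the comparison against the expected publisher is the part that matters here.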
For funsies, Snake Trojan on macOS does actually install Flash. But it also delivers a payload of malware that will give the Russians control over your Mac. Which is something you probably want to avoid.
You can read up on the details of what Snake does at Malwarebytes. Our advice, though, is to not install Flash. If you MUST install Flash, get it directly from Adobe every single time.