A flood of fake installers will really update Flash for you – but also install cryptocurrency mining malware

If you think that Flash, the once-popular web plugin, couldn’t die fast enough, even those annoying fake Flash installers riddled with malware aren’t going anywhere any time soon. In fact, they’re getting even sneakier.

New research out of Palo Alto Networks found a recent spike of fake Flash installers not only dropping cryptocurrency mining malware on vulnerable computers — but actually installing Flash while it’s there.

The researchers said that this new technique is a way to deceive the user by tricking them into thinking that it’s a legitimate Flash installer.

Once the installer opens, it quietly implants XMRig, an open source cryptocurrency miner that uses the computer’s processor and graphics card to start mining. All the generated funds are siphoned off to a Monero wallet — making it near impossible to trace. When the mining malware is implanted, the installer downloads a legitimate Flash installer from Adobe’s website and installs it.

Since March, the researchers found over a hundred fake Flash updaters alone.

It’s a little ironic that Flash, one of the buggiest plugins and most attack prone over the years, is still causing headaches. When Flash wasn’t used as a way to used as a way to push malware on users, hackers were imitating it and using the plugin as a springboard to launch their own fake attacks. Flash became so much of a problem that Google began sandboxing Flash (and other plugins) in Chrome almost a decade ago because Flash-based malware was so prevalent.

But since the rise of the more universally supported and easier to use HTML5, Flash use has rapidly been on the decline.

Adobe is set to retire Flash in 2020. Maybe at its demise, we’ll see fewer fake Flash installers too?