Should a Flash Player installer image ever appear automatically on my Mac?

I have noticed the same exact phenomenon with my 2011 MacBook Pro. It has happened sporadically in the last year or so. I'm very intrigued with the randomness and the length of time between each disk image appearance. It's also concerning that after 3 years there is no solution for this inquiry with multiple claims. It has just happened again to me.

I fell asleep at my desk and woke up to my MacBook Pro in sleep mode. I wake it up to the login screen and I was unable to input my password. It was like my keyboard was disconnected or something was slowing the keyboard input process. I tried 3 times and nothing appeared in the password box. I tried to switch users and had the same effect with the track pad. Then after trying to select various options I was able to get a flashing input for my password. I input my password and immediately after login the disk image window appeared with the flash player installer.

Executable=/Volumes/Flash Player/Install Adobe Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager

Identifier=com.adobe.flashplayer.installmanager

Format=app bundle with Mach-O thin (i386)

CodeDirectory v=20200 size=1280 flags=0x0(none) hashes=56+3 location=embedded

Library validation warning=OS X SDK version before 10.9 does not support Library Validation

Signature size=8524

Authority=Developer ID Application: Adobe Systems, Inc.

Authority=Developer ID Certification Authority

Authority=Apple Root CA

Timestamp=Apr 11, 2015, 9:03:21 PM

Info.plist entries=20

TeamIdentifier=JQ525L2MZD

Sealed Resources version=2 rules=12 files=37

Internal requirements count=1 size=196

I've been having this issue for about a month as well, but only on one of the two user accounts on my Mac. No matter how many times I trash the disk image (either in the Finder or Disk Util) it always returns after a logout or restart.

I've been getting the same problem for a couple of years. It just showed up today after coming out of sleep mode. It is the same burgundy colored installer that you guys have displayed here. I drilled into my system(with Whatsize) and found an installer deep in my system files. inside a folder called PKInstallSandboxManager-SystemSoftware. I made the mistake of trashing it and the folders containing it. It now sits permanently in my trash bin. I can neither delete it nor can I return it to its original location as the computer has rebuilt the system file.

Two thoughts

1) what type of license do you guys have. Individually purchased, CC subscription  or site license(like through a university) I'm just wondering if there is any correlation outside of Adobe. Are those having this issue only of a particular license type?

2)Mac Users Attacked Again by Fake Adobe Flash Update | The Mac Security Blog

Is piyush2508 still tracking this thread?

I've experienced exactly the same behavior multiple times over the years.  One characteristic that has not been mentioned here, is that the DMG file itself is hidden somewhere in the system.  All that is visible is the mounted disk image on the desktop.  Does that match the experience of other posters?

This is a crucial fact, because it make it impossible to follow piyush's recommendation to "unmount and remove this from your system".  Unmounting is easy enough, but I know of no way to locate the DMG file in order to delete it.

I just had 2 of these pop up today. One "Install Adobe Flash Player" and the other "Install Adobe Pepper Flash Player". Here's the Terminal info followed by screenshots.

Install Adobe Flash Player

Executable=/Volumes/Flash Player 1/Install Adobe Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager

Identifier=com.adobe.flashplayer.installmanager

Format=app bundle with Mach-O thin (i386)

CodeDirectory v=20200 size=3680 flags=0x0(none) hashes=176+3 location=embedded

Signature size=8574

Authority=Developer ID Application: Adobe Systems, Inc. (JQ525L2MZD)

Authority=Developer ID Certification Authority

Authority=Apple Root CA

Timestamp=Apr 27, 2017, 12:02:51 AM

Info.plist entries=21

TeamIdentifier=JQ525L2MZD

Sealed Resources version=2 rules=12 files=38

Internal requirements count=1 size=196

Install Adobe Pepper Flash Player

Executable=/Volumes/Flash Player/Install Adobe Pepper Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager

Identifier=com.adobe.flashplayer.installmanager

Format=app bundle with Mach-O thin (i386)

CodeDirectory v=20200 size=3680 flags=0x0(none) hashes=176+3 location=embedded

Signature size=8573

Authority=Developer ID Application: Adobe Systems, Inc. (JQ525L2MZD)

Authority=Developer ID Certification Authority

Authority=Apple Root CA

Timestamp=Apr 27, 2017, 12:13:33 AM

Info.plist entries=21

TeamIdentifier=JQ525L2MZD

Sealed Resources version=2 rules=12 files=38

Internal requirements count=1 size=196

Happened to me today, same as described by others.

I noticed the app icon (within the mounted image) is just the generic white app icon, as shown in the screenshot below.

However the code signature looks OK:

Authority=Developer ID Application: Adobe Systems, Inc.
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 30, 2017, 3:34:07 PM
Info.plist entries=21
TeamIdentifier=JQ525L2MZD
...

Running 'hdiutil info' shows the DMG path and that it was mounted by the root (system) user:

image-path      : /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/decryptedFile.dmg
...
mounting user   : root

That whole folder (/var/folders/.../T) is owned by the root user, and its contents is listed below:

drwx------  2 root  wheel        68 Feb 13 09:54 .AddressBookLocks
drwx------  2 root  wheel        68 Feb 13 09:54 .CalendarLocks
drwxr-xr-x  2 root  wheel        68 Feb 14 23:57 FPInstallMountPoint
drwxr-xr-x  3 root  wheel       102 Feb 14 23:57 FPUnpackPath
drwxr-xr-x  2 root  wheel        68 Feb 14 23:57 PKInstallSandboxTrash
drwxr-xr-x  2 root  wheel        68 Feb 14 02:53 TemporaryItems
drwx------@ 2 root  wheel        68 Feb 13 09:54 com.apple.ctkd
drwxr-xr-x  2 root  wheel        68 Feb 13 09:54 com.apple.wdhelper
-rw-r--r--@ 1 root  wheel  18954147 Feb 14 23:57 decryptedFile.dmg
-rw-------  1 root  wheel       222 Feb 15 04:25 xcrun_db

Searching the web for "PKInstallSandbox" shows it's apparently part of the macOS system updater, which would suggest this may be a staging directory for a system auto-update.

It's conceivable that Apple has integrated a 'partial' auto-update system for Flash, that mounts the image, since its security updates are really important but not all users take the time to download it.

If that's the case, Adobe may not be aware of such a system; Apple should be contacted to find out if this is indeed an OS feature or not. For now I'm just going to unmount it.

I find it weird that there's be no accompanying notification/explanation for an unsolicited disk image.

I recently had this happen. An installer appeared on my desktop without warning. It happened once before and I trashed it but now I don't want to trash it until I know what caused it. "Get Info" doesn't reveal anything about the dmg and a quick spotlight search doesn't show me any dmgs that seem related to this.

I'm very confused where this came from. Any help on how to locate what created it? Adobe or Malware?

This is happening to me as well. I swear I saw it awhile back, 6 months ago, a year ago? But it has come back now.

It's not clear to me exactly how to gather the necessary info. If I can get it to appear again, exactly what should I do?

Thanks for your post. I have been experiencing this exact same problem.

I have

• Latest system 10.10.4, on a macbook pro 2011
• Latest versions of all adobe CC apps (but not all apps installed: Ps, Ai, Indd, acrobat and a few vide editing aps to name a few)
• Latest version of flash, installed from adobe website through their 1-2-3 step process only.
• Never downloaded Flash from any other source.

What i have to add is this:

This 'Shadow disk image' (or whatever it is), will appear randomly, but primarily after a system wake from sleep.

Sometimes MULTIPLE instances will appear on the desktop.

I have had this same behaviour on my work iMac (similar age as Macbook pro, similar specs,similar Adobe CC installation set)

I also think this is a rogue application/malware.

Next time i see it happen ill follow Pijyush's directions to post more relevant info, but thought it important to chime in here, cos i just noticed this weird disk image appear and again (i have yet to actually 'open' even the dmg that appears mounted on the desktop).

It happened just now, and this is why i googled, and found ONLY THIS ONE THREAD, related to the issue. so it seems it is not yet well known about.

Today 20/07/2015, I downloaded some update from adobe—illustrator.

finished my work, closed the laptop and left work.

Reopened the laptop a little later and find this disk image mounted on the desktop.

Trashed it

Thought this to be too common an occurance so decided to google.

Hi xmlilley,

Autoupdate or silent update functionality does not mount any DMG to proceed with the update process, Are you sure the DMG was not mounted manually? Yes, we had a release to provide a security fix on June 23rd.

Can you please perform the following steps to confirm if the Flash Player Installer popping up is legit and upload the screenshots(How to post a screenshot in the forum):

1. Press Spacebar on the 'Install Adobe Flash Player' app in the DMG to view the version which is trying to be installed. This version should be 18.0.0.194
2. Goto Spotlight --> Type Terminal, Press Enter --> inside Terminal type codesign -vvd and drag and drop the app on the terminal, so your query will be codesign -vvd <path to app>

--

Piyush