I'm running Mac OS 10.10.3, Chrome 43, Safari 8.0.6. I have Creative Cloud installed, and have Acrobat Pro, PS, Illustrator and some other tools installed. (Recently updated those to CC 2015, but not until after this situation arose.)
Flash Player is installed. Flash Player Help says that I've got the latest on both Chrome and Safari. Which makes sense, as I had believed that Flash Player auto-updates itself. I have consciously permitted it to auto-update.
But, I know that the 'Flash Player' identity is often used to induce people to install software they shouldn't install. I had believed that most of those risks were related to web-pages prompting downloads.
And so, when a disk image recently appeared on my Mac, seemingly encouraging me to run the installer inside it, I'm worried, because it doesn't fit what I had heard about either safe or explicitly unsafe options. The disk image mounted itself without any involvement from me: I didn't request a download, and there were no dialogs asking if an update would be OK. It's called - logically enough - "Flash Player", and contains a file called "Install Adobe Flash Player". It first happened two weeks or so ago, and then again several days ago (June 24, my time). The first time, I simply closed the image. The second time, I grabbed a screen-capture at the time of what appeared:
So, is this a legitimate pattern, to have a .dmg appear like this? When Flash Player says it's going to 'auto-update' does that mean it's just going to dump a disk image into my machine and wait for me to do the work? Is this image possibly a side-effect of a healthy, normal update, and it simply didn't clean up after itself?
Now, I'm aware that there was recently a critical update to Flash Player. But, I seem to already have that latest, updated version already. Also, this first happened 2 weeks ago, then again. So, is this thing somehow part of the process of me getting normal updates, or... something else?
(Since this is a community forum, I'll be explicit: have you yourself, dear reader, seen this exact behavior, and do you know for a fact that it's part of an approved and safe distribution? Opinions are wonderful, but what I really need are facts. Thank you!)
Hi xmlilley,
Autoupdate or silent update functionality does not mount any DMG to proceed with the update process. Are you sure the DMG was not mounted manually? Yes, we had a release to provide a security fix on June 23rd.
Can you please perform the following steps to confirm if the Flash Player Installer popping up is legit and upload the screenshots (How to post a screenshot in the forum):
--
Piyush
Everything *looks* correct. But, no, I didn't do anything remotely related to downloading a new Flash installer that would explain how it would have been manually mounted. Not even once, let alone twice.
Here's the 'GetInfo' on the installer:
And here's the terminal output:
Identifier=com.adobe.flashplayer.installmanager
Format=bundle with Mach-O thin (i386)
CodeDirectory v=20200 size=1280 flags=0x0(none) hashes=56+3 location=embedded
Signature size=8524
Authority=Developer ID Application: Adobe Systems, Inc.
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jun 19, 2015, 12:48:46
Info.plist entries=20
TeamIdentifier=JQ525L2MZD
Sealed Resources version=2 rules=12 files=38
Internal requirements count=1 size=196
***********************************************
On the surface, everything looks reasonable. Except for why the image is appearing automagically without any intervention. That's the one thing that worries me, unless there's some good reason why an image would be downloaded and mount that way. Repeatedly.
The one other thing that seems wrong is the branding. I just downloaded the official adobe installer and the Finder window for the mounted image looks like this, completely different from what I posted from the other image that mounted itself:
One conspicuous difference versus the official one I just downloaded is the file size: the installer on the one I downloaded (AdobeFlashPlayer_18_a_install.dmg) is 2.2MB. The mysterious one is 16.6MB.
Note, the odd file path in the 'GetInfo' image above is because I made a copy of the image, in case it disappeared, and did GetInfo on the copy. The original one disappeared after a restart, and there's no seemingly-related .dmg to be found.
The AdobeFlashPlayer_18_a_install.dmg is the official online downloader, which downloads and installs the Flash Player at runtime, and the other one, which is ~17MB, is our offline installer, but I am not sure whether this one has been downloaded from our webpages.
Can you also go to the Flash Player Help page to confirm if the latest Flash Player of the version 18.0.0.194 is installed on your system. I don't know how, but you also have an offline installer downloaded on your machine and have mounted the DMG, which will pop up every time you log off and log on. If you feel suspicious about the DMG please go ahead, unmount and move this one to trash.
--
Piyush
Thanks for your post. I have been experiencing this exact same problem.
I have
What I have to add is this:
This 'Shadow disk image' (or whatever it is), will appear randomly, but primarily after a system wake from sleep.
Sometimes MULTIPLE instances will appear on the desktop.
I have had this same behaviour on my work iMac (similar age as Macbook pro, similar specs, similar Adobe CC installation set)
I also think this is a rogue application/malware.
Next time I see it happen I'll follow Piyush's directions to post more relevant info, but thought it important to chime in here, cos I just noticed this weird disk image appear again (I have yet to actually 'open' even the dmg that appears mounted on the desktop).
It happened just now, and this is why I googled, and found ONLY THIS ONE THREAD related to the issue. So it seems it is not yet well known about.
Today 20/07/2015, I downloaded some update from adobe—illustrator.
Finished my work, closed the laptop and left work.
Reopened the laptop a little later and find this disk image mounted on the desktop.
Trashed it.
Thought this to be too common an occurrence so decided to google.
Hi TAK,
The released version of Flash Player now is 18.0.0.203, if the build is older please unmount it and move it to trash.
Thanks
Piyush
Forgive me, Piyush. I'm grateful for your time and assistance, but I think you're missing the point by focusing on the version numbers...
You said earlier:
Autoupdate or silent update functionality does not mount any DMG to proceed with the update process
Yet, we've got mounted DMGs we're not requesting or interacting with, and which have some odd characteristics like unusual logos/branding. So, either:
We need to know which it is: #1, or #2?
Thank you for anything you can do to clear it up.
Exactly!
Yes, in silent and autoupdate no disk is mounted on Mac. My guess is that maybe CC or Illustrator or any other product you are installing or updating is also updating Flash Player along the way but using our offline installer, which is not unmounted later (this time) on the basis of the setup environment mentioned above, but I am not sure.
Regarding the logo, Adobe has revamped itself in terms of branding in context of looks of all products, hence you will see the new dark maroon Flash logo instead of the old red one; please verify the new logo from here --> (Adobe Flash Player Install for all versions)
If you see anything else suspicious about the installer please report it.
At the end, if you are not sure where this build came from, please remove this installer from your system, as this mounted drive appears only if you are manually installing Flash Player using an offline installer.
It is sure this did not come from any Flash Player Update Channel unless someone manually downloaded and launched the offline installer, which you have not done. So please unmount and remove this from your system.
Thanks
Piyush
Is there a link direct to the full 'offline installer' so that we could compare it to this one?
Follow the link in staff msg above: click install and you'll see the latest version number there: Version 18.0.0.203
Hi xmlilley,
Please find the offline installers on page - Installation problems | Flash Player | Mac
Thanks
Piyush
This is happening to me as well. I swear I saw it awhile back, 6 months ago, a year ago? But it has come back now.
It's not clear to me exactly how to gather the necessary info. If I can get it to appear again, exactly what should I do?
I recently had this happen. An installer appeared on my desktop without warning. It happened once before and I trashed it but now I don't want to trash it until I know what caused it. "Get Info" doesn't reveal anything about the dmg and a quick spotlight search doesn't show me any dmgs that seem related to this.
I'm very confused where this came from. Any help on how to locate what created it? Adobe or Malware?
Happened to me today, same as described by others.
I noticed the app icon (within the mounted image) is just the generic white app icon, as shown in the screenshot below.
However the code signature looks OK:
Authority=Developer ID Application: Adobe Systems, Inc.
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 30, 2017, 3:34:07 PM
Info.plist entries=21
TeamIdentifier=JQ525L2MZD
...
Running 'hdiutil info' shows the DMG path and that it was mounted by the root (system) user:
image-path : /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/decryptedFile.dmg
...
mounting user : root
That whole folder (/var/folders/.../T) is owned by the root user, and its contents are listed below:
drwx------ 2 root wheel 68 Feb 13 09:54 .AddressBookLocks
drwx------ 2 root wheel 68 Feb 13 09:54 .CalendarLocks
drwxr-xr-x 2 root wheel 68 Feb 14 23:57 FPInstallMountPoint
drwxr-xr-x 3 root wheel 102 Feb 14 23:57 FPUnpackPath
drwxr-xr-x 2 root wheel 68 Feb 14 23:57 PKInstallSandboxTrash
drwxr-xr-x 2 root wheel 68 Feb 14 02:53 TemporaryItems
drwx------@ 2 root wheel 68 Feb 13 09:54 com.apple.ctkd
drwxr-xr-x 2 root wheel 68 Feb 13 09:54 com.apple.wdhelper
-rw-r--r--@ 1 root wheel 18954147 Feb 14 23:57 decryptedFile.dmg
-rw------- 1 root wheel 222 Feb 15 04:25 xcrun_db
Searching the web for "PKInstallSandbox" shows it's apparently part of the macOS system updater, which would suggest this may be a staging directory for a system auto-update.
It's conceivable that Apple has integrated a 'partial' auto-update system for Flash, that mounts the image, since its security updates are really important but not all users take the time to download it.
If that's the case, Adobe may not be aware of such a system; Apple should be contacted to find out if this is indeed an OS feature or not. For now I'm just going to unmount it.
I find it weird that there'd be no accompanying notification/explanation for an unsolicited disk image.
I just had 2 of these pop up today. One "Install Adobe Flash Player" and the other "Install Adobe Pepper Flash Player". Here's the Terminal info followed by screenshots.
Install Adobe Flash Player
Executable=/Volumes/Flash Player 1/Install Adobe Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager
Identifier=com.adobe.flashplayer.installmanager
Format=app bundle with Mach-O thin (i386)
CodeDirectory v=20200 size=3680 flags=0x0(none) hashes=176+3 location=embedded
Signature size=8574
Authority=Developer ID Application: Adobe Systems, Inc. (JQ525L2MZD)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Apr 27, 2017, 12:02:51 AM
Info.plist entries=21
TeamIdentifier=JQ525L2MZD
Sealed Resources version=2 rules=12 files=38
Internal requirements count=1 size=196
Install Adobe Pepper Flash Player
Executable=/Volumes/Flash Player/Install Adobe Pepper Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager
Identifier=com.adobe.flashplayer.installmanager
Format=app bundle with Mach-O thin (i386)
CodeDirectory v=20200 size=3680 flags=0x0(none) hashes=176+3 location=embedded
Signature size=8573
Authority=Developer ID Application: Adobe Systems, Inc. (JQ525L2MZD)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Apr 27, 2017, 12:13:33 AM
Info.plist entries=21
TeamIdentifier=JQ525L2MZD
Sealed Resources version=2 rules=12 files=38
Internal requirements count=1 size=196
This just happened to me, too.
Here's specifically what happened:
I was doing something on my MacBook completely unrelated to flash player. For some unknown reason, my computer froze (the clock stopped ticking; I don't remember what happened to the cursor).
The screen then switched to the login screen. It did not restart. I logged back in, and it started all my apps up from scratch.
At that point, on my desktop, appeared two disk images: "Install Adobe Flash Player" and "Install Adobe Pepper Flash Player."
I immediately suspected they were malware, so I ejected them. I then emptied my trash, and saw that two items were deleted therefrom. I didn't (unfortunately) examine said items, before deleting them, but I'm guessing they were the unmounted disk images.
I then opened system preferences, clicked on "flash player," and confirmed that my NPAPI and PPAPI plug-ins are up to date.
I just had this exact same situation. It was as if my MacBook crashed and went to the login screen. When it returned, this rogue Flash Player Installer disk image was mounted on the desktop. The only thing I had done out of the ordinary just prior was visit Fandango.com and RottenTomatoes.com. These sites seem to possibly be heavy with Flash content, perhaps this is related?
Is piyush2508 still tracking this thread?
I've experienced exactly the same behavior multiple times over the years. One characteristic that has not been mentioned here, is that the DMG file itself is hidden somewhere in the system. All that is visible is the mounted disk image on the desktop. Does that match the experience of other posters?
This is a crucial fact, because it makes it impossible to follow piyush's recommendation to "unmount and remove this from your system". Unmounting is easy enough, but I know of no way to locate the DMG file in order to delete it.
Hi,
Unfortunately, we've not been able to reproduce this behaviour, which makes it very difficult to investigate/troubleshoot.
Can you please do the following:
Thank you.
--
Maria
Hi,
I have also had this happen to me today: after logging in my iMac (macOS Sierra 10.12.6), I found two disk images mounted on my desktop named Flash Player.
The first contains an app called "Install Adobe Flash Player" and the second "Install Adobe Pepper Flash Player".
Here is the result of hdiutil info:
framework       : 444.50.16
driver          : 10.12v444.50.16
images          : 2
================================================
image-path      : /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/decryptedFile.dmg
image-alias     :
shadow-path     : <none>
icon-path       : /System/Library/PrivateFrameworks/DiskImages.framework/Resources/CDiskImage.icns
image-type      : UDIF compressé lecture seule (bzip2)
system-image    : false
blockcount      : 38904
blocksize       : 512
writeable       : false
autodiskmount   : TRUE
removable       : TRUE
image-encrypted : false
mounting user   : root
mounting mode   : <unknown>
process ID      : 8565
/dev/disk4      Apple_partition_scheme
/dev/disk4s1    Apple_partition_map
/dev/disk4s2    Apple_HFS    /Volumes/Flash Player 1
================================================
image-path      : /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/decryptedFile.dmg
image-alias     :
shadow-path     : <none>
icon-path       : /System/Library/PrivateFrameworks/DiskImages.framework/Resources/CDiskImage.icns
image-type      : UDIF compressé lecture seule (bzip2)
system-image    : false
blockcount      : 37880
blocksize       : 512
writeable       : false
autodiskmount   : TRUE
removable       : TRUE
image-encrypted : false
mounting user   : root
mounting mode   : <unknown>
process ID      : 8664
/dev/disk5      Apple_partition_scheme
/dev/disk5s1    Apple_partition_map
/dev/disk5s2    Apple_HFS    /Volumes/Flash Player
And here is the output of codesign -vvd on both apps:
Executable=/Volumes/Flash Player/Install Adobe Pepper Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager
Identifier=com.adobe.flashplayer.installmanager
Format=app bundle with Mach-O thin (i386)
CodeDirectory v=20200 size=3660 flags=0x0(none) hashes=175+3 location=embedded
Signature size=8574
Authority=Developer ID Application: Adobe Systems, Inc. (JQ525L2MZD)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=20 oct. 2017 15:31:01
Info.plist entries=22
TeamIdentifier=JQ525L2MZD
Sealed Resources version=2 rules=12 files=38
Internal requirements count=1 size=196
Executable=/Volumes/Flash Player 1/Install Adobe Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager
Identifier=com.adobe.flashplayer.installmanager
Format=app bundle with Mach-O thin (i386)
CodeDirectory v=20200 size=3660 flags=0x0(none) hashes=175+3 location=embedded
Signature size=8574
Authority=Developer ID Application: Adobe Systems, Inc. (JQ525L2MZD)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=20 oct. 2017 14:42:02
Info.plist entries=22
TeamIdentifier=JQ525L2MZD
Sealed Resources version=2 rules=12 files=38
Internal requirements count=1 size=196
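An added example, not part of any post in this thread and not Adobe's or Apple's tooling: a Python script that parses the `codesign -vvd` and `hdiutil info` output posted above, compares the displayed signer against the TeamIdentifier and Identifier seen in the thread, and picks out images attached by root from /var/folders. The function names are hypothetical and the sample text is abridged from the posts. `codesign -d` only displays signature fields, so a clean result here still needs `codesign --verify` run against the app itself.

```python
import re
# Constructed samples, abridged from the command output quoted in this thread.
CODESIGN_OUT = """\
Identifier=com.adobe.flashplayer.installmanager
Authority=Developer ID Application: Adobe Systems, Inc. (JQ525L2MZD)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=JQ525L2MZD
"""
HDIUTIL_OUT = """\
================================================
image-path      : /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/decryptedFile.dmg
mounting user   : root
/dev/disk4s2    Apple_HFS    /Volumes/Flash Player 1
"""

def parse_codesign(text):
    """Collect key=value lines; Authority repeats, so keep it as an ordered list."""
    info = {"Authority": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key] = info["Authority"] + [value] if key == "Authority" else value
    return info

def signer_findings(info, team_id, identifier):
    """List the ways the displayed signature differs from the expected signer."""
    chain, findings = info["Authority"], []
    for key, want in (("TeamIdentifier", team_id), ("Identifier", identifier)):
        if info.get(key) != want:
            findings.append("unexpected " + key)
    if not (len(chain) == 3 and chain[0].startswith("Developer ID Application:")
            and chain[-1] == "Apple Root CA"):
        findings.append("unexpected authority chain")
    return findings

def parse_hdiutil(text):
    """Return one dict per attached image: its fields plus mounted volumes."""
    images = []
    for block in re.split(r"(?m)^=+\s*$", text)[1:]:  # [0] is the framework header
        img = {"volumes": []}
        for line in block.splitlines():
            if line.startswith("/dev/"):
                img["volumes"] += re.findall(r"/Volumes/.*\S", line)
            elif ":" in line:
                key, _, value = line.partition(":")
                img[key.strip()] = value.strip()
        images.append(img)
    return images

def staged_by_root(images):
    """Images attached by root from a /var/folders temp path, as seen in the thread."""
    return [i for i in images if i.get("mounting user") == "root"
            and re.match(r"(/private)?/var/folders/", i.get("image-path", ""))]
```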
Thank you for the information. I've forwarded a query to the installer engineers.
Just happened to me as well.
I was booted to login screen, and when I re-logged in I saw two finder windows with a flash installer in each.
I also have Adobe Creative Cloud installed on my computer.
Thank you both for the additional information. Flash Player isn't included in CC subscription, so there is no connection there.