Adobe Flash has long been a prime target for hackers and malware developers. The virtually ubiquitous app seems to have plenty of weaknesses, and presents attackers with an appealing method of exploiting and compromising victims. Currently, both the traditional Adobe Flash, and the Adobe Flash for Android mobile app have caught the attention of attackers.
Adobe Flash is a staple of Web browsing, and is essentially a de facto app installed on just about every Windows, Mac, and Linux PC. The mobile app has been a source of controversy between Apple and Adobe—famously excluded from Apple’s iOS mobile platform—however, Flash was trumpeted as a key selling point for rival Android devices.
Adobe released a new version of the traditional Flash software recently as a part of its regular quarterly update schedule. The update addressed security vulnerabilities in the software, but attackers still found holes to work with and Adobe quickly released yet another update for Flash a week later.
The current attacks against Flash involve a malicious Microsoft Word file attachment, which targets the ActiveX control for Flash in the Internet Explorer Web browser. Users should update to the most current version of Flash to guard against this threat, and both consumers and individuals should take advantage of the automatic updates feature in Adobe Flash to make sure the most recent updates are always installed.
On the mobile side, Flash may have been a good marketing tool as a knife to twist with customers weighing a decision between the two platforms, but the appeal quickly waned. Flash Mobile has been buggy, and performance has been flaky since its inception. Adobe recently announced it will no longer support Flash for Android, and the app was pulled from the official Google Play store.
The problem for users is that Adobe may not be supporting Flash for Android any longer, but that doesn’t mean there aren’t versions available out there somewhere. One of the benefits of Android for many users is its openness, and the fact that apps can be downloaded from a diverse array of third-party sites outside of the official Google Play store.
Attackers know this as well, though, and take advantage of it. Preying on the popularity and demand for Adobe Flash, and the naiveté of average users, attackers have unleashed an avalanche of rogue and malicious apps that appear to be Flash or some suitable equivalent.
Some of the fake Flash apps are more nuisance than threat—opening an app filled with ads, or redirecting users to a website with ads. Apps like these generate money for the attackers by surreptitiously forcing people to the ad sites, which in turn pay the attackers for the traffic. Some of the fake Flash apps are more insidious, though—Trojan horse attacks that seem to be Flash but instead install malicious apps.
While it may seem like Adobe Flash itself is the problem, that isn’t entirely the case. No software is perfect, and Adobe became a popular target more as a function of its success than its weaknesses—the fact that it is available on almost every platform and device makes it a sort of Holy Grail for attackers.
The lesson to take away, though, is not to avoid Adobe Flash. The lesson is that attackers are clever and will find ways to exploit popular third-party applications to circumvent security controls. You need to have a strong cross-device security solution to detect and block threats like these, and protect you from attacks.