What you need to know about Flashback/SabPub
Before we start
Having spent some years coding applications for macOS, we’ve created a tool that everybody can use. The all-round problem fixer for Mac.
So here’s a tip for you: Download CleanMyMac to quickly solve some of the issues mentioned in this article. But to help you do it all by yourself, we’ve gathered our best ideas and solutions below.
Flashback is the name of a Mac Trojan discovered in 2011. It masqueraded as an update to Adobe Flash and persuaded users to download it in order to install the update. A later version of Flashback functioned as a ‘drive-by’ download, exploiting a vulnerability in Java to install itself.
How did Flashback work?
When a Mac user visited an infected website, the malicious code displayed a Java applet that downloaded itself to the Mac. Once downloaded, it installed itself and then presented a fake Software Update window in order to try and obtain the user’s admin password.
By April 2012, it was estimated that around 500,000 Macs had been infected. Shortly afterward, Apple issued several patches to Java to patch the vulnerability and repair the damage caused by Flashback. It also added a feature that disabled Java if it had not been used for the previous 30 days. The company also issued a standalone Flashback removal tool.
Apple stopped pre-installing Java with macOS and producing its own version of Java, meaning that any Mac users who wanted to install it had to download the latest version and keep it updated independently.
How did it affect Macs?
Once Flashback had exploited a vulnerable version of Java and infected a Mac, it inserted itself into Safari and started to harvest data from the user’s web browsing activity. This appeared to include usernames and passwords. These were then sent to a central server.
Am I at risk from Flashback?
Almost certainly not. Flashback was discovered in 2011. Apple patched its Java installation shortly afterward, and antivirus applications added it to their database. And Java is no longer pre-installed on Macs. If you’re worried or want to know how to remove Flashback or SabPub, you can use the Malware Removal tool in CleanMyMac X to check for it. CleanMyMac scans your Mac for malware, and if it finds any, the app allows you to remove it at the click of a button. You can download CleanMyMac X for free here.
What is SabPub?
SapPub was initially discovered in China and worked in much the same way as Flashback, downloading itself to users’ Macs either by using a phishing email or a ‘drive-by’ web attack. Once it had installed itself on a Mac, it connected to a ‘command and control’ server and downloaded additional components. Once it had done that, it could harvest keystrokes and personal data or even use the host computer as part of a botnet to attack other internet-connected computers.
Is it still a threat?
No. SapPub used the same exploit as Flashback, so it was no longer a threat once the Java vulnerability was patched. It doesn’t appear to have infected as many Macs as Flashback, perhaps because it appeared after Flashback and so was patched more quickly.
As with Flashback, if you’re worried about it or any other malware, you can use CleanMyMac X’s Malware Removal utility to scan your Mac.
The Flashback Trojan was notable for the sheer number of Macs that were infected. At its peak, it was estimated that some half a million Macs had been hit by the Trojan. Until then, it was widely believed that Macs weren’t susceptible to malware in the wild. Flashback and SapPub changed that view and made it clear that there were lots of ways in which Macs could be attacked. However, by regularly scanning your Mac with an antimalware tool, you can make sure your Mac is always safe.
