What you need to know about Flashback/SabPub

Flashback is the name of a Mac trojan discovered in 2011. Early versions masqueraded as an installer for an Adobe Flash Player update and persuaded users to download and run it. Later versions functioned as a ‘drive-by’ download, exploiting an unpatched vulnerability in the Java runtime (CVE-2012-0507 in the variant that spread most widely in early 2012) to install themselves without any action from the user.

How did Flashback work?

When a Mac user visited a compromised website, a malicious Java applet embedded in the page exploited the vulnerability and downloaded the Flashback installer to the Mac. The installer then presented a fake ‘Software Update’ dialog to try to obtain the user’s admin password. If the user entered it, the trojan installed itself with elevated privileges; if the user declined, it still installed into the user’s own account, with fewer privileges but enough to tamper with the browser.

By April 2012, it was estimated that around 500,000 Macs had been infected. Shortly afterwards, Apple issued several Java updates that patched the vulnerability, and a later update also removed the most common Flashback variants. The same update configured the Java web plug-in to disable itself if no applets had been run for an extended period (Apple cited 35 days). The company also issued a standalone Flashback removal tool for Macs that did not have Java installed.

Apple had already stopped pre-installing Java from OS X Lion (10.7) onwards, and it later stopped producing its own Java distribution altogether, meaning that any Mac users who wanted Java had to download the latest version from Oracle and keep it updated independently.

How did it affect Macs?

Once Flashback had exploited a vulnerable version of Java and infected a Mac, it injected a library into Safari (and other browsers) so that its code ran inside the browser process, where it could intercept web traffic and harvest data from the user’s browsing. This appeared to include usernames and passwords, and the injected code was also used to redirect and fake ad clicks for revenue. Harvested data was sent to a central command-and-control server.
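The browser injection described above is what defenders checked for at the time: Flashback’s user-mode variants set the DYLD_INSERT_LIBRARIES variable, either under the LSEnvironment key in Safari’s Info.plist or in ~/.MacOSX/environment.plist, so that its library was loaded into every new browser process. The following Python script is an added example, not code from the original article and not MacPaw’s or any antivirus vendor’s tool, that parses such plists and reports any injected library. The three plists and the library path /Users/Shared/.libpayload.dylib are constructed samples, not real indicators from an infected machine.

```python
import os
import plistlib
from typing import Dict, List

# Constructed sample plists (not taken from a real machine). The library
# path is a placeholder, not a genuine Flashback indicator.
CLEAN_SAFARI_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.apple.Safari</string>
  <key>CFBundleExecutable</key>
  <string>Safari</string>
</dict>
</plist>
"""

INFECTED_SAFARI_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.apple.Safari</string>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/.libpayload.dylib</string>
  </dict>
</dict>
</plist>
"""

INFECTED_ENVIRONMENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>DYLD_INSERT_LIBRARIES</key>
  <string>/Users/Shared/.libpayload.dylib:/usr/lib/libSystem.B.dylib</string>
</dict>
</plist>
"""

# Where the real files live on a Mac; only read by scan_live_mac().
LIVE_PLIST_PATHS = {
    "Safari Info.plist": "/Applications/Safari.app/Contents/Info.plist",
    "user environment.plist": os.path.expanduser("~/.MacOSX/environment.plist"),
}


def inserted_libraries(plist_bytes: bytes) -> List[str]:
    """Return every library path named by DYLD_INSERT_LIBRARIES in a plist.

    Looks at the top-level dictionary (the ~/.MacOSX/environment.plist layout)
    and at the LSEnvironment sub-dictionary (an app bundle's Info.plist layout).
    The value is colon-separated, like LD_PRELOAD on Linux. Both XML and binary
    plists are accepted, since plistlib autodetects the format.
    """
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, dict):
        return []
    found: List[str] = []
    for container in (data, data.get("LSEnvironment", {})):
        if isinstance(container, dict):
            value = container.get("DYLD_INSERT_LIBRARIES", "")
            found.extend(p for p in str(value).split(":") if p)
    return found


def check_for_injection(plists: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each plist label to the libraries it injects; an empty result means clean."""
    result: Dict[str, List[str]] = {}
    for label, data in plists.items():
        libs = inserted_libraries(data)
        if libs:
            result[label] = libs
    return result


def scan_live_mac() -> Dict[str, List[str]]:
    """Run the same check against the real files, if this machine has them."""
    plists: Dict[str, bytes] = {}
    for label, path in LIVE_PLIST_PATHS.items():
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                plists[label] = fh.read()
    return check_for_injection(plists)


if __name__ == "__main__":
    samples = {
        "clean Safari": CLEAN_SAFARI_INFO,
        "modified Safari": INFECTED_SAFARI_INFO,
        "user environment": INFECTED_ENVIRONMENT_PLIST,
    }
    for label, libs in check_for_injection(samples).items():
        print(f"{label}: injects {', '.join(libs)}")
    live = scan_live_mac()
    print("live scan:", live if live else "no DYLD_INSERT_LIBRARIES entries found")
```

Neither file normally carries a DYLD_INSERT_LIBRARIES entry, so any non-empty result is worth investigating rather than just the placeholder path. The check is mainly of historical interest on current systems: System Integrity Protection stops the Safari bundle being modified, the dynamic linker ignores DYLD_INSERT_LIBRARIES for Apple platform binaries, and ~/.MacOSX/environment.plist has not been honoured since OS X 10.8.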

Am I at risk from Flashback?

Almost certainly not. Flashback was discovered in 2011, Apple patched the Java vulnerability in April 2012, antivirus vendors added detections for it, and Java is no longer pre-installed on Macs. If you’re worried, or want to know how to remove Flashback or SabPub, you can use the malware tool in CleanMyMac X to check for it. CleanMyMac X scans your Mac for malware and, if it finds any, allows you to remove it at the click of a button. You can download CleanMyMac X for free here.

What is SabPub?

SabPub was discovered by researchers at Kaspersky Lab in 2012. The researchers described it as a ‘custom OS X backdoor’ that used the same Java vulnerability as the Flashback Trojan.

SabPub was initially discovered in China and worked in much the same way as Flashback, reaching users’ Macs either through a phishing email or a ‘drive-by’ web attack. Once installed, it connected to a command-and-control server and downloaded additional components. After that it could log keystrokes, steal personal data, or enlist the Mac in a botnet used to attack other internet-connected computers.

Is it still a threat?

No. SabPub used the same Java exploit as Flashback, so once the vulnerability was patched it had no way in. It doesn’t appear to have infected anywhere near as many Macs as Flashback: it was used in targeted attacks rather than a mass campaign, and it appeared after Flashback, by which time the patch was already being rolled out.

As with Flashback, if you’re worried about it or any other malware, you can use CleanMyMac X’s malware utility to check.

Removing malware files

The Flashback trojan was notable for the sheer number of Macs that were infected. At its peak, it was estimated that some half a million Macs had been hit by the trojan. Until then, it was widely believed that Macs weren’t susceptible to malware in the wild. Flashback and SabPub changed that view and made it clear that there were many ways in which Macs could be attacked. However, by keeping macOS and any plug-ins such as Java up to date, and regularly scanning your Mac with an anti-malware tool, you can greatly reduce the risk to your Mac.
