Mac – Flash Player.dmg Question


Quick question concerning malicious flash player.dmg files…

I was on news sites (the likes of CNN, BBC, etc.) the other night when suddenly my tab automatically opened a new tab with a long, nonsensical URL, and started automatically downloading a flashplayer.dmg file to my downloads folder. I double-clicked on the file to see what it was: just an image of what seemed to be the Flash Player logo. I didn’t install it, and instead, after reading online that this was malware, I closed the file, deleted the file, ejected it from my desktop, and cleared out my trash can.

My question is whether there was any harm/possible consequences in double-clicking the file? Or would I have had to actually install the file for anything bad to come out of this?

Best Answer

There are occasionally programs that exploit a bug in the OS to infect your macOS without typing an admin password, and those generally are patched quickly and depend on you not having the current latest security updates installed.

Most run-of-the-mill software won’t cause any harm, run any code, or make any changes just because you downloaded a DMG.

If you are super at risk of harm due to malware (human rights worker, journalist (especially one critical of the following powerful groups), a potential target of a nation state or large corporation, or just a public figure - think globally recognized celebrity like Beyoncé) you should assume you’re compromised and seek professional help to be sure you’re secure or educated about your risk tolerance and operational security practices.

For most people, like me and my family, relatives, and work colleagues who aren’t involved in super secret work, I would say that if you didn’t install anything and you don’t see anything going crazy, like browser redirects, then you could safely trash the file and perhaps be sure Safari doesn’t open “safe” attachments and be sure your backups are set.

If a regular security posture user wants to check that malware was installed, I like both a scanner for known attacks and something that looks for persistent processes being hidden.

So to summarize, just clicking is enough to compromise a Mac with the right malware and the right version of macOS. Even if you have a fully patched Mac - the term “zero-day” acknowledges that there are exploits that have no warning and nothing you can do to prevent them from escalating their privileges and changing your Mac without a password entered. They are rare, but do exist in practice as well as in theory.
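
As a companion to the persistence check mentioned in the answer, the following is an added example (not part of the original question or answer) that lists launchd jobs in the standard macOS LaunchAgents and LaunchDaemons folders whose plist changed recently. The 7-day window and the "hidden path" heuristic are assumptions chosen for illustration, and it does not replace a scanner for known malware.

```python
import plistlib
import time
from pathlib import Path

# Standard launchd persistence directories on macOS.
LAUNCHD_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]

def recent_launch_items(dirs=LAUNCHD_DIRS, days=7, now=None):
    """List launchd jobs whose plist changed in the last `days` days (assumed window)."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    items = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for plist in sorted(d.glob("*.plist")):
            if plist.stat().st_mtime < cutoff:
                continue
            try:
                with plist.open("rb") as fh:
                    job = plistlib.load(fh)
            except Exception:
                job = None  # malformed plist: report it anyway
            if not isinstance(job, dict):
                job = {}
            program = job.get("Program")
            argv = job.get("ProgramArguments") or ([program] if program else [])
            argv = [str(a) for a in argv]
            exe = argv[0] if argv else ""
            items.append({
                "plist": str(plist),
                "label": job.get("Label", "?"),
                "command": argv,
                "run_at_load": bool(job.get("RunAtLoad", False)),
                # Heuristic (assumption): executable lives under a dot-directory or is a dot-file.
                "hidden_path": any(p.startswith(".") for p in Path(exe).parts),
            })
    return items

if __name__ == "__main__":
    for item in recent_launch_items():
        flag = "  <-- hidden path" if item["hidden_path"] else ""
        print(f'{item["label"]}: {" ".join(item["command"])}{flag}')
```

An entry you do not recognize is a prompt to look closer, not proof of infection; many legitimate updaters register launchd jobs too.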