Perhaps the most common way Trojans spread on the Mac is disguised as updates to Adobe Flash (software you should never have on your computer today and which Adobe should soon shut down completely).
Security researchers at Intego have discovered a new Trojan that reuses code snippets from various older variants and spreads in exactly this way. They found it through regular Google searches. The new variant, which Intego classifies as a new, unique variant of the OSX/Shlayer Trojan, has an "innovative" trick for getting the victim to install the program.
If you double-click an unsigned program in macOS Catalina, you only receive an error message and cannot proceed. To force such a program to start, you have to Ctrl-click or right-click it and select Open from the context menu.
The new Trojan tries to circumvent this by simply instructing whoever downloaded and opened the DMG file to do exactly that.
The "installer" that then runs is actually a bash script that unpacks an encrypted zip file containing a regular Mac program, which in this way gets past the macOS Gatekeeper function and runs without warning. The program runs automatically and downloads a genuine version of Adobe Flash, so the result looks as if you were not affected by any malware at all.
In the background, however, the Trojan keeps running and can install any other malicious code that its developers have placed on the control server the program contacts.
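
A defender can check what a downloaded "installer" really is before anything is opened. The following is an added example, not code from Intego or from the malware: it classifies a file by its leading bytes and flags a shell script that carries an encrypted ZIP entry. It assumes the archive is stored in the same file as the script, which the article does not specify; the function names and sample data are constructed for illustration.

```python
import struct

# Mach-O magic numbers: 32-bit and 64-bit in both byte orders, plus universal (fat)
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def encrypted_zip_entries(data):
    """Names of ZIP entries whose local file header has the encryption bit set."""
    names, pos = [], data.find(ZIP_LOCAL_HEADER)
    while pos != -1 and pos + 30 <= len(data):
        # Fixed 30-byte header: flags at offset 6, file name length at offset 26
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        (name_len,) = struct.unpack_from("<H", data, pos + 26)
        if flags & 0x0001:  # general-purpose bit 0: entry is encrypted
            name = data[pos + 30:pos + 30 + name_len]
            names.append(name.decode("utf-8", "replace"))
        pos = data.find(ZIP_LOCAL_HEADER, pos + 4)
    return names


def triage_installer(data):
    """Classify a file offered as an installer by its bytes, not its name or icon."""
    if data[:4] in MACHO_MAGICS:
        kind = "mach-o"
    elif data[:2] == b"#!":
        kind = "script"
    else:
        kind = "other"
    encrypted = encrypted_zip_entries(data)
    # A shell script carrying an encrypted archive matches the article's description
    return {"kind": kind, "encrypted_entries": encrypted,
            "suspicious": kind == "script" and bool(encrypted)}


def _local_header(name, flags):
    """Build a bare ZIP local file header (constructed test data, no file contents)."""
    return struct.pack("<4sHHHHHIIIHH", ZIP_LOCAL_HEADER, 20, flags,
                       0, 0, 0, 0, 0, 0, len(name), 0) + name


# Constructed samples: harmless scripts followed by a header-only ZIP entry
SAMPLE_FLAGGED = b"#!/bin/bash\nexit 0\n" + _local_header(b"Player.app/", 0x0001)
SAMPLE_CLEAN = b"#!/bin/bash\nexit 0\n" + _local_header(b"readme.txt", 0x0000)

if __name__ == "__main__":
    print(triage_installer(SAMPLE_FLAGGED))
    print(triage_installer(SAMPLE_CLEAN))
```

A hit is only a triage signal: the byte pattern `PK\x03\x04` can occur by chance in other data, so a flagged file still needs manual review.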