After-Death Adobe Flash Player Distributes Adware in China

Minerva Labs’ researchers received multiple alerts about an executable named FlashHelperService.exe that was unpacking suspicious code and showing popups, according to a report published by ZDNet.

The security researchers determined that it was a Chinese version of the Adobe Flash Player app that behaved like adware, opening browser windows with ads.

Although the Flash Player app was formally phased out on December 31, 2020, Adobe gave special permission to a Chinese company to continue distributing Flash inside China. The local IT ecosystem still relies heavily on the Adobe application, which is widely used in both the public and private sectors.

The Chinese version of the Flash Player is available only on The website belongs to Zhong Cheng Network, the entity authorized by Adobe to distribute Flash in China.

In the subsequent analysis, Minerva Labs’ researchers found that the app, besides installing a benign version of Flash, also executed additional payloads.

The app downloaded and ran a file, nt.dll, which was loaded into the FlashHelperService.exe process. This opened a new browser window showing various ad- and popup-heavy sites at regular intervals.
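A defender can hunt for the behaviour described above in endpoint telemetry. The following is an added example, not code from Minerva Labs or the original report: it flags nt.dll loaded into FlashHelperService.exe and browsers spawned by that process at near-regular intervals. The event schema, browser list, thresholds and sample paths are assumptions.

```python
from collections import defaultdict

HELPER = "flashhelperservice.exe"   # process named in the report
PAYLOAD = "nt.dll"                  # module named in the report (not ntdll.dll)
# Assumption: browser image names to watch; adjust to your environment.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

def base(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(events, min_launches=3, jitter=60):
    """Return a sorted list of (host, finding) tuples."""
    findings = set()
    launches = defaultdict(list)
    for e in events:
        if base(e["process"]) != HELPER:
            continue  # only activity originating from the helper process
        target = base(e["target"])
        if e["type"] == "image_load" and target == PAYLOAD:
            findings.add((e["host"], "nt.dll loaded"))
        elif e["type"] == "process_create" and target in BROWSERS:
            findings.add((e["host"], "browser spawned"))
            launches[e["host"]].append(e["t"])
    # Near-equal gaps between launches suggest a timer, not a user click.
    for host, times in launches.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= max(min_launches, 2) and max(gaps) - min(gaps) <= jitter:
            findings.add((host, "periodic browser spawn"))
    return sorted(findings)

# Constructed sample events; schema, hosts and paths are hypothetical.
H = r"C:\example\FlashHelperService.exe"
SAMPLE = [
    {"t": 0, "host": "ws1", "type": "image_load", "process": H, "target": r"C:\Windows\System32\ntdll.dll"},
    {"t": 5, "host": "ws1", "type": "image_load", "process": H, "target": r"C:\example\nt.dll"},
    {"t": 600, "host": "ws1", "type": "process_create", "process": H, "target": r"C:\example\chrome.exe"},
    {"t": 4210, "host": "ws1", "type": "process_create", "process": H, "target": r"C:\example\chrome.exe"},
    {"t": 7805, "host": "ws1", "type": "process_create", "process": H, "target": r"C:\example\chrome.exe"},
    {"t": 900, "host": "ws2", "type": "process_create", "process": r"C:\Windows\explorer.exe", "target": r"C:\example\chrome.exe"},
    {"t": 100, "host": "ws3", "type": "process_create", "process": H, "target": r"C:\example\msedge.exe"},
]

if __name__ == "__main__":
    for host, finding in detect(SAMPLE):
        print(host, finding)
```

The legitimate ntdll.dll load and the user-launched browser on ws2 produce no findings; matching on the exact module file name is what keeps the first from being a false positive.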

Users complained about Flash showing ads on several local blogs, the Adobe support forum, and in many other places.

Notably, one user complained, “Your good company authorised Zhong Cheng Network (“this company”) to distribute Flash Player and provide customer service support in mainland China. But this company implanted Trojan Virus into Flash Player and forces users to install another software which often pops up and collects user information without user permission. Users cannot uninstall this popup software and cannot use a clean Flash Player. Please do withdraw authorisation from this company, and select a trustable distributor in China.”

More alarms started to come from other security researchers and teams who noticed suspicious activity on the part of FlashHelperService.exe. One of them was Cisco Talos, one of the largest commercial cybersecurity firms in the world.

It’s worth mentioning this particular threat doesn’t impact users in the West because a Flash version they would download from won’t work outside China.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.