What kind of malware is FlutterShell?
FlutterShell is a backdoor targeting macOS users. It is delivered inside fake-but-working Mac apps (a podcast player and PDF viewers) and gives attackers remote control of an infected Mac through a hidden browser window. Researchers at Palo Alto Networks Unit 42 documented the malware as part of a campaign they call Operation FlutterBridge, run by a financially motivated group tracked as CL-CRI-1089.
If FlutterShell is present on a Mac, it should be removed as soon as possible.

FlutterShell overview
FlutterShell is built with the Flutter framework and is bundled inside Mac applications that look and behave like normal software. Variants seen so far are signed with valid Apple Developer IDs and have passed Apple notarization, which allows them to install and run on macOS without the usual "unidentified developer" warnings.
Once launched, the app starts a hidden WebView that loads a page on the attacker's server. That page contains JavaScript code which talks to the app through a "JavaScript-to-native" bridge. In plain terms, the real malicious logic lives on the attacker's website, not inside the app on disk. The operator can change what the backdoor does at any time without releasing a new version.
To slow down analysis, FlutterShell first asks the server how long to wait before contacting it again. The delay is typically between 10 and 20 minutes, so security tools that only watch a sample for a short time may see nothing suspicious.
FlutterShell capabilities
Through the bridge, the attacker can issue commands that the app then performs on the Mac. According to Unit 42's analysis, FlutterShell supports running arbitrary shell commands, reading and writing files, listing the contents of folders, checking whether a file exists, and accessing the user's home folder. It can also read environment variables, which on developer machines often contain API keys and tokens for cloud services.
The malware can resize or close its own WebView window, helping it stay out of sight while it works in the background. Newer variants have renamed their commands to look like ordinary PDF features (for example, the "run command" function was renamed to renderPDF) so that simple inspection of the app does not reveal anything suspicious.
Browser hijacking and Chrome search redirect
Alongside its backdoor role, FlutterShell behaves like adware. It collects a unique identifier for the Mac using the ioreg command and then targets Google Chrome's "Secure Preferences" file. It edits the default search provider entry so that searches are redirected to an attacker-controlled site, sinterfumesco[.]com, which then funnels the user through ad-filled pages.
To force the change to take effect, the malware kills the running Chrome process and relaunches it with the --restore-last-session flag so the user does not notice the browser was restarted.
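A defender-side check for the Chrome modification described above, as an added example that is not from the PCRisk article or the Unit 42 report: it parses a Chrome "Secure Preferences" JSON document and flags a default search provider whose URLs resolve to the domain named in the report. The key path `default_search_provider_data.template_url_data` and the macOS file location are assumptions about Chrome's preference layout; the sample preferences embedded below are constructed.

```python
import json
import os
from urllib.parse import urlparse

# Assumed location of the file on macOS (Chrome's default profile).
SECURE_PREFS_PATH = "~/Library/Application Support/Google/Chrome/Default/Secure Preferences"

# Domain named in the Unit 42 report (defanging brackets removed for matching).
KNOWN_HIJACK_DOMAINS = {"sinterfumesco.com"}


def _hostname(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def find_hijacked_search(prefs, suspicious_domains=KNOWN_HIJACK_DOMAINS):
    """Return human-readable findings for a parsed Secure Preferences dict.

    Assumed key path: default_search_provider_data -> template_url_data,
    which holds the search, suggestion and new-tab URLs of the provider.
    """
    findings = []
    tpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    for key in ("url", "suggestions_url", "new_tab_url"):
        value = tpl.get(key)
        if not value:
            continue
        host = _hostname(value)
        # Match the domain itself and any subdomain of it.
        if host in suspicious_domains or any(host.endswith("." + d) for d in suspicious_domains):
            findings.append(f"{key} points to {host} (short_name={tpl.get('short_name')!r})")
    return findings


def scan_secure_prefs_text(text):
    """Parse a Secure Preferences document from text and scan it."""
    return find_hijacked_search(json.loads(text))


# Constructed sample: the provider still calls itself "Google" but searches go elsewhere.
SAMPLE_SECURE_PREFS = json.dumps({
    "default_search_provider_data": {
        "template_url_data": {
            "short_name": "Google",
            "keyword": "google.com",
            "url": "https://sinterfumesco.com/search?q={searchTerms}",
        }
    }
})

if __name__ == "__main__":
    path = os.path.expanduser(SECURE_PREFS_PATH)
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SECURE_PREFS
    for line in scan_secure_prefs_text(text) or ["no hijacked search provider found"]:
        print(line)
```

The script is read-only; a hit means the provider entry should be reset from Chrome's settings and the Mac checked for the apps named in this article.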
Silent self-updates
FlutterShell abuses Sparkle, a popular update framework for Mac apps, to update itself without asking. Instead of showing the normal approval dialog, it programmatically opens the staged app bundle and immediately quits, so a new version can replace the old one quietly.
| Name | FlutterShell backdoor malware |
| Threat Type | Backdoor, Mac malware, Mac virus |
| Detection Names | Avast (MacOS:Agent-BLM [Trj]), AVG (MacOS:Agent-BLM [Trj]), ESET-NOD32 (OSX/FlutterShell.B Trojan), Kaspersky (UDS:Trojan.OSX.FlutterShell.gen), Symantec (OSX.Trojan.Gen), Full List (VirusTotal) |
| Symptoms | Backdoors are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine. Chrome searches may be redirected to unfamiliar pages. |
| Distribution Methods | Malicious advertising on search engines, fake software download pages (podcast players, PDF viewers), signed and notarized Mac applications. |
| Damage | Stolen credentials and API keys, identity theft, account hijacking, full system compromise, hijacked browser searches, additional infections. |
Conclusion
FlutterShell is dangerous because it looks like a regular Mac app, carries a valid Apple signature, and keeps its real logic on a server the attackers can rewrite at any moment. A single victim can lose passwords saved in their browser, developer secrets stored as environment variables, and control of their search results, while additional payloads can be pushed at any time. If there are signs that a Mac is infected with FlutterShell, the malware should be removed immediately.
More examples of malware targeting macOS are MiniRAT, notnullOSX, and DigitStealer.
How did FlutterShell infiltrate my device?
Operation FlutterBridge relies on malicious advertising (malvertising) on search engines. According to Unit 42, the operators set up shell companies in Ukraine and the United Kingdom, used them to create verified Google Ads accounts, and bought ads that pointed to fake landing pages for podcast and PDF-viewer apps. Victims who searched for a podcast player or a PDF tool clicked the top ad and downloaded what looked like a normal Mac application.
Three variants have been observed so far, disguised as PodcastsLounge, PDF-Brain, and PDF-Ninja. Each one actually works as advertised, which is part of the trick: the user gets a functioning app and has no reason to suspect that the same app is also opening a hidden backdoor in the background.
More generally, Mac malware is also spread through trojans, drive-by downloads, untrustworthy download sources (free file-hosting sites, Peer-to-Peer networks), pirated content, illegal software activation tools ("cracks"), fake updates, and malicious attachments or links in spam mail.
How to avoid installation of malware?
Be careful with sponsored search results and ads, even when they appear at the very top of the page and link to apps that seem legitimate. Download Mac software only from the Mac App Store or the official site of the actual developer. A valid Apple signature alone is not proof that an app is safe, since notarized installers have been used to spread malware in the past.
Keep macOS and installed applications up to date, ignore unexpected emails, links, and attachments, and avoid pirated software and "cracks".
FlutterShell disguising as PDF Viewer (source: unit42.paloaltonetworks.com):

FlutterShell disguising as Podcast Lounge (source: unit42.paloaltonetworks.com):

Unwanted applications removal:
Remove potentially unwanted applications from your "Applications" folder:

Click the Finder icon. In the Finder window, select "Applications". In the Applications folder, look for "MPlayerX", "NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.
Frequently Asked Questions (FAQ)
My computer is infected with FlutterShell malware, should I format my storage device to get rid of it?
A full reformat will remove FlutterShell, but it will also erase everything on the Mac. Before going that far, try a trusted security tool like Combo Cleaner first.
What are the biggest issues that FlutterShell malware can cause?
FlutterShell can let attackers run any command on the Mac, read or write files, and harvest developer secrets such as API keys stored in environment variables. It also hijacks Chrome's default search engine. The end result can be stolen accounts, lost money, hijacked online services, and further infections.
What is the purpose of FlutterShell malware?
The purpose of FlutterShell is to give the attackers ongoing, flexible control over infected Macs while also generating revenue through hijacked browser searches. The logic running on the attackers' server can be changed at any time, so the same infection can be used for data theft today and a different goal tomorrow.
How did FlutterShell malware infiltrate my computer?
FlutterShell was spread through malicious Google Ads that promoted fake but working Mac apps, including a podcast player called PodcastsLounge and PDF viewers named PDF-Brain and PDF-Ninja. The installers were signed with valid Apple Developer IDs and passed Apple notarization, so they installed without the usual warnings.
Tomas Meskauskas
Expert security researcher, professional malware analyst
I am passionate about computer security and technology. I have over 10 years of experience working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats.
The PCrisk security portal is run by the company RCS LT, whose security researchers work together to educate computer users about the latest online security threats.