Its report claims that about 600,000 Macs have installed the malware - potentially allowing them to be hijacked and used as a "botnet".
The firm, Dr Web, says that more than half that number are based in the US.
Apple has released a security update, but users who have not installed the patch remain exposed.
Flashback was first detected last September when anti-virus researchers flagged up software masquerading as a Flash Player update. Once downloaded, it deactivated some of the computer's security software.
Later versions of the malware exploited weaknesses in the Java programming language to allow the code to be installed from bogus sites without the user's permission.