
Google Search Ads Show Malware Again, This Time for Fake Authenticator

Another case of 'malvertising' surfaces via sponsored Google Search results. The ad appears legitimate at first, but there's hidden malware if you click through and download.

By Kate Irwin, Reporter


Multiple cybersecurity firms reported this week that Google Search ads for what appears to be a Google authenticator actually lead to a download for "DeerStealer" malware. This authenticator was not made by Google, but by an unknown threat actor trying to swipe victims' personal information.

In this case, though, Google's ad settings helped make the fake ads look more convincing. The URL to the malware appeared as "https://www.google.com." Google's site also showed that the advertiser who posted the malware had their identity "verified by Google." The advertiser's location showed that they were based in the US, and the description snippet of the ad itself contained the text: "Official Website."

Unfortunately, this has happened before, as Malwarebytes points out with the convincing—but fake and malicious—Amazon ads that surfaced on Google Search last year.

It's unclear how Google verifies its ad information, including the advertiser's real name, location, and product authenticity before ads go live. Google says it uses a mix of human-conducted ad reviews and some automated checks to verify advertisers' identities. Google's website states that all ads are reviewed, typically within one business day. Somehow, this malicious ad passed Google's ad review process.

Clicking on the fake Google authenticator ad would result in multiple redirects, with the eventual destination taking victims to a web page posing as an official Google download page. The malware itself was uploaded to GitHub, likely in an effort to further avoid detection; GitHub does not allow malware for malicious purposes. Malwarebytes' inspection of the code reveals Russian text, which suggests the malware distributor could be of Russian origin.
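The mismatch described above (an ad displaying google.com, a chain of redirects, and a download served from somewhere else) can be checked mechanically from a recorded click. The following is an added example, not code from Malwarebytes, AnyRun or Google; the function names, the site-count threshold and every `.example` host and GitHub path placeholder are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def site(url):
    """Naive registrable domain: last two host labels (assumption; real
    tooling should use the Public Suffix List)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def audit_ad_click(display_url, hops, download_url=None):
    """Return findings for one recorded ad click.

    display_url  -- URL shown in the ad
    hops         -- URLs visited after the click, in order; last is the landing page
    download_url -- URL the landing page's download button fetched, if any
    """
    findings = []
    shown = site(display_url)
    landing = site(hops[-1])
    if landing != shown:
        findings.append(f"landing site {landing} differs from displayed {shown}")
    # Collapse consecutive hops on the same site to count sites crossed.
    crossed = []
    for url in hops:
        s = site(url)
        if not crossed or crossed[-1] != s:
            crossed.append(s)
    # Threshold of 2 is an assumption: one click tracker plus the landing site.
    if len(crossed) > 2:
        findings.append(f"click crossed {len(crossed)} sites: " + " -> ".join(crossed))
    if download_url and site(download_url) != shown:
        findings.append(f"download served from {site(download_url)}, not {shown}")
    return findings

# Constructed sample: .example hosts and the repo path are placeholders, not indicators.
SAMPLE_HOPS = [
    "https://tracker.adredirect.example/click?id=1",
    "https://hop2.cloak.example/r",
    "https://authenticator-download.example/",
]
SAMPLE_DOWNLOAD = ("https://github.com/placeholder-user/placeholder-repo/"
                   "releases/download/v1/Authenticator.exe")

if __name__ == "__main__":
    for finding in audit_ad_click("https://www.google.com", SAMPLE_HOPS, SAMPLE_DOWNLOAD):
        print(finding)
```

A click that stays on the displayed site from ad to download produces no findings, so the output can be used to triage proxy or browser-history records of ad clicks.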

Cybersecurity firm AnyRun also found evidence of this malware this week, with over a dozen fake Google authenticator domains tied to DeerStealer malware. The firm also connected the malware to a Telegram bot account linked to a Russian name. The Telegram bot posts victims' data in Russian, as well.

Since Malwarebytes' report, Google says it's removed the malicious ads in question. "We prohibit ads that attempt to circumvent our enforcement by disguising the advertiser’s identity to deceive users and distribute malware," Google tells PCMag in a statement. "When we identify ads that violate our policies, we remove them and suspend the associated advertiser account as quickly as possible, as we did in this case."

Google says these malware attackers are creating thousands of accounts and deploying various manipulation techniques to evade detection. Google also said it removed over 3.4 billion ads and suspended 12.7 million advertiser accounts last year alone. Now, it's ramping up its efforts to fight what's often referred to as "malvertising," which has been on the rise.

Unfortunately, attackers posing as legitimate companies like Google, Amazon, or other well-known businesses remain an ongoing cybersecurity concern. Malware execution often requires tricking the user into trusting a site and downloading a malicious file, like the Android Trojan posing as a Google Chrome update uncovered earlier this year.

Over the years, a number of malicious apps have surfaced on Google's Play Store. A recent investigation flagged over 90 Android apps as containing malware, some of which were PDF or QR code reader apps.

Legitimate authenticator apps are out there, of course. Just be careful to always double-check the website's URL before downloading anything online, avoid links in unsolicited emails or texts, and consider installing malware protection software or a web browser extension that blocks ads and malicious downloads.
