Fake Google Authenticator Ads Spread Malware Through Google Search
Cybersecurity researchers at Malwarebytes Labs have uncovered a malicious campaign where threat actors impersonate Google to spread malware through fake ads for Google Authenticator.
The ads, which appeared in Google Search results, led unsuspecting users to a fraudulent website mimicking the official Google Authenticator download page. Once on the site, victims were tricked into downloading a malicious executable disguised as the legitimate app. The malware, identified as DeerStealer, is an information stealer designed to harvest passwords and other sensitive data from the infected machine.
The core issue is that an ad impersonating an official vendor passed Google's ad verification. In this case, the Authenticator ad linked to a fraudulent site, chromeweb-authenticators[.]com, which had been registered through NICENIC INTERNATIONAL GROUP CO., LIMITED on the same day the ad appeared. A domain registered hours before it is advertised is a common marker of malvertising infrastructure.
The decoy website's source code revealed the download mechanism: the malicious executable, Authenticator.exe, was fetched from GitHub. The threat actor used GitHub, a trusted and widely allow-listed cloud service, to host the file, making it less likely to be blocked by reputation-based security controls. The file had been uploaded by a user with the handle authe-gogle to a repository named authgg. Since blocking GitHub outright is rarely an option, defenders have to look at what is being fetched (a Windows executable served from a code-hosting site) rather than only where it comes from.
Further investigation showed that the executable was digitally signed by "Songyuan Meiying Electronic Products Co., Ltd." just a day before the attack was discovered, and the signature was still valid at the time of the report. A valid code signature only shows that a certificate authority issued a code-signing certificate to that name and that the file has not been altered since it was signed; it says nothing about whether the software is what it claims to be. A signer that is not Google on a supposed Google download is itself a red flag.
The downloaded malware, identified as DeerStealer, is an information stealer that exfiltrates personal data to an attacker-controlled server at vaniloin[.]fun. Stealers of this kind are particularly dangerous because they harvest saved credentials and other sensitive information, leading to account takeover, privacy breaches and financial loss.
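The indicators quoted above (the decoy domain, the GitHub account and repository, the executable name and the exfiltration host) are enough to build a simple hunting check over web-proxy logs. The following Python script is an added example written for this page, not code from Malwarebytes or from the report; the log format and the sample log lines are constructed, and it assumes the payload was fetched over HTTPS from one of GitHub's content-serving hosts, which the report does not state explicitly. It also generalizes the report's case with a lookalike-domain check for brand terms appearing in non-Google domains.

```python
from urllib.parse import urlparse

# Indicators quoted in the Malwarebytes report (defanged there with [.]).
IOC_DOMAINS = {
    "chromeweb-authenticators.com",  # decoy "Google Authenticator" download page
    "vaniloin.fun",                  # DeerStealer exfiltration host
}
IOC_GITHUB_REPOS = {("authe-gogle", "authgg")}   # account/repo that hosted Authenticator.exe
IOC_FILENAMES = {"authenticator.exe"}

# Hosts GitHub uses to serve repository files. Assumption (not stated in the
# report): the payload was fetched over HTTPS from one of these hosts.
GITHUB_CONTENT_HOSTS = {"github.com", "raw.githubusercontent.com",
                        "objects.githubusercontent.com"}

# Brand terms whose presence in a non-Google domain suggests a lookalike.
BRAND_TERMS = ("google", "authenticator")
LEGIT_SUFFIXES = ("google.com",)


def _matches_domain(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def brand_lookalike(host):
    """True if the host carries a brand term but is not a Google-owned domain."""
    if _matches_domain(host, LEGIT_SUFFIXES):
        return False
    return any(term in host for term in BRAND_TERMS)


def analyze_url(url):
    """Return the reasons a requested URL is suspicious (empty list = clean)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    path = p.path
    filename = path.rsplit("/", 1)[-1].lower()
    reasons = []
    if _matches_domain(host, IOC_DOMAINS):
        reasons.append("known IOC domain: " + host)
    elif brand_lookalike(host):
        reasons.append("brand lookalike domain: " + host)
    if host in GITHUB_CONTENT_HOSTS:
        parts = [s for s in path.split("/") if s]
        if len(parts) >= 2 and (parts[0].lower(), parts[1].lower()) in IOC_GITHUB_REPOS:
            reasons.append("known IOC GitHub repo: %s/%s" % (parts[0], parts[1]))
        if filename.endswith(".exe"):
            reasons.append("Windows executable fetched from GitHub: " + filename)
    if filename in IOC_FILENAMES:
        reasons.append("IOC filename: " + filename)
    return reasons


def scan_log(lines):
    """Parse 'timestamp client method url status' lines and return the hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed entries rather than crash on them
        ts, client, method, url, status = fields[:5]
        reasons = analyze_url(url)
        if reasons:
            hits.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return hits


# Constructed sample proxy log (not real traffic); the URLs mirror the report's IOCs.
SAMPLE_LOG = [
    "2024-07-30T10:00:01Z 10.0.0.5 GET https://www.google.com/search?q=google+authenticator 200",
    "2024-07-30T10:00:07Z 10.0.0.5 GET https://chromeweb-authenticators.com/ 200",
    "2024-07-30T10:00:12Z 10.0.0.5 GET https://github.com/authe-gogle/authgg/raw/main/Authenticator.exe 200",
    "2024-07-30T10:00:40Z 10.0.0.5 POST https://vaniloin.fun/ 200",
    "2024-07-30T10:01:00Z 10.0.0.9 GET https://github.com/python/cpython 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["url"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The exact-IOC matches will go stale as soon as the actor rotates domains; the two behavioural checks (a brand term in a domain Google does not own, and a Windows executable pulled from a code-hosting site) are the ones worth keeping in a detection rule, with an allow-list for the GitHub repositories your organisation legitimately installs from.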
To protect yourself from falling victim to fake ads, Malwarebytes Labs recommends the following:
- Be cautious of ads in search results: Avoid clicking on ads for software downloads. Instead, type the vendor's address yourself or use the official app store. Google Authenticator is a mobile app distributed through Google Play and the Apple App Store; there is no official Windows executable, so a download named Authenticator.exe is itself a warning sign.
- Double-check URLs: Before clicking a link, and again in the address bar after landing, make sure the domain is the vendor's own (for Google, a google.com host) and not a lookalike such as chromeweb-authenticators[.]com.
- Use antivirus software: Keep your antivirus software up to date and run regular scans to detect and remove malware.
- Enable MFA: Use multi-factor authentication whenever possible to add an extra layer of security to your online accounts.