Google has fallen victim to its own ad platform, allowing threat actors to create fake Google Authenticator ads that push the DeerStealer information-stealing malware.

For years, malicious advertising (malvertising) campaigns have targeted the Google search platform, where threat actors place ads to impersonate well-known software sites that install malware on visitors’ devices.

To make matters worse, threat actors have been able to create Google search ads that show legitimate domains, which adds a sense of trust to the advertisement.

In a new malvertising campaign found by Malwarebytes, threat actors created ads that display an advertisement for Google Authenticator when users search for the software in Google search.

What makes the ad more convincing is that it shows ‘google.com’ and “https://www.google.com” as the click URL, which clearly should not be allowed when a third party creates the advertisement.

We have seen this very effective URL cloaking strategy in past malvertising campaigns, including for KeePass, Arc browser, YouTube, and Amazon. Still, Google continues to fail to detect when these imposter ads are created.

Malwarebytes noted that the advertiser’s identity is verified by Google, showing another weakness in the ad platform that threat actors abuse.

When contacted about this malvertising campaign, Google told BleepingComputer that they blocked the fake advertiser reported by Malwarebytes.

When asked how threat actors can take out ads impersonating legitimate companies, Google said that threat actors are evading detection by creating thousands of accounts simultaneously and using text manipulation and cloaking to show reviewers and automated systems different websites than a regular visitor would see.

However, the company is increasing the scale of its automated systems and human reviewers to help detect and remove these malicious campaigns. These efforts allowed them to remove 3.4 billion ads, restrict over 5.7 billion ads, and suspend over 5.6 million advertiser accounts in 2023.

Fake Google authenticator sites

Clicking on the fake Google Authenticator ads take the visitor through a series of redirections to the landing page at “chromeweb-authenticators.com,” which impersonates a genuine Google portal.

Malware analysis sandbox firm ANY.RUN also observed this campaign, sharing additional landing pages from this campaign on X. These include similarly named domains, like authenticcator-descktop[.]com, chromstore-authentificator[.]com, and authentificator-gogle[.]com.

Clicking on the ‘Download Authenticator’ button on the fake sites triggers a download of a signed executable named “Authenticator.exe” [VirusTotal] hosted on GitHub. 

The GitHub repository hosting the malware is named ‘authgg’ and the repo owners as ‘authe-gogle,’ both resembling names associated with the campaign’s theme.

The sample Malwarebytes downloaded is signed by ‘Songyuan Meiying Electronic Products Co., Ltd.’ one day before the download, but ANY.RUN previously got a payload signed by ‘Reedcode Ltd.’

The valid signature gives the file credibility on Windows, potentially bypassing security solutions and allowing it to run on the victim’s device without warnings.

When the download is executed, it will launch the DeerStealer information-stealing malware, which steals credentials, cookies, and other information stored in your web browser.

Users looking to download software are recommended to avoid clicking on promoted results on Google Search, use an ad blocker, or bookmark the URLs of software projects they typically use.

Before downloading a file, ensure that the URL you’re on corresponds to the project’s official domain. Also, always scan downloaded files with an up-to-date AV tool before executing.