Hackers are using Google Ads for well-known apps to spread malware

Patrick Devaney
Dec 30, 2022

In many ways, ads are a frustrating part of the internet’s current primary business operating model. However, beyond the annoying pop-ups and the industrial-scale collection of your personal and private data, there may be more direct threats lurking in the ads you are seeing pop up on the internet sites you visit.


Malware operators have been observed taking advantage of the Google Ads platform to spread malware to users who are searching for popular software products. A report by Guardio Labs describes campaigns the researchers are calling “MasquerAds”, which are targeting organizations, GPUs, and crypto wallets.

The campaigns often involve impersonating products such as Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, LibreOffice, TeamViewer, Thunderbird, and Brave.

The Google Ads platform allows advertisers to promote their pages on Google Search, placing them near the top of the results list as advertisements that look like search results. This can lead to situations where users searching for legitimate software may see the promoted page before they see the official website of the project. Since these promoted pages are designed to look similar to actual search results, users may be more likely to click on them without realizing that they are advertisements.

The malicious actors behind the campaigns create fake versions of the official websites for the products they are targeting and then distribute trojanized versions of the software when users click the download button. Some of the malware sent through these campaigns includes variants of Raccoon Stealer, a customized version of the Vidar Stealer, and the IcedID malware loader.

If this sounds like something you would expect the Google Ads platform to detect and block, you would be right, but the scammers are using tricks to get around the Google Ads detection measures. The main method, according to Guardio Labs, is to have the ads take users to an ordinary-looking site that is free of infectious elements. However, as soon as the victims land on these intermediate sites, they are automatically redirected to the malicious sites, which are built to look as much like the true site for the well-known product or service as possible.
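A defender-side check for the redirect pattern described above, as an added example that is not from the article or from Guardio Labs: it takes a redirect chain recorded in a proxy log and flags one that starts at an ad click and ends on a host that resembles, but is not, an official vendor domain. The allowlist, the ad-click host, the 0.8 similarity threshold and the `.example` sample URLs are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumed allowlist: official domains for software your organization deploys.
OFFICIAL = {"grammarly": "grammarly.com", "slack": "slack.com",
            "anydesk": "anydesk.com", "brave": "brave.com"}
AD_CLICK_HOSTS = {"www.googleadservices.com"}  # assumed ad click-tracking host

def host(url):
    return (urlsplit(url).hostname or "").lower()

def is_official(h):
    return any(h == d or h.endswith("." + d) for d in OFFICIAL.values())

def imitated_brand(h, threshold=0.8):
    """Brand name a non-official host resembles, or None."""
    if is_official(h):
        return None
    # Compare each dot- or hyphen-separated piece of the host with each brand.
    tokens = [t for label in h.split(".") for t in label.split("-") if t]
    for brand in OFFICIAL:
        if any(SequenceMatcher(None, t, brand).ratio() >= threshold for t in tokens):
            return brand
    return None

def assess_chain(chain):
    """chain: ordered URLs of one navigation, ad click first, landing page last."""
    hosts = [host(u) for u in chain]
    brand = imitated_brand(hosts[-1])
    from_ad = hosts[0] in AD_CLICK_HOSTS
    return {"from_ad": from_ad,
            "intermediate": hosts[1:-1],   # the clean-looking hop(s) shown to ad review
            "final_host": hosts[-1],
            "imitates": brand,
            "alert": from_ad and brand is not None}

# Constructed sample chains (not real traffic); .example hosts are placeholders.
CLOAKED = ["https://www.googleadservices.com/pagead/aclk?id=1",
           "https://writing-tips-blog.example/",
           "https://gramnarly-app.example/download"]
OFFICIAL_AD = ["https://www.googleadservices.com/pagead/aclk?id=2",
               "https://www.grammarly.com/desktop"]

if __name__ == "__main__":
    for name, chain in (("cloaked", CLOAKED), ("official", OFFICIAL_AD)):
        print(name, assess_chain(chain))
```
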

There are several ways to try to keep yourself safe from these types of scams. The first is to familiarize yourself with the warning signs of a phishing scam or fake link. This anti-phishing infographic will help you with that. Another thing you can do is install an ad blocker, as it will filter out the promoted links from appearing at the top of your searches.

Ghacks Technology News



  1. FreeBSD Usr said on December 31, 2022 at 3:52 am

    Hackers? HUH!? wasn’t it hackers that build the InterNet? And makes SoftWare better?
    Isn’t it hackers, that love technology?

    Well a REAL Hacker, is someone that’s going to have full respect for technology. Not some snot nose kid/s that’s going to use their know how to attack someone. It makes me so upset reading about how some people place the name “Hacker/s” and give them a bad name. LORT~!
    Go and learn what a real hacker is and does!

  2. 11r20 said on December 30, 2022 at 10:29 pm

    I don’t use Google and block a lot
    of Google-Scripts and IP’s.

    Google = Mountain-View-Marxists, could secure their own advertising-platform just as easily as we can block malware, masquerading as legitimate advertisement.

    IMO, Google/5-eyes/Intel-Agencies/woke-corporations are waging war against the sheeple on a global scale.

  3. Croatoan said on December 30, 2022 at 8:17 pm

    That’s why best protection for people is adblocker.

  4. Mothy said on December 30, 2022 at 1:13 pm

    Similar issues have happened in the past and why I have used a blocking hosts file for over 10+ years (initially MVPS but last few years Steven Black). It not only blocks ad networks, including Google’s, but also known malicious websites at the operating system level so all applications are protected not just a web browser. An ad blocker in the web browser provides additional protection or a primary means of protection if not using a blocking hosts file. It also has easier built-in options to allow some ad networks if you wish than having to edit the hosts file (and flush DNS cache).

  5. Anonymous said on December 30, 2022 at 11:32 am

    Another reason to use an ad blocker as a security measure

  6. Scroogled said on December 30, 2022 at 10:35 am

    Manifest v3 needs to be abandoned completely.

    1. Tom Hawack said on December 30, 2022 at 1:42 pm

      Indeed! Manifest v3’s adblock limitations together with a company’s failure to correctly, deeply, fully investigate its ad platform admissions is a true scandal.

      Adblock is the first requisite, within the browser (uBlock Origin leader of the band) and system-wide.
      I won’t advise extra precautions even if I testify of my own policy, that of avoiding Google, all of it, all of its servers, be they first-party or 3rd-party accessed, be it for “malvertizement”, “MasquerAds” as described here, privacy, basic and essential privacy.

      “MasquerAds” : you learn every day.

      1. upp said on December 30, 2022 at 7:48 pm

        @Tom: And avoid Chrome.

        Long time ago people said “Don’t trust an advertisement company to make a good browser” and people laugh at them because Chrome kept getting popular, they call it fact, but nowadays you can’t even block ads anymore because of MV3, only 30.000 rules allowed, no autoupdate and most advanced features are nuked.

  7. Antonio said on December 30, 2022 at 10:03 am

