Report: malware is distributed via Google Ads at an alarming rate

Martin Brinkmann
Feb 3, 2023
Updated • Feb 3, 2023

Search engine ads have always seen some level of abuse by malicious actors to spread malware. An ad is placed at the top of results on Google Search and most other search engines, which means that it will get more exposure than other other link on the site.

Over the past weeks, researchers have witnessed an increase in malware campaigns that use Google Search ads. Spamhaus Technology, for example, published a report on February 2nd, 2023 on the current increase in malvertising activity. Malvertising, which stands for malware advertising, is spreading "numerous malware" by impersonating programs and brands such as Adobe Reader, GIMP, Thunderbird or Microsoft Teams.

google search ads

Search ads are based on keywords most of the time. When a searcher runs an exact match keyword or a partial match, ads may be displayed based on parameters that the individual or organization selected during setup.

These ads point to web addresses. In the case of malvertising, links point to fake website that offer downloads for the requested programs. These downloads contain malicious payloads, which are then installed on user devices when they are downloaded and run. The fake websites are made to look like the real websites, but unlike phishing sites, are not bit-by-bit copies of the originals.

Google seems to have removed the reported malvertising campaigns, but it seems likely that new campaigns will be created by malicious actors. While that requires some time for setup, as new Google Adwords accounts need to be created and new domains need to be set up, it is clear that new campaigns will make an appearance on Google Search unless Google is taking action against these campaigns.

Spamhaus believes that Google could reduce the risk of malvertising campaigns by disallowing links to domains that are newly registered. Additional protections would certainly help, but malware actors may resort to buying domains on the second hand market to use them in their campaigns.

SentinelLabs reported an increase in malvertising as well this week.

What users may do to protect themselves

Internet users have a number of options at their disposal to improve protection against malicious advertising and malware in general.

One of the easier options is to ignore ads, especially when it comes to downloads. Google Ads are barely distinguishable from organic content, which may make it difficult for some users to spot the difference.

Certain content blockers, including uBlock Origin, block ads on search engines by default. Others need to be configured to block these ads on the search engine sites.

Another option that users have is to start using a different search engine. Most are financed through ads though, but most are too small to be lucrative targets at the moment.

Now You: which search engine do you prefer?

Report: malware is distributed via Google Ads at an alarming rate
Article Name
Report: malware is distributed via Google Ads at an alarming rate
Malicious ads have seen a rise recently on Google Search by luring users to fake download sites for popular legitimate products.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. TelV said on February 6, 2023 at 12:03 pm

    I use Brave Search most of the time and only revert to Google when Brave doesn’t produce the results I’m looking for:

    If I’ve used Google then I’ll use Firefox’s context menu option “Forget about this site” which removes everything related to it which includes all the history.

  2. Murat said on February 5, 2023 at 3:21 pm

    This is the problem occurring in Global. Except for the first 2-3 pages of the search results in Turkey, there are fake results containing redirects such as betting, porn, harmful sites. Google apparently does not have the market power to follow them. Or it will take years to fix them.

  3. "Don't be evil" my ass.. said on February 5, 2023 at 2:03 am

    It’s common knowledge that adblockers block more malware than AV does. Let’s all thank Google once again for all this crap.

    1. SCmCsyF said on February 5, 2023 at 8:58 am

      First thing I did many years ago was install Ublock Orign on family member’s computers with the default filter lists since I don’t want anything to break for them. By default I think only the Online Malicious URL Blocklist is enabled, maybe add PUP and Phishing blocklists too.

      This is why I don’t like Internet ad apologizers, it’s one thing when an author kindly asks to unblock ads (just don’t add an annoying anti-adblock banner, that’s not kind! Instead add a disclaimer somewhere on the website. It’s also always a risk to enable ads, so don’t continually push visitors to unblock ads), it’s another thing entirely when people tell others they’re STEALING revenue from webmasters, YouTube channels and so on, as if it’s criminal to protect oneself.

  4. SCmCsyF said on February 4, 2023 at 1:58 pm

    This is why I tell people to visit a website directly. Way too many people use a search engine as the address bar. It doesn’t help it either that contemporary browsers have unified search and navigation bars. I quite like the concept, but too many people use it as a search bar only, not typing a website’s full URL.

    Another tip I can give is to search once, then bookmark the site. Much more secure than using Google’s search engine all the time.

  5. Metallica said on February 4, 2023 at 5:30 am

    Folks who still use scroogle deserve to get infected.

  6. Raj said on February 4, 2023 at 4:00 am

    I stopped trusting Google ads since they pushed me to a shady version of VLC. If the google overlords cannot govern their search engine then who will?

  7. Anonymous said on February 4, 2023 at 2:24 am

    But!, Shaun told me several times how awesome the Microsoft store is.

  8. Anonymous said on February 4, 2023 at 12:35 am

    Google should be fined heavily for introducing Manifest V3.

  9. John G. said on February 3, 2023 at 11:19 pm

    Google should fix these problems as soon as possible. They know how to do it, and they will do it. Thanks for the article.

  10. 11r20 said on February 3, 2023 at 10:38 pm

    my personal computer and 2 old phones are all ‘ungoogled’ cuz ‘google-sucks’

    I Mostly use a sandbox, it’s very quiet and fast
    and most everything I need is there.

    Sometimes I use ‘mojeek’ (it always resolves to the same IP on startup = “”″”) it’s also very quiet;

    as well as several aggregators and RSS feeds

  11. Midnight said on February 3, 2023 at 9:58 pm

    I avoid anything Google like the Plague!

    My search engine(s) of choice are Quack Quack Go and Startpage.

  12. Tom Hawack said on February 3, 2023 at 9:30 pm

    No Google account, all Google services replaced with alternatives, Google libraries handled by the Firefox ‘LocalCDN” extension, all Google servers I’m aware of are blocked system-wide.

    Excessive? This very article, after many others, here and elsewhere relating facts, demonstrates a company’s total disinterest for users’ security together with what we all know already : users’ privacy. Google doesn’t care where its search engines lead you to, it only cares to know where you go to.

    I use three metasearch engines :
    SearXNG, [] & [] (two in case either would be inoperative).
    Mojeek Metasearch []
    eTools Metasearch []

    Occasionally three ‘standard’ engines :
    Brave Search []
    DDG Search []
    Qwant []

    I get along perfectly well without Google.
    Google Watchdog : []

    1. Andy Prough said on February 4, 2023 at 5:28 am

      I’m just surprised that anyone uses Google for search or email or anything at this point. It’s been 10 years since Snowden exposed them as completely corrupt and nothing more than a surveillance tool of the international spy community. I guess people simply love to be abused – there’s no other possible explanation.

      1. Peterc said on February 6, 2023 at 8:36 pm

        @Andy Prough:

        Aside from the fact that Google Search introduced politically/strategically subjective ranking criteria for search results[*] — in spring 2017, I seem to recall — I’ve noticed that its results in general have become *markedly* less relevant in recent years. Even with carefully constructed searches, it now takes me *far* longer to find useful hits in Google Search than it did only ten years ago.

        And as you said, Google is one of the biggest privacy violators in tech, along with Facebook/Meta and now Microsoft. I’m remembering a sarcastic line from John Turturro in the 1985 movie “To Live and Die in L.A.”: “And the check is in the mail, and I love you, and I promise not to *** ** **** *****.” Another statement we should all have been skeptical of is “Don’t be evil.”

        I don’t believe that “if the product is free, *you* are the product” is invariably true in software. There are just too many counterexamples to fairly say that. But in Alphabet/Google’s case, it most definitely *is*. Older users who got taken in when the Internet was just beginning to explode can probably be forgiven, because it was a new technology they didn’t fully understand. Today’s experienced users no longer have that excuse, but let’s not forget that each new generation brings a fresh crop of inexperienced, gullible suckers ripe for the picking.

        [*] From what I’ve read, Google changed its ranking algorithms at the direction (by outsourced proxy) of the Atlantic Council, often referred to as “NATO’s think tank.” That change *dramatically* narrowed the range of facts, analysis, and opinions to which ordinary citizens were exposed. There is a war going on today that might not be happening if Google and its ilk had stuck to objective, neutral ranking criteria instead of putting their thumb on the scale.

      2. Yash said on February 4, 2023 at 9:17 am

        Snowden exposed many things. But as expected government doubled down on censorship and private companies benefitted as a result. Facebook bought WhatsApp after Snowden revelations and nothing was done to stop that. Look at Twitter – the shitshow it has become.

    2. Fred said on February 3, 2023 at 10:37 pm

      Yeah, next to no one is clicking your chitty links.

      You and your dozen friends enjoy your gymnastics.

      Ask this very site how many view through Google search or find it through Google search.

      Just face the facts. Google is king with browser and search despite your howling in to the wind.

      1. Tom Hawack said on February 4, 2023 at 12:29 am

        @Fred, you can get Google Search results via a metasearch engine, i.e. SearXNG : same results without the the malvertizement ones, without the tracking, or with another Google Search only front-end such as QuackQuackGo at [].

        The point here is not to argue about the quality of Google Search, nor even about Google services in general, but to point out that Google is privacy-intrusive together with a flagrant disinterest for security issues provided in its very web search results!

        Please don’t think there’s any show-off, only trying to do our best for privacy and security and share it, that’s all :=)

      2. SCmCsyF said on February 4, 2023 at 2:05 pm

        Mojeek has its own index, it’s not a metasearch engine.

        Never heard of QuackQuackGo, Name sounds worse than DuckDuckGo, how’s that possible?

        There’s also Whoogle and LibreX as Google front-ends which are pretty cool. I don’t use them, though.

      3. Tom Hawack said on February 4, 2023 at 3:00 pm


        > Mojeek has its own index, it’s not a metasearch engine.

        You are right, my mistake. I seldom refer to Mojeek and I misunderstood it’s option “Search Selections – Select the Search Choices to show” which I assumed to be search engines used by Mojeek when in fact these appear at the bottom of result pages within “Try elsewhere:” …

        > Never heard of QuackQuackGo, Name sounds worse than DuckDuckGo, how’s that possible?

        I guess the developer drove the parallel with DDG to the extent of an idiotic name :=) Otherwise noting comparable.

        QuackQuackGo (QQG?) is only a basic Google Web search front-end, no images nor videos nor shopping nor maps. Very fast but basically basic.

        > There’s also Whoogle and LibreX as Google front-ends which are pretty cool. I don’t use them, though.

        – LibreX instances include a specific torrents search option. Otherwise I consider SearXNG better suited, more features, better display and an excellent options availability.

        – I had tried several Whoogle instances (only Google results) but disliked the options manipulation, cumbersome.

        Thanks for pointing out my mistake stating Mojeek as a meta-search engine. Gosh, flew over my head …

      4. Fred said on February 3, 2023 at 10:40 pm

        Puzzling, this site has no edit function. How 2018.

        Obviously I meant Google Browser or Google Search.

  13. Anonymous said on February 3, 2023 at 8:38 pm

    “You are willing to pay in advance what we want to be #1 after a search” seems to be the part that needs changing. Ensuring money comes from the correct source needs to be part of their business model.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.