Fake Google Authenticator app spreads malware, not authentication
A threat actor has bought a real Google ad placement to direct victims to a fake site that serves info-stealer malware.
Security researchers have spotted a malware campaign distributing an info-stealer disguising itself as Google’s Authenticator application.
The campaign was outlined in a Malwarebytes blog post and is delivered through Google’s legitimate advertising platform – only the advertisement itself is fake.
The sponsored advertisement would have shown up for anyone searching for Google Authenticator. The ad displayed Google’s legitimate website address, marked itself as the “official website”, and even claimed the advertiser – one Larry Marr – was verified by Google.
“The truth is Larry Marr has nothing to do with Google and is likely a fake account,” Malwarebytes researcher Jérôme Segura said in a blog post.
“We can follow what happens when you click on the ad by monitoring web traffic. We see a number of redirects via intermediary domains controlled by the attacker, before landing on a fake site for Authenticator.”
A total of 10 redirects went through several domains – including some legitimate Google sites, a cloaking domain, and a number of fake domains claiming to be “chromeweb-authenticators[.]com” – before finally ending up on a GitHub repository. The chromeweb sites had been registered the same day the fake ad was first observed, and the code for the site featured comments written in the Cyrillic alphabet.
The malicious file hosted on that GitHub repository is called Authenticator.exe but is, in fact, the DeerStealer info stealer, which exfiltrates data to web infrastructure controlled by the threat actor.
The file itself features a valid signature signed by Songyuan Meiying Electronic Products Co.
“We should note that Google Authenticator is a well-known and trusted multifactor authentication tool, so there is some irony in potential victims getting compromised while trying to improve their security posture,” Segura said.
“We recommend avoiding clicking on ads to download any kind of software and instead visiting the official repositories directly.”
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.