Fake Google Authenticator Ads Spread DeerStealer Malware

DeerStealer Infostealer Spreads Through Fake Google Authenticator Ads

Researchers at Malwarebytes have reported that cybercriminals are exploiting Google’s own advertising platform to distribute the DeerStealer infostealer under the guise of the Google Authenticator app. Attackers are creating ads that promote a fake version of Google Authenticator, which actually delivers malware to unsuspecting users.

These malicious ads continue to appear in Google search results, often linked to seemingly legitimate domains. This creates a false sense of trust for users searching for Google Authenticator. In this latest campaign, the ads appear when users search for the app on Google.

Convincing Fake Ads and Redirects

The most convincing ads display URLs like google.com or https://www.google.com, which should not be possible for third-party advertisers. When users click on these fake ads, they are redirected through several sites before landing on chromeweb-authenticators.com, a site designed to look like an official Google portal.

Malicious Domains and Malware Delivery

ANY.RUN, a company specializing in malware analysis, also tracked this campaign and shared additional information about the hackers’ landing pages. Attackers used domains with similar names, such as authenticcator-descktop[.]com, chromstore-authentificator[.]com, and authentificator-gogle[.]com.
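The domains above all imitate the Google Authenticator brand with one or two character changes (`authenticcator`, `authentificator`, `gogle`). One defensive use of that observation is to score queried hostnames against a short list of brand keywords and flag near misses. The script below is an added example written for this article, not code from Malwarebytes, ANY.RUN or Google; the DNS log lines are constructed for the example (with the defanged `[.]` restored), and the allowlist and edit-distance thresholds are assumptions a real deployment would tune.

```python
"""Flag lookalike (typosquatted) domains in a DNS query log.

Added example: scores each queried name's tokens against brand keywords
using substring matches and Levenshtein edit distance. Sample log lines are
constructed for the example and are not real telemetry.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample DNS log. The four lookalike names are the ones reported in
# the campaign; the remaining queries are ordinary traffic for contrast.
SAMPLE_DNS_LOG = """\
2024-07-31T10:02:11Z client=10.0.0.12 qname=authenticcator-descktop.com
2024-07-31T10:02:15Z client=10.0.0.12 qname=chromstore-authentificator.com
2024-07-31T10:03:01Z client=10.0.0.7 qname=authentificator-gogle.com
2024-07-31T10:03:09Z client=10.0.0.7 qname=chromeweb-authenticators.com
2024-07-31T10:04:44Z client=10.0.0.9 qname=www.google.com
2024-07-31T10:05:02Z client=10.0.0.9 qname=accounts.google.com
2024-07-31T10:05:30Z client=10.0.0.3 qname=github.com
"""

# Brand keywords the lookalike domains imitate.
BRAND_KEYWORDS = ("google", "authenticator", "chrome")

# Registrable domains allowed to carry those keywords. Assumption for the
# example: a real deployment would use the organisation's own allowlist.
ALLOWED_REGISTRABLE = {"google.com", "github.com"}

QNAME_RE = re.compile(r"qname=(\S+)")


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(qname: str) -> str:
    """Last two labels of the name.

    Simplification for the example: ignores multi-part public suffixes such
    as co.uk, which a production version would handle with a suffix list.
    """
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_reason(qname: str) -> Optional[Tuple[str, str]]:
    """Return (keyword, reason) if qname imitates a brand keyword, else None."""
    if registrable_domain(qname) in ALLOWED_REGISTRABLE:
        return None
    # Split into word-like tokens: DNS labels and hyphen-separated parts.
    tokens = [t for t in re.split(r"[.-]", qname.lower()) if t]
    for tok in tokens:
        for kw in BRAND_KEYWORDS:
            if kw in tok:
                return kw, f"token '{tok}' contains '{kw}'"
            # Allow one typo for short keywords, two for longer ones.
            budget = 1 if len(kw) < 8 else 2
            if levenshtein(tok, kw) <= budget:
                return kw, f"token '{tok}' is within {budget} edit(s) of '{kw}'"
    return None


def scan_dns_log(log: str) -> List[Tuple[str, str, str]]:
    """Return (qname, impersonated keyword, reason) for every flagged query."""
    findings = []
    for line in log.splitlines():
        m = QNAME_RE.search(line)
        if not m:
            continue
        qname = m.group(1)
        hit = lookalike_reason(qname)
        if hit:
            findings.append((qname, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for qname, kw, why in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{qname:32} imitates {kw:13} ({why})")
```

Run against the sample log, the four campaign domains are flagged and the allow-listed Google and GitHub queries pass. The substring rule catches names that embed the brand verbatim (`chromeweb-authenticators.com`), while the edit-distance rule catches the misspellings; keeping the per-keyword budget small limits false positives on unrelated short tokens such as `com`.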

Clicking the “Download Authenticator” button downloads a signed executable file named Authenticator.exe (as seen on VirusTotal), which is hosted on GitHub. The repository is called authgg and is owned by authe-gogle.

The sample analyzed by Malwarebytes was signed by Songyuan Meiying Electronic Products Co., Ltd. just one day before being uploaded, while ANY.RUN found a payload signed by Reedcode Ltd.

Bypassing Security and Stealing Data

A valid digital signature gives the file trust in Windows, allowing it to bypass security solutions and run on the victim’s device without warnings. Once installed, the DeerStealer malware steals credentials, cookies, and other information stored in the browser.

Researchers note that this effective URL-masking strategy has been seen in other malicious campaigns, including those targeting KeePass, the Arc browser, YouTube, and Amazon. Despite this, Google has yet to fully address the issue.

Google’s Response and Ongoing Risks

According to Malwarebytes, Google does verify advertiser identities, but this highlights another weakness in the tech giant’s ad platform. Bleeping Computer reported that Google has now blocked the fake advertiser flagged by Malwarebytes.

When asked how attackers continue to place malicious ads and impersonate legitimate companies, Google explained that criminals evade detection by creating thousands of accounts and using text manipulation and cloaking techniques. This allows them to show reviewers and automated systems different sites than what regular users see.