Google brand abuse is more popular than ever as attackers were observed over the past few days setting up fake ads to lure users to download the popular Google Authenticator multi-factor authentication app only to find out they downloaded malware from a GitHub site.
Malwarebytes researchers explained in a July 30 blog post that hosting the malware file on GitHub let the threat actor use a trusted cloud resource that’s unlikely to get blocked via conventional means.
The researchers explained that while GitHub has become the de facto software repository, not all applications or scripts hosted on it are legitimate. Anyone can create an account and upload files, and the Malwarebytes researchers said that’s exactly what the threat actor did under the username "authe-gogle," creating the "authgg" repository that contains the malicious Authenticator.exe.
“We should note that Google Authenticator is a well-known and trusted multi-factor authentication tool, so there’s some irony in potential victims getting compromised while trying to improve their security posture,” wrote the researchers. “We recommend avoiding clicking on ads to download any kind of software and instead visiting the official repositories directly.”
Anne Cutler, cybersecurity expert at Keeper Security, said the rapid advancement in technological tools, including AI, has significantly amplified the sophistication and scale of cybercriminal tactics. Cutler said AI allows for the creation of highly convincing malware ads and deep fakes, which flood digital spaces with malicious content.
“Recent cases where malicious ads appear official — and have even been verified by Google — illustrate the increasingly sophisticated methods used by threat actors,” said Cutler. “These criminals are evading detection by creating numerous accounts and using techniques like text manipulation and cloaking to deceive both automated systems and human reviewers.”
Cutler said to effectively combat these threats, cybersecurity teams must adopt a multi-faceted approach that addresses both technological and human elements. Awareness campaigns and regular training are critical to keeping employees and users informed about the risks of malvertising and the latest tactics employed by threat actors. Teams also need to adopt enhanced endpoint security, including up-to-date antivirus software, and a robust endpoint protection platform. Regular audits and policy updates also help ensure compliance and adaptability to the ever-changing threat landscape, said Cutler.
Ken Dunham, cyber threat director at the Qualys Threat Research Unit, added that users are forced into a horrible game of “truth or dare” every day, never sure if what they are clicking on is legitimate or not. The ability to identify if an advertisement is legitimate has gotten increasingly difficult as adversaries mature their tactics, techniques and procedures to trick users into falling for a phishing or malware attack.
“Employees, and consumers alike, are strongly advised not to jailbreak their phones and only install apps from official marketplace locations to best lower their risk from fraudulent advertisements or applications,” said Dunham.
