Seemingly Legitimate Ad for Google Authenticator Distributes Info-Stealing Malware

Published on July 31, 2024
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer

A fake ad for the trusted multi-factor authentication (MFA) app Google Authenticator appearing among Google search results looked as if it was from official sources, and the advertiser’s identity was even verified by Google, a new report from security experts Malwarebytes says. 

The advertisement led to a decoy website where people actually downloaded malware.

People who were looking to download the popular MFA service through a Google search in the past few days could see a malicious ad that masterfully impersonated the Aphabet Inc.-owned app. The downloaded executable actually contained an infostealer.

Fake Advertising on Google
Image Credits: Malwarebytes

Upon clicking, the user experiences several redirects via intermediary domains controlled by the attacker before landing on a fake site for Authenticator, which leads to a signed payload hosted on GitHub.

Using a trusted cloud resource makes it unlikely to be blocked via conventional means. The threat actor leveraged the fact that anyone can make an account and upload files on GitHub and created the ‘authgg’ repository with the username ‘authe-gogle,’ which contains the malicious Authenticator.exe.

Google Authenticator Scam
Image Credits: Malwarebytes

The code that downloads Authenticator.exe from GitHub contains comments from the author in Russian. The file itself has been digitally signed by “Songyuan Meiying Electronic Products Co., Ltd.”

Sandbox maker AnyRun previously reported a similar distribution site and the same payload. Malwarebytes blocked access to the fake Authenticator website and detected the payload as Spyware.DeerStealer.

In the analyzed campaign, the DeerStealer malware could exfiltrate user personal data via an attacker-controlled website hosted at vaniloin[.]fun.

During the past year, various info-stealer malware campaigns that infected victims’ devices got access to their stolen credentials, which were then exfiltrated for financial gains.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: