Google Ads malvertising campaign prompts questions around Search security

A leading security researcher has called into question why Google still allows malware links to top search results

Paid advertising links on Google Search are being used by cyber criminals to push malware, in a strategy that could threaten businesses looking to use free software.

Top listings on the search engine that purport to link to legitimate software websites were instead found to be decoys leading to websites containing malware such as infostealers.

The abuse of Google's ubiquitous search engine was brought to light after a cryptocurrency influencer mistakenly downloaded a malicious package after clicking on an advertising link for popular streaming software OBS.

After running the executable file provided on the website, the victim's accounts on Substack and Twitter were hacked, and their NFT wallet was stolen.

Security researcher Will Dormann detailed the issue in a Twitter thread, and openly questioned why Google-owned threat analyser VirusTotal cannot be used to automatically check sponsored links for malware.

The popular file and link-checking website was acquired by Google in 2012, and flagged the malvertising links used in the campaign as threats when manually fed into the system.

Despite this, Google had not blacklisted the links on its Ads platform, seemingly accepting money from threat actors without checking the listed links for threats at all.

In other cases, Dormann noted that VirusTotal didn’t flag links as malicious even though inspection of the packages they pushed revealed highly suspicious PowerShell commands.

He alleged that the threat actor behind this package is still paying Google for fake listings on software such as VLC Media Player, Rufus, and uTorrent.

Small and medium businesses could be at particular risk from this campaign, as these firms typically rely on free media and productivity software, the likes of which are being mimicked.

Some software developers appear to be aware of the issue, as those behind Notepad++ appear to have spent money to ensure their software appears in results first. OBS has issued an official warning and linked the only legitimate site from which its software may be obtained.

Malvertising, the method through which malicious software or links are hidden in seemingly safe advertising, is often used by hackers on untrustworthy websites behind suspicious banner ads. 

“Protecting users is our top priority,” said a Google spokesperson in response to a request from IT Pro.

“We take dishonest business practices very seriously and consider them to be an egregious violation of our policies. Where we find ads that breach our policies we take immediate action.”

Google's ad policy prohibits the posting of links that hide malware, and in January 2021 the firm began to ask advertisers registered in certain countries to verify their identity.

The company did not directly respond to questions regarding why it has not implemented automatic VirusTotal scans for links on its platform.

Malvertising: A deeper issue

The HP Wolf Security Threat Research Team published a report on malvertising campaigns that used fake listings for popular free software as an attack vector.

Programs such as Audacity, Teams, Discord, and the Adobe Creative Cloud suite of apps were used as bait by threat actors to distribute malware.

Vidar Stealer, a malware strain used to steal data such as passwords and cryptocurrency wallets from victims, was one such program spread in the campaign, along with the Trojan IcedID which is used to steal financial credentials and compromise corporate networks.

Researchers noted that malicious packages downloaded through the campaign were large, with one example being 343MB. This is believed to be an antivirus evasion tactic, as larger files can circumvent automatic scans with some software.

“Many organisations use software distribution systems, which means that the software does not have to be downloaded by the end user but is provided by the system administrator,” said Patrick Schläpfer, malware analyst at HP Wolf Security.

“If you even block the download of such software for end users, you greatly limit this attack vector and are even more protected against such attacks.”

The use of Google Ads to deliver malware was also previously highlighted in July 2022 when Malwarebytes researchers warned of Google search results hiding malicious links. The sophisticated campaign used inline frames to push malicious domains onto users without revealing their URLs.
