Hackers Target Mac Users With Fake Google Ads

Hackers are exploiting a long-standing attack vector to target Mac users with malware disguised as the popular Homebrew tool, spreading it through misleading Google ads.
Malicious actors are leveraging Google ads to distribute malware through a counterfeit Homebrew website. The campaign targets macOS and Linux users with an infostealer that compromises credentials, browser data, and cryptocurrency wallets.
Homebrew, a popular open-source package manager, allows users to manage software via the command line. Recently, hackers took advantage of its widespread use by deploying a harmful Google ad.
"Developers, please be careful when installing Homebrew. Google is serving sponsored links to a Homebrew site clone that has a cURL command to malware. The URL for this site is one letter different than the official site." pic.twitter.com/TTpWRfqGWo — Ryan Chenkie (@ryanchenkie) January 18, 2025
The ad, spotted by developer Ryan Chenkie, appeared legitimate, displaying the correct URL for the Homebrew website, “brew.sh.” However, users who clicked it were redirected to a fake website hosted at “brewe.sh.”
The fake website replicated Homebrew’s installation process, deceiving users into running a malicious command. Although the legitimate Homebrew site also offers installation commands, executing the script from the fake site resulted in downloading and running malware known as AmosStealer.
AmosStealer, also called “Atomic Stealer,” is a macOS-targeting infostealer available to cybercriminals for $1,000 per month. It’s designed to steal data from over 50 cryptocurrency wallets, browser-stored information, and desktop applications. Previously, this malware has been used in campaigns like fake Google Meet pages, cementing its reputation as a preferred tool for Apple-focused cyberattacks.
[Image: Malicious Google Search result]
Mike McQuaid expressed frustration with Google’s inability to prevent such scams. While the malicious ad was taken down, McQuaid highlighted that similar incidents continue to occur due to insufficient oversight of sponsored ads.
Cybersecurity experts recommend avoiding sponsored links when searching for popular tools. Bookmarking official websites or accessing them directly can help users minimize risk.
Google Chasing Hackers Hard
Fighting malicious ads is an ongoing challenge. Cybercriminals continuously adapt by using tactics like altering URLs or modifying ad content after approval to evade detection. With billions of ads to review daily, Google relies primarily on automation, but it’s not foolproof. The massive volume and limited human oversight mean some harmful campaigns still manage to slip through.
For example, the same AmosStealer malware was first detected in April 2023, when it was being sold through Telegram, a messaging app. In September of that year, the hackers turned to malicious Google ads.
In August 2024, attackers created fake versions of popular applications, including Loom, to trick users into downloading malware through deceptive Google-sponsored URLs.
Despite having tools to detect and remove harmful ads, Google faces challenges in keeping up with scammers’ ever-changing strategies and the difficulty of enforcing rules globally.
Why You Should Care About Fake Google Ads
To protect yourself from these attacks, always double-check website URLs, use bookmarks for trusted sites, and avoid downloading software from unknown or sponsored links. While Google has removed this specific malicious ad, the threat of harmful ads remains. Mac users, especially those relying on Homebrew, should stay vigilant.