Here is another reason why you should never click on ads to download software
Imagine the following scenario. You want to download Google Authenticator, run a search on Google for the company's application, and click on the first link that appears.
The link looks good even though it is listed as sponsored. It shows Google's official site as the URL. When you check the advertiser, which Google Search lets you do, you get confirmation that Google has verified the advertiser's identity.
All good then? Not in this case. Had you downloaded the linked app, you would have installed a malware-infested Authenticator application on your device. The application, which even came with a valid signature according to reports, installed the DeerStealer information-stealing malware on Windows devices.
Not the first case, likely not the last
Threat actors have managed to overcome the security systems of advertising companies such as Google numerous times in the past to plant malware ads on Google Search and elsewhere. We have reported on this numerous times already.
Just last year, it was reported that malware was distributed via Google Ads at an alarming rate. The situation has not improved.
These ads are often made to look like the legitimate product, and it is very difficult for the user to determine that they are not.
In the above case, everything checked out at first glance:
- Correct Google Domain listed.
- Google verified the advertiser.
- App is signed.
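
The third item deserves a closer look: a valid signature only shows that some certificate holder signed the file and that it has not changed since, not that the signer is the vendor you expected. The PowerShell check below is an added example, not part of the original article; `Test-DownloadPublisher` is a hypothetical helper name, and the expected publisher string is an assumption you have to take from the vendor's own documentation.

```powershell
# Added example: compare the signer of a downloaded installer with the
# publisher you expect. Test-DownloadPublisher is a hypothetical helper,
# not a built-in cmdlet.
function Test-DownloadPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: the expected signer name is known beforehand from the
        # vendor's own site or documentation, not from the download page.
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path       = $Path
        Status     = [string]$sig.Status
        Signer     = $null
        Thumbprint = $null
        Trusted    = $false
        Reason     = $null
    }

    if ($null -eq $sig.SignerCertificate) {
        $result.Reason = 'File carries no Authenticode signature.'
        return [pscustomobject]$result
    }

    # Simple name of the signing certificate (normally the subject CN).
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $result.Signer     = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    $result.Thumbprint = $sig.SignerCertificate.Thumbprint

    if ($sig.Status -ne 'Valid') {
        $result.Reason = "Signature did not validate: $($sig.StatusMessage)"
    }
    elseif ($result.Signer -ne $ExpectedPublisher) {
        # The case from the article: validly signed, but by someone else.
        $result.Reason = "Valid signature, unexpected signer '$($result.Signer)'."
    }
    else {
        $result.Trusted = $true
        $result.Reason  = 'Valid signature from the expected publisher.'
    }
    return [pscustomobject]$result
}

# Usage (placeholder path and publisher name):
# Test-DownloadPublisher -Path .\installer.exe -ExpectedPublisher 'Example Vendor LLC'
```

A `Trusted` result of `$false` with status `Valid` is the situation described in this article: the file is signed, just not by the company it claims to come from.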
Bleeping Computer asked Google about the impersonation of legitimate companies and people, and Google stated that threat actors are evading detection by creating thousands of accounts simultaneously and using text manipulation and cloaking to show reviewers and automated systems different websites than a regular visitor would see.
In other words, Google admits that it cannot protect users from malicious ads 100% of the time. While it boasts that it has removed "3.4 billion ads" and suspended "5.6 million advertiser accounts" in 2023, it still has not found a way to detect all malicious ads and advertisers on Google Search.
Sponsored links are not to be trusted
Any link in Search that is listed as sponsored or an ad should not be trusted, especially when it comes to downloading software or making financial transactions. This is the only conclusion that users should draw from that statement.
Threat actors have abused search ads one too many times for them to be trusted. Usually, all it takes is to scroll down a bit more until you find the first organic search results. There you should find the official website listing of the product.
What about you? Do you click on ads or sponsored results sometimes? What is your takeaway from the recent malicious advertising campaign? Feel free to leave a comment down below.