New Mac malware capable of stealing passwords and confidential data spreads through Google ads


Many of us close the Google ads that appear on screen as soon as we start browsing, or at least ignore them. This is a common habit, and a sensible one: the worst of intentions can hide behind these ads.

Malware targeting Mac users has recently been detected that can steal passwords, cryptocurrency wallets and other sensitive data. It is spreading through Google ads. This is, at least as far as is known, the second time in recent months that the advertising platform has been used to infect Internet users.

Malware discovery

This past Monday, the security firm Malwarebytes identified malicious ads promoting fake Mac versions of Arc, a relatively new browser available for macOS since July of last year.

These deceptive ads promise a “quieter and more personal” browsing experience, emulating the official message from The Browser Company, the company behind Arc.

Users who click on the ads are redirected to arc-download[.]com, a fake page that imitates the legitimate site almost perfectly. Although the advertiser, Coles & Co., has been verified by Google, visitors who download the .dmg installation file from this site receive suspicious instructions to bypass a macOS security mechanism.

These instructions, to right-click and select Open instead of the standard double-click, were intended to bypass the verification that blocks apps not digitally signed by Apple-approved developers.

Analysis and consequences

Analysis of the malware code revealed that, once installed, the malicious program sends data to the IP address 79.137.192[.]4, which hosts the control panel for Poseidon, an information stealer sold on criminal markets.

This panel allows criminals to access compromised accounts and collected data. Jérôme Segura, Senior Malware Intelligence Analyst at Malwarebytes, has indicated that the development of Mac malware, specifically aimed at stealing information, is on the rise.

Poseidon is promoted as a full-fledged macOS stealer, with functionality including file capture, extracting cryptocurrency wallets, stealing passwords from managers like Bitwarden and KeePassXC, and harvesting browser data. This malware presents itself as a competitor to Atomic Stealer, another macOS stealer with similar source code.

Precautionary measures to take into account

The malware discovery came a month after Malwarebytes identified another fake Google ad campaign promoting a version of Arc for Windows, which also turned out to be a data thief.

Google Ads, like other major advertising networks, regularly faces issues with malicious content, which is not removed until third parties report it. The company says it removes these ads and suspends advertisers when it becomes aware of such incidents, as was the case here.

To protect themselves, users who want to install software advertised online are advised to search for the official download site instead of relying on links provided in advertisements.

Users should also be wary of instructions that suggest unusual installation methods, such as using right-click to open files on macOS. Malwarebytes has provided indicators of compromise that can help people determine if they have been attacked.
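
As an added example (not from the article or from Malwarebytes), here is a minimal sweep of outbound-connection logs for the two indicators quoted above. The log format, host names and sample lines are constructed assumptions; the IP is matched exactly and the domain on a label boundary, so near-misses are not flagged.

```python
import ipaddress

# Indicators quoted in the article, kept defanged as published.
DEFANGED_IOCS = ["arc-download[.]com", "79.137.192[.]4"]
# Constructed sample log (timestamp, host, destination); not real telemetry.
SAMPLE_LOG = """\
2024-01-01T10:00:01 mac-01 example.org
2024-01-01T10:00:05 mac-02 arc-download.com
2024-01-01T10:00:09 mac-02 79.137.192.4
2024-01-01T10:00:12 mac-03 79.137.192.40
2024-01-01T10:00:15 mac-04 cdn.arc-download.com
2024-01-01T10:00:20 mac-05 notarc-download.com
"""


def split_iocs(defanged):
    """Refang indicators and separate them into IP and domain sets."""
    ips, domains = set(), set()
    for raw in defanged:
        value = raw.replace("[.]", ".").lower()
        try:
            ips.add(ipaddress.ip_address(value))
        except ValueError:
            domains.add(value.rstrip("."))
    return ips, domains


def matches(dest, ips, domains):
    """Exact IP match, or domain match on a label boundary (no substring hits)."""
    dest = dest.lower().rstrip(".")
    try:
        return ipaddress.ip_address(dest) in ips
    except ValueError:
        return any(dest == d or dest.endswith("." + d) for d in domains)


def sweep(log_text, defanged=DEFANGED_IOCS):
    """Return (host, destination) pairs whose destination hits an indicator."""
    ips, domains = split_iocs(defanged)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 3 and matches(fields[2], ips, domains):
            hits.append((fields[1], fields[2]))
    return hits

if __name__ == "__main__":
    for host, dest in sweep(SAMPLE_LOG):
        print(f"{host} contacted {dest}")
```

A naive substring search would also flag `79.137.192.40` and `notarc-download.com`; the sweep above reports only the three genuine hits.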

Ultimately, this incident underscores the need for continued vigilance and robust security measures to protect users’ personal and financial data online.

 