IT Security Outsourced IT Websites

Google Ads Malware

What is Google Ads Malware?

Cyberattackers have been increasingly using Google Ads to spread malware. The cyberattackers often clone official websites and distribute trojanized versions of the software when users attempt to download. Some of the products that have been impersonated in Google Ad malware attacks like this include Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, Libre Office, Teamviewer, Thunderbird, and Brave1.

Cyberattackers conduct this scheme, first, by buying ads for impersonated websites in Google Search’s sponsored search results. The Google Ads platform helps advertisers promote pages on Google Search so that they will place high in the list of sponsored ads, often above the legitimate website. Since Google will block ads that they suspect are malicious, cyberattackers employ tricks to make the ad appear harmless, such as having the user arrive at a website that is disguised as a harmless and irrelevant website, but that is actually where users will be redirected to the malicious payload. The payload will come from a reputable file-sharing and code-hosting services such as Dropbox, GitHub, or Discord’s CDN, which ensures that the antivirus programs will not object to the download of the malicious ZIP or MSI file.

The FBI offers the following precautions for individuals and businesses to protect themselves against advertising cyberattacks2:


  • Before clicking on an advertisement, check the URL to make sure the site is authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
  • Rather than search for a business or financial institution, type the business’s URL into an internet browser’s address bar to access the official website directly.
  • Use an ad blocking extension when performing internet searches. Most internet browsers allow a user to add extensions, including extensions that block advertisements. These ad blockers can be turned on and off within a browser to permit advertisements on certain websites while blocking advertisements on others.


  • Use domain protection services to notify businesses when similar domains are registered to prevent domain spoofing.
  • Educate users about spoofed websites and the importance of confirming destination URLs are correct.
  • Educate users about where to find legitimate downloads for programs provided by the business.

1 Toulas, 2022, “Hackers abuse Google Ads to spread malware in legit software”

2 FBI, 2022, “Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users”