Hackers Trick Thousands Into Downloading Dangerous ‘Google Chrome Update’
I report and analyse breaking cybersecurity and privacy stories
Researchers from the Russian ‘Doctor Web’ virus laboratory have issued a warning after discovering thousands of victims have been tricked into downloading a dangerous backdoor that is disguised as an update to Google Chrome.
Updates and upgrades have been in the news a lot this last week, with Microsoft confirming unprecedented changes to Windows 10 updates and WhatsApp users being warned about an upgrade warning that isn’t what it seems. As reported by Kate O’Flaherty, March 19, Google has already paused all upcoming Chrome releases as the impact of the COVID-19 pandemic causes adjusted work schedules for developers. Google has also decided to skip the next point release, which was due to be Chrome 82. However, Google has confirmed that it will “continue to prioritize any updates related to security.” Now Google Chrome users are being warned to watch out for what the security researchers who uncovered it describe as a “dangerous backdoor” that is disguised as, you guessed it, a Chrome update.
Experienced hackers are behind the fake Google Chrome Update
Sophisticated data-stealer comes as part of this dangerous package
This is, of course, far from legitimate and is actually a malware installer file, one that has been downloaded more than 2,000 times, according to Doctor Web researchers. Once the file is executed, a TeamViewer remote control application is installed along with password-protected archives containing files that the threat actors use to hide the malware from Windows antivirus protection. Further malware payloads can then also be delivered, including a keylogger and a sophisticated Russian-based data stealer. That stealer, known as Predator the Thief, has been active for the last 18 months. It is known to use anti-debugging and anti-analysis techniques to frustrate detection and analysis by researchers.
Victims so far, who are targeted based upon a combination of geolocation and browser detection, have included people in the United States, Canada, Israel, Australia, Turkey and the United Kingdom. According to Doctor Web, the downloaded files can be traced, by way of the digital signature employed, to the same hackers that recently distributed a fake NordVPN installer.
Mitigation advice for Google Chrome users
If you are a Google Chrome web browser user, remember that Chrome was actually the first to include the feature of automatically updating itself. It will regularly check for any updates and these will be applied when you start the application. You can check you have the latest version, which is 80.0.3987.149 as of March 26, by going to Help|About Google Chrome from the “three dots” dropdown menu in the top right-hand corner of the browser. If, for whatever reason, you are not running the latest version, this will also kickstart the update process. You will never genuinely be redirected to a web page where you are asked to download an update from Google.
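For anyone who would rather script that version check than click through the menu, here is an added example (not code from the article or from Google) that reads the installed Chrome version and compares it, component by component, against the 80.0.3987.149 build named above. The Windows registry location `HKCU\Software\Google\Chrome\BLBeacon\version` and the browser binary names on other platforms are assumptions; the version parser deliberately rejects anything that is not a four-part `MAJOR.MINOR.BUILD.PATCH` string, so text lifted from a fake "update" page cannot be mistaken for a real version.

```python
"""Compare the installed Google Chrome version with a known-good build.
Added example, not part of the article. Registry path and binary names
are assumptions; the comparison logic itself is what matters."""
import re
import shutil
import subprocess
import sys
from typing import Optional, Tuple

KNOWN_GOOD = "80.0.3987.149"  # the latest stable build named in the article

# Chrome versions are always four dot-separated integers.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_chrome_version(text: str) -> Tuple[int, ...]:
    """Parse MAJOR.MINOR.BUILD.PATCH into a tuple of ints.
    Raises ValueError for anything else ('80.0.3987', 'Chrome 80 update!'),
    so a string copied from an untrusted page is never silently accepted."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_up_to_date(installed: str, known_good: str = KNOWN_GOOD) -> bool:
    """True when installed >= known_good, compared as integers per component.
    A plain string comparison would wrongly rank 9.x.x.x above 80.x.x.x."""
    return parse_chrome_version(installed) >= parse_chrome_version(known_good)


def installed_chrome_version() -> Optional[str]:
    """Best-effort lookup of the installed version; None if Chrome is not found.
    Windows: HKCU\\Software\\Google\\Chrome\\BLBeacon\\version (assumed location).
    Other platforms: ask the browser binary itself with --version."""
    if sys.platform == "win32":
        try:
            import winreg
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                                r"Software\Google\Chrome\BLBeacon") as key:
                value, _ = winreg.QueryValueEx(key, "version")
                return str(value)
        except OSError:
            return None
    for name in ("google-chrome", "google-chrome-stable",
                 "chromium", "chromium-browser"):
        path = shutil.which(name)
        if not path:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue
        m = re.search(r"(\d+\.\d+\.\d+\.\d+)", out.stdout)
        if m:
            return m.group(1)
    return None


def report(known_good: str = KNOWN_GOOD) -> str:
    """Human-readable verdict for the machine this runs on."""
    installed = installed_chrome_version()
    if installed is None:
        return "Chrome not found; nothing to check."
    if is_up_to_date(installed, known_good):
        return f"Chrome {installed} is at or above {known_good}."
    return (f"Chrome {installed} is older than {known_good}; open "
            "Help | About Google Chrome to let the built-in updater run.")


if __name__ == "__main__":
    print(report())
```

The point of the integer comparison is that Chrome's build numbers are four separate fields, not a decimal; and the only remediation the script suggests is the browser's own updater, since a genuine update never arrives through a download page.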