Cybercriminals have reportedly managed to trick another Google service into delivering malicious apps to unsuspecting users.
Their latest target is the Google Alerts service, which researchers have found has been abused to push fake updates of the now-discontinued Adobe Flash Player.
The latest campaign adds to the growing list of Google services that have been repeatedly abused in novel ways by threat actors for malicious purposes.
In this latest instance, unscrupulous elements first create fake stories with titles that contain popular keywords in order to get the attention of the search engine’s bots.
Once these fake stories have been indexed, the Google Alerts service will push them to the inbox of folks who’ve set up alerts to track those keywords.
Trusting them to be legitimate, since they are recommended by a Google service, when clicked the fake stories then redirect to a malicious site, which promotes all kinds of potentially unwanted programs (PUPs).
BleepingComputer recently observed one such campaign that used the fake Google Alert story to instead push a notification that suggests users to install an app to purportedly update their out-of-date Flash player. Not surprisingly, the app then promotes various PUPs.
This is just one of the recent examples of tricksters exploiting the trust of Google services for malicious purposes. In the past, threat actors have abused Google Forms and Google Sheets for malware command-and-control communications. Security researchers recently discovered a web skimming operation that leveraged the reputation of Google’s Apps Script domain.