
Fake Messaging Apps Exploit Chinese Users through Malicious Google Ads

Chinese-speaking users are facing a targeted threat through malicious Google ads promoting restricted messaging apps like Telegram, as part of an ongoing malvertising campaign. Malwarebytes’ Jérôme Segura revealed in a Thursday report that the threat actor is exploiting Google advertiser accounts to generate harmful ads, directing unsuspecting users to download Remote Administration Trojans (RATs). These programs grant attackers complete control over a victim’s machine, enabling them to introduce additional malware.

“The threat actor is abusing Google advertiser accounts to create malicious ads and pointing them to pages where unsuspecting users will download Remote Administration Trojan (RATs) instead,” noted Segura.

This malicious activity, known as FakeAPP, is a continuation of a previous attack wave that specifically targeted Hong Kong users searching for messaging apps like WhatsApp and Telegram on search engines in late October 2023.

In the latest phase of the campaign, the threat actors have expanded their scope by including the messaging app LINE in their list of targeted applications. Users are redirected to counterfeit websites hosted on Google Docs or Google Sites.

The Google infrastructure is leveraged to embed links leading to other sites controlled by the threat actor. This facilitates the delivery of malicious installer files, ultimately deploying trojans such as PlugX and Gh0st RAT.

Malwarebytes investigators have traced the origin of the fraudulent ads to two advertiser accounts, namely Interactive Communication Team Limited and Ringier Media Nigeria Limited, both based in Nigeria.

Commenting on the tactics employed by the threat actor, Segura highlighted that they prioritize quantity over quality, continually introducing new payloads and infrastructure for command-and-control purposes.

Jason Davies

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional with an interest in computer security and telecoms.
