Fake Homebrew Google ads target Mac users
Leveraging an attack vector that’s been in play off and on for the last two decades, hackers are targeting Mac users with malware camouflaged as the popular Homebrew tool, and spreading it through deceptive Google ads.
Malicious actors are leveraging Google ads to distribute malware through a counterfeit Homebrew website. The campaign targets macOS and Linux users with an infostealer that compromises credentials, browser data, and cryptocurrency wallets.
Homebrew, a widely-used open-source package manager, enables users to manage software through a command line. Hackers recently exploited its popularity by creating a malicious Google ad.
Developers, please be careful when installing Homebrew.
Google is serving sponsored links to a Homebrew site clone that has a cURL command to malware. The URL for this site is one letter different than the official site. pic.twitter.com/TTpWRfqGWo
— Ryan Chenkie (@ryanchenkie) January 18, 2025
The ad, spotted by developer Ryan Chenkie, appeared legitimate, displaying the correct URL for the Homebrew website, “brew.sh.” However, users who clicked it were redirected to a fake website hosted at “brewe.sh.”
The fake site mimicked Homebrew’s installation process, tricking visitors into running a malicious command. While the legitimate Homebrew site also provides such installation commands, running the script from the fake site downloaded and executed malware, specifically AmosStealer.
AmosStealer, also known as “Atomic Stealer,” is a macOS-focused infostealer sold to cybercriminals for $1,000 per month. It targets over 50 cryptocurrency wallets, browser-stored data, and desktop apps.
Previously, this malware has been used in similar campaigns, including fake Google Meet pages, making it a go-to tool for Apple-focused cyberattacks.
Malicious Google Search result. Image credit: @ryanchenkie
Homebrew’s project leader, Mike McQuaid, expressed frustration with Google’s inability to prevent such scams. While the malicious ad was taken down, McQuaid highlighted that similar incidents continue to occur due to insufficient oversight of sponsored ads.
Cybersecurity experts recommend avoiding sponsored links when searching for popular tools. Bookmarking official websites or accessing them directly can help users minimize risk.
Google’s struggle with hackers
Keeping malicious ads in check is a tough battle. Cybercriminals are constantly finding clever ways to outsmart detection, like tweaking URLs or changing ad content after approval to slip through the cracks.
With billions of ads to process every day, Google leans heavily on automation, but that alone isn’t enough. The sheer scale of its operations and the lack of significant human oversight mean some malicious campaigns inevitably get through.
For example, in April 2023, the same AmosStealer malware was first detected and was being sold through Telegram, a messaging app. In September of that year the hackers turned to malicious Google ads.
And in August 2024 attackers created fake versions of popular applications, including Loom, to trick users into downloading malware through deceptive Google-sponsored URLs.
Even with tools to identify and remove harmful ads, scammers’ evolving tactics and the complexity of enforcing rules worldwide leave Google struggling to stay ahead.
How to avoid malicious Google ads
To stay safe from these types of attacks, make sure to double-check website URLs before clicking, stick to bookmarks for trusted sites, and steer clear of installing software from unfamiliar or sponsored links.
Google has taken down this one particular malicious ad. As history has proven, the danger from bad ads isn’t gone, so Mac users — especially those using Homebrew — need to stay alert.
