Cybercriminals are stepping up their use of fake apps to trick users. Their method is to poison Google search results with fake websites that push malware disguised as trusted apps like Signal, WhatsApp, and Chrome.
Researchers at FortiGuard Labs uncovered this campaign, where attackers manipulate search rankings using SEO plugins and lookalike domains. Once victims land on these sites, they’re prompted to download what looks like a genuine installer — but it actually contains malware.
The fake sites have been spotted impersonating well-known platforms, including:
The malicious installers bundle trojans such as HiddenGh0st and a new variant of Winos, both designed to slip past detection while still delivering a real-looking app.
Once installed, the malware drops files into hidden directories and escalates its privileges. From there, it can:
SEO poisoning isn’t new. We covered it in a blog post back in 2024, which you can read here. Cisco Talos has previously reported campaigns using popular AI tools like ChatGPT. Other scams have impersonated major brands, often through Google ads that redirect to malicious sites.
This attack highlights why you should never fully trust search results or ads when downloading software. Always double-check the domain name and only use the official website of the app provider.
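The domain check recommended above, as an added example (it is not code from FortiGuard Labs or from this blog): it compares a download URL's host against an allowlist of official domains and flags hosts that borrow or misspell a brand name. The allowlist, the sample hosts under the reserved `.example` TLD, and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: official download domains for the apps named in this post.
OFFICIAL = {"signal": "signal.org", "whatsapp": "whatsapp.com", "chrome": "google.com"}
OFFICIAL_DOMAINS = set(OFFICIAL.values())
# Brand words an impersonating host is likely to borrow or misspell.
KEYWORDS = set(OFFICIAL) | {d.split(".")[0] for d in OFFICIAL_DOMAINS}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    # Simplification: last two labels. Production code should consult the
    # Public Suffix List so that suffixes like "co.uk" are handled correctly.
    return ".".join(host.split(".")[-2:])


def classify(url):
    """Return 'official', 'lookalike', 'unknown' or 'invalid' for a download URL."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    domain = registrable(host)
    if domain in OFFICIAL_DOMAINS:
        return "official"
    sld = domain.split(".")[0]
    for word in KEYWORDS:
        # Brand word anywhere in the host, or a near-miss spelling of it.
        if word in host or edit_distance(sld, word) <= 1:
            return "lookalike"
    return "unknown"
```

A result of `unknown` only means the host does not resemble the listed brands; it says nothing about whether the site is safe.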
We hope you’ve liked this blog. Stay tuned for more blogs like this. Stay safe!