Fake Chrome Update Malware

This is why Ad blockers are a MUST for everyday web browsing. Yet Google wants to take that away from us

Imagine my confusion when I got that popup on Firefox 💀

This just goes to show how important it is to NEVER open an .exe file until you are 100% sure it comes from a reputable source

Funny you mention that, just yesterday some big phone manufacturer flagged google as malware. Following the forums was kind of hilarious. But that aside.

I actually ran into this on a website a few weeks ago. It looked totally suspicous to me and the blue button to "Update Chrome" had some very strange address so I closed the page and notified the owner immediately. I consider myself pretty tech savy and I almost fell for it so the average person would easily fall for something like this.

OK, that was pretty scary as my wife asked me about doing an update like this a few days ago, and luckily I said let the auto update do it. Thank you!

Advertisers need to be held liable for all of the malicious ads they put up.

This is a reminder that "your browser comes with automatic updates" PSA that we sometimes see isn't out of nowhere.
People need to know that every browser these days updates automatically and popups like these are all bogus.

Step one: don't click every download button you see. Maybe Google should make it clear that chrome updates itself without needing to download random exe files. Maybe they should do something similar to Microsoft, in terms of Microsoft actively detects when you go to a Chrome download to essentially beg you to not. They should detect fake chrome, download pages and warn users.

This why adblock will never die

Thank you for educating us and keeping us safe!

Reading through the comments, it seems like so many people still have no clue. This problem is not limited to Chrome, or Firefox, or Windows, or Linux. It is a JavaScript thing, so it could happen on any system.
I'll try to summarize and keep it simple for those not as techy.
When you're browsing the web and a pop-up appears telling you need to update your browser, do NOT click on it. Not even when you're browsing your frequently visited sites because these sites could have been hacked to send you the fake prompts.
The malware may steal your accounts' information in split seconds, then unload itself before anti-virus could detect them.
If you need to update your browser or *any* software for that matter, always go through the official website only, and not by some 3rd party or "convenient" pop-up.

Let auto update do updates and click nothing especially downloads.
Man it is dangerous out there these days.

There are people who will see their anti-virus block it, then decide to override that decision thinking their AV is wrong because it is “just a Chrome update from Google.”
I think it best if the AV silently blocks it and then if checked for info it shows why.

good that i know how actually update browser properly, but this ”kind of update” is very scary

This happened to me but from a crack file, I was so stupid and confident about my knowledge since I also use 2FA on all my accounts. I ran the exe file and nothing happened. Then, i wasn’t aware about things like session hijackings and suddenly my youtube has weird ass watch histories, good thing I was able to change it quickly

I remember seeing a fake malware Firefox update that kept popping up years ago when I was using the real Firefox. I accidentally downloaded it not knowing it was fake. I was a kid when I did it and i realized that it was a malware because my grandpa told me it was and I told him I didn't know because it looked real

Could you do a tutorial on how to detect a virus that isn't visible in process explorer, autoruns, tcpviewer etc? Is it possible to do this in a simple way? EDIT. I forgot to mention that I would like to do this manually. As you know yourself, antivirus doesn't always detect everything.

That's scary how convinced I would have been by that update page, I would have been really sus of the downloaded file, though.

From my personal experience, Bitdefender would not even approve this download. The file would end up directly in quarantine ☺

If a webpage notifies me my browser is outdated, I just ignore that (especially, when I just updated).
This stuff has been around since ages (For Java, Adobe Flash) and no one should trust it at all.

Since they can detect the browser that is being used, this same sort of attack / vulnerability can affect any and all browsers (by just displaying the name of the browser rather than “Chrome”), since it tries to take advantage of unsuspecting users.

Another thing to look out for is the site URL when that update page pops up. Definitely not a Google link. And if it pops up in a separate window where it's hidden, a definite no.

What's wild about these kind of attacks is that some variants can do their job without any privilege escalation. As long as web browsers use their host OS current user session and credentials to "lock" saved passwords, it will never be secure to keep your passwords saved in them. And attacks targeting opened browser sessions are becoming more common too. Crazy stuff

This is why I go directly to the settings menu within chrome or any/every other program to check for updates that has it, never follow a pop up for any kind of download or update, especially if the program doesn't normally stop operating due to a lack of update or if there's a new update available.

Thank you for the in depth rundown! I do have a question though: how effective are these types of stealers when using Firefox's Master password or Edge's 2fa? Thanks!

Interesting that this came up. My Chrome has been telling me that it can't update for the past few days, and I had a moment the other day where I enabled cookies for something and then I kept getting windows notifications saying my McAfee anti-virus had detected a million viruses. I don't have McAfee installed. I deleted all cookies because I knew what I had clicked and it stopped. But I'm sort of suspicious now.

I like to think I wouldn't ever fall for stuff like this but considering the sophistication of some of these attacks I 100% could see myself clicking on one of these when I'm tired or in a rush.

and this at a time when YT forces ADs which themself can be infected.

At least on firefox the update is automatically downloaded in the background as soon as you open it, and you can check by open the 3 stripes on the top right corner, go to help and About to see which version you have. That is the proper way to do things, don't do what a popup tells you to do A to get B. The developers automatically update your browser when possible, in the background.

Depending on the time of the day, I could have fallen for the "popup"
But I would never click a .exe file for updating anything

Great video, spreading awareness on such topic is very significant. I would likely fall for it because it seems very convincing

I will show this video to my students tomorrow!

Some white hackers have found ways to get control of a windows host server from the windows virtual host. So testing in a VM is still dangerous even so this specific vulnerability has provably been fixed since.
(Was a virtual box vulnerability)

So many people can be saved by just knowing never to open a .exe file unless you initiated it yourself or you know where it's from.. Adblock is invaluable in this example as those pop-ups would be most likely blocked.. There has been multiple times where I have tried to download something and notced it was a weird .exe file with a different name and stopped it in time, thanks to videos like this. Love the work man, keep it up.

I remember these back in 2012-2013 on the macbooks. Our schools website got hacked and everyone who visited got a update pop-up. Most people downloaded it.

If that happened to me I would just look for another tutorial or see if there was a cached/archived version of that website, because I don't want to update.

Literally JUST happened to me and I closed the browser immediately. I am beyond glad I watched this video weeks prior. Thank you.

I have an question i followed an tut how to see if someone hacked your pc by typing netstat in cmd because in last time my laptop is shuting down automaticly and sometimes i cant log in my antivirus programms say nothing (im using kaspersky premium and win defender) but when i type netstat in cmd 1 link ends with 7474 insted https or http PLEASE REPLY HOW TO REMOVE THIS HACKER OR WHATEVER THAT THING IS I WHOULD BE HAPPY

In your video, you said that they probabily steal the passwords saved on the browser. How about on password managers? Extensions or Windows based ones? I know they usually are encrypted on device, but still, are there a chance they can get to it?

Thanks for keeping us informed my dude!!!

I think people who checks email address at work to make sure if it's not a fake or scam will also realize if they need an update for browser and usually browser will do it automatically

Reminds me of one of those popups that says it's an update for your phone.

A question I am curious about when it comes to the passwords being stolen would it be able to steal passwords that are inside a password manager like 1Password?

Set your settings for notification system to high alert and make sure you have system protection on in system configuration for configuration to high as well and turn off the remote tcp settings known as connection crossing in world connections in system configuration. It'll make it a lot more harder for malware and people to get in on your computer. And if you sat admin administrator for certain settings and makes it even harder for them to get into the system. Cuz then they need administrator access but then you have all your configuration so it makes it even harder for configuration access and administrator. Access through remote connections .. my CPU runs at 10%

Never had this problem ever since switching to quad9 DNS and cloudflare DNS with malware filtering

Thanks for sharing these videos. Just found your channel

Good thing I have never used a Chromium based browser. Wise move on my part. My second one was switching to Linux.

Where can we download the Sysinternals tool that you were using to demonstrate the infected file?

Coulda swore I saw something like this and decided against it because I didn't want to reset my browser

I would probably think it’s fake because update google doesn’t just pop up like that in the same tab

ok so the malware executes then hides itself so later if u check process explorer, you wouldnt be able to see it show the total virus to indicate anything bad happens.
so question is, how would u know? people would be oblivious to this. not to mention some malwares also hide their activity when you open task manager, and goes dormant. but later when u close it, it's back to ramping up cpu to 100% up to no good.
would be useful if you taught how us users would be able to detect that and also remove.

Hey Just quick question I have "Control folder access: Enabled" on MS defender mean, even if this run windwos defender will flag it as trying to access my inner root folder hence it will be bloked right??

This reminds me of the good old flash player installer, thanks for covering this program

If you ran Wireshark it would catch all of that. It might not decrypt anything easily but you would have the encrypted file and any IP addresses it went through.

More reasons why I only ever update my browser when the actual update button appears at the top of the browser. I would never manually download a browser update.

I did not know about this but I initiate all my updates. Usually manually or with some programs I let them auto update. But even an auto update will not be going to a fake web site. It seems like the same general good rule of thumb that applies to emails, texts, telephone calls and everything. If it is initiated from the outside, be very cautious. It has been years since I retired from IT but even back in the day when auto protection was not as good, the majority of times I was helping someone with malware it was self inflicted.

who updates browser from website. browser does itself.

Thanks for keeping us informed.

A few days ago I actually got a pop-up like that. It told me to update Chrome if I wanted to go further... but I was using Brave...

That's a nasty one, thanks for the heads up.

What methods are used to hack wordpress websites? What method or methods were used to inject those javascript codes in the articles?

I think I ran into a website that was trying to do this but my AV (ESET) blocked it (doing more research it found some code in a WP theme that someone used). However I never found out if this was the case because my AV simply shut down the connection and blocked the entire site.
For updates, generally I just download the installer again and run it, since it will update the browser in question if it finds an out-of-date version in most cases.

This is why I don't use cookies, because I don't trust my self not to accidently install cookie and other credentials logging virus because of how common they are.

how does one go about hardening their WordPress to avoid this kind of infection?

I am not so tech savy, I have a question :bitdefender or kaspersky installed on my pc would have blocked that file or not?

WOULD u plezzz do the comparison video between Bitdefender , Kaspersky & Norton which one is THE BEST & comes out as winner ....also what is UR FAV or the BEST Antivirus total security software OF this year!

Another rule of thumb is, you update your browser in the about section in the browser itself and not downloaded on any website or ad .

Does it leave anything on your computer if you happen to click on it? If so where to go and delete it.

If I click on a button that says "Update Chrome" and I _download an executable_ I am not visiting that site as long as I remember that.

I have been recently getting some UAC prompts about Google chrome update randomly on my computer when chrome is closed. Every time I click yes. Is this also a virus?

Why didn't you show the network traffic like wireshark or fiddler?

It amazes me that in following your instruction, there is nothing the same in my computer which is running Windows 11. By searching, I have found "properties" and I found "Advanced system setting" but I can not find the page next that you talk about. Help! I want to check. By the way, I don't think I have seen the Google update you are referring

Hello sir, i got this on my pc and everything was stolen, but my problem now is that my pc starts running slow after everything was stolen. Can I ask you where could i start to clean my pc?

i got an ad for chrome’s malware protection before this video

What a blessed channel!

it may just be me, but ive seen these "you need to upsate your browser to view this " or "you need this plug in to view this" for years. they really arent that convincing. im suprised to see this classified "malware" instead of "really basic tactic to mess up people who have literally never surfed the web before."

So only update by going to about and ignore popups that say update correct?

i think i might have installed it, i did found it sus that i need to install an installer for update as it happens in background mostly but the popup appeared automatically in the browser as soon as i opened it twice and not on a site so i did it and seemed petty legit too. Also after i ran the program unlike in the video chrome seemingly installed/reinstalled some stuff and a new "what's new in the update" window appeared. and yeah it happened a while ago like 2-3ish weeks
So i was curious that was it legit or i messed up

Except Chromes update prompt appears in the top right of the browser bar... because it updates automatically in the background.

How does this malware steal passwords? Is it the memorized passwords on the browser (isn't that encrypted?) or the cookie for the sessions?

when adblockers can safe your computer life
oh the websites hate adblockers...

How will I ever find out it this has happened? Would malware bites pick this up? I have the browser guard and paid pro version?

If any webpage would do that to me, just reading the page and boom it spits popup in my face, the first thing I do is open the developer tools and ufking kill the element with the popup. Restore the overflow property on the page body, then continue reading.
If the page would struggle more, and somehow make it absolutely impossible to get to the content without registering, the domain goes straight up into the blacklist. I don't need sites that track me, bomb me with messages, and feed me some "personalized enhanced truth", thank you very much.

What can i do if someone break in to my house and has the ability to get in to my pc over and over again?

Question: I know info stealers steal login details stored in browsers. Does anyone know if they also steal information from browser extensions? eg. can an infostealer steal information from a password manager browser extension like Bitwarden?

I work on the theory that if a site tells me to update my browser or turn off my adblocker then I'm not going to that site irrespective as to whether it is a legit site or not. You want me to visit your site then just let me in. If I have to do a dance then I'll go elsewhere. That's the beauty of the internet. There's always another option waiting.

The scary thing is that it is signed. How can it be signed?

and this is why i don't use manual updates, i'v set it to auto and as far as i know only the real update can auto update, all i see is when i first start the webapp is "its has bin updated to the latest version".
i also hover over all links i'm about to click to see where it leads, if it looks just a tad iffy its a no click for me. same goes for mail, never send me a link because i'll NEVER click links inside mails EVEN if it comes from FRIENDS.
yea i'm this paranoid, and even me do get infected from time 2 time, so i'm constantly changing how i use internet.

it should be common knowldge that chrome will never pop up on a full page asking you to update

I clicked the update button. But never ran the script, deleted it from my downloads and recycling bin. Am I good?

Is it me or Kaspersky prevents the Guardio article from opening?... It claimed it stopped something from downloading yet nothing show up in the logs...

Well not a surprise. Once I got a pretty damn page with a fake Windows desktop, an error saying I have to install a program to cleanup the system because there is no storage left with as well cortana voice as tts. As well they were the first times for me using a computer but I didn't fall for that.

Which Antivirus would you prefer for your Mobil Phone and Pc ? Or waht do you have?

Thank you for the info - I'm asking me if X operation systems would help ? THX

ironically enough, chrome never prompts the user to update, it updates whenever and just tells the user that it has updated

Great info I like it keep me updated 😊👍🏼

well the thing is though for me i always check on Microsoft edge under settings check for updates

I had a similar thing happened to me, I verified for a discord server, and it brought me to a link. The link was saying I needed to update my adobe.

Whats your opinion about ESET NOD32 ? Thanks