Fake Google Chrome update contains nasty malware: Avoid this right now


Cybercriminals have created fake Google Chrome browser updates that infect Windows users with many kinds of malware in a multi-step but relentless process, Russian antivirus firm Dr. Web has found.

"The target audience is users from the USA, Canada, Australia, Great Britain, Israel, and Turkey, using the Google Chrome browser," Dr. Web researchers said in a blog post yesterday (March 25).

As of this morning (March 26), the malware, which comes in two similar variants, had been downloaded more than 3,000 times, according to logs on the legitimate code repository used to store the malware. 

One of the phony installer programs, called "Critical_Update.exe", was created March 13. The other, "Update.exe", was created only yesterday.

How to avoid the phony Google Chrome installer

To make sure you don't fall victim to this attack, install and use some of the best antivirus software, which will eventually detect and block the malware involved. (Only a handful of antivirus brands can easily detect it as of this writing, according to the malware-detection index VirusTotal.) 

You could also use Mozilla Firefox exclusively for the next few days until the bulk of the antivirus firms catch up and block the threat. As Microsoft Edge now shares its underpinnings with Chrome, we'd steer clear of that out of caution. 

But more importantly, do NOT install anything from a website that informs you that you need to update the Google Chrome browser. Chrome doesn't work that way -- it updates on its own, behind the scenes, and you rarely need to do anything if you've already got it installed. 

Stages of attack

The attack operates in several stages. First, the hackers attack vulnerable WordPress-based websites, "from online news blogs to corporate pages," as Dr. Web put it, and insert malicious but invisible JavaScript code into the sites' web pages.

Visitors to the corrupted sites who are using Google Chrome will be silently redirected to bogus Google pages that inform the visitors they need to update their browsers, with a handy button for download. 

If the victims fall for the trick and install the "updates," they'll actually be installing TeamViewer, a legitimate remote-desktop tool that gives the hackers real-time remote control of your computer. They'll also install a script that makes sure that the Microsoft Defender antivirus software built into Windows is unaware of what's going on.

Dr. Web researchers said the hackers, using TeamViewer, would then install spyware on the infected computers, or keyloggers to capture passwords and usernames. In fact, the hackers could install pretty much anything on your machine, including ransomware, cryptocurrency stealers or botnet malware.

(Tech-savvy users can try blocking TeamViewer's preferred port, port 5938. But TeamViewer then defaults to using ports 443 and 80, and blocking those would block all web traffic.)
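
Because TeamViewer can fall back to ports 443 and 80, it is more reliable to look at which program owns a connection than at the port alone. The PowerShell sketch below is an added example, not code from Dr. Web or from the original article; it assumes the remote-control program still runs under a process name starting with "TeamViewer", so a renamed copy would be flagged only while it uses port 5938.

```powershell
# Added example: list established TCP connections that belong to a TeamViewer
# process or that use TeamViewer's preferred port, whichever port is in use.
# Assumption: the process name starts with "TeamViewer" (not stated in the article).
$teamViewerPort = 5938        # preferred port named in the article
$fallbackPorts  = 443, 80     # fallback ports named in the article

# Index running processes by ID once so each connection lookup is cheap.
$procById = @{}
Get-Process | ForEach-Object { $procById[[int]$_.Id] = $_ }

$findings = Get-NetTCPConnection -State Established | ForEach-Object {
    $proc = $procById[[int]$_.OwningProcess]
    if (-not $proc) { return }    # process exited between the two snapshots

    $byName = $proc.ProcessName -like 'TeamViewer*'
    $byPort = $_.RemotePort -eq $teamViewerPort
    if (-not ($byName -or $byPort)) { return }

    # Explain why the connection was flagged, including the fallback case
    # that a simple block on port 5938 would miss.
    $reason = if ($byName -and $byPort) {
        'TeamViewer process on its preferred port'
    } elseif ($byName -and ($fallbackPorts -contains $_.RemotePort)) {
        'TeamViewer process on a fallback web port'
    } elseif ($byName) {
        'TeamViewer process on another port'
    } else {
        'Other process using port 5938'
    }

    [pscustomobject]@{
        Process = $proc.ProcessName
        PID     = $proc.Id
        Path    = $proc.Path      # may be empty without administrator rights
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        Reason  = $reason
    }
}

if ($findings) {
    $findings | Sort-Object Process, Remote | Format-Table -AutoSize
} else {
    'No established TeamViewer connections found.'
}
```

If you never installed TeamViewer yourself, any row in the output is worth investigating, starting with the file shown in the Path column.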

A message to WordPress users

Millions of websites use the free WordPress web-publishing platform, and the core WordPress developers fix security flaws quickly. The problem is that WordPress, as an open platform, has thousands of optional plug-ins that can be written by anyone and then used by website administrators to add features and functions.

Many of those third-party plug-ins have security holes that criminals can discover and exploit, and a few of them are definitely malicious. 

If you use WordPress for your blog or website, please keep your core WordPress build updated and be very careful about using plug-ins.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
