Fake Google Chrome update contains nasty malware: Avoid this right now

The Google Chrome browser displayed on the screen of a Windows laptop.
(Image credit: pixinoo/Shutterstock)

Cybercriminals have created fake Google Chrome browser updates that infect Windows users with many kinds of malware in a multi-step but relentless process, Russian antivirus firm Dr. Web has found.

"The target audience is users from the USA, Canada, Australia, Great Britain, Israel, and Turkey, using the Google Chrome browser," Dr. Web researchers said in a blog post yesterday (March 25).

As of this morning (March 26), the malware, which comes in two similar variants, had been downloaded more than 3,000 times, according to logs on the legitimate code repository used to store the malware. 

One of the phony installer programs, called "Critical_Update.exe", was created March 13. The other, "Update.exe", was created only yesterday.

How to avoid the phony Google Chrome installer

To make sure you don't fall victim to this attack, install and keep running one of the best antivirus programs; vendors will add detection for this malware over time. (As of this writing, only a handful of antivirus engines flag it, according to the multi-engine scanning service VirusTotal.)

You could also use Mozilla Firefox exclusively for the next few days until the bulk of the antivirus firms catch up and block the threat. Microsoft Edge is now built on the same Chromium code base as Chrome, and its user-agent string also contains "Chrome", so if the injected script identifies the browser from that string, as such scripts usually do, Edge users would be redirected too; we'd steer clear of it out of caution.

But more importantly, do NOT install anything from a website that informs you that you need to update the Google Chrome browser. Chrome doesn't work that way -- it updates on its own, behind the scenes, and you rarely need to do anything if you've already got it installed. If you want to check, open Chrome's own menu and choose Help > About Google Chrome; that page checks for and applies updates itself, with no download from a third-party site.

Stages of attack

The attack operates in several stages. First, the hackers compromise vulnerable WordPress-based websites, "from online news blogs to corporate pages," as Dr. Web put it, and insert malicious but invisible JavaScript code into the sites' web pages.

Visitors who reach the compromised sites with Google Chrome are silently redirected to bogus Google pages that inform them they need to update their browser, with a handy download button.
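The injection stage above gives a site owner something concrete to look for: a script element that tests the user agent for Chrome and then rewrites the page location, usually wrapped in some obfuscation. The following Python is an added example written for this article, not Dr. Web's analysis or the attackers' script; the sample page, the trusted hosts, the ".invalid" domains and the scoring weights are all constructed assumptions.

```python
"""
Heuristic scan of a page's HTML for an injected, browser-gated redirect.
Added example for this article; it is not Dr. Web's detection logic, and the
sample page below is constructed rather than the code they analysed.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Hosts this site legitimately loads scripts from (assumption: the site is example.com).
TRUSTED_HOSTS = {"example.com", "www.example.com"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_HOST_RE = re.compile(r"""src\s*=\s*["']?(?:https?:)?//([^/"'\s>]+)""", re.I)
UA_RE = re.compile(r"navigator\.(?:userAgent|appVersion|vendor)", re.I)
CHROME_RE = re.compile(r"\bChrome\b")
# location = ..., location.href = ..., location.replace(...), location.assign(...)
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href|\.replace|\.assign)?\s*(?:=[^=]|\()")
OBFUSCATION_RE = re.compile(
    r"\beval\s*\(|\batob\s*\(|\bunescape\s*\(|String\.fromCharCode|\\x[0-9a-fA-F]{2}")


@dataclass
class Finding:
    index: int                                   # ordinal of the <script> element in the page
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def scan_scripts(html: str) -> List[Finding]:
    """Score every <script> element; a higher score looks more like an injected redirect."""
    findings = []
    for i, m in enumerate(SCRIPT_RE.finditer(html)):
        attrs, body = m.group(1), m.group(2)
        f = Finding(index=i)
        src = SRC_HOST_RE.search(attrs)
        if src and src.group(1).lower() not in TRUSTED_HOSTS:
            f.score += 2
            f.reasons.append(f"loaded from untrusted host {src.group(1)}")
        if UA_RE.search(body) and CHROME_RE.search(body):
            f.score += 2
            f.reasons.append("tests the user agent for Chrome")
        if REDIRECT_RE.search(body):
            f.score += 2
            f.reasons.append("rewrites the page location")
        if OBFUSCATION_RE.search(body):
            f.score += 1
            f.reasons.append("uses obfuscation primitives")
        findings.append(f)
    return findings


def suspicious_scripts(html: str, threshold: int = 4) -> List[Finding]:
    """Only scripts that combine several indicators; a lone third-party include stays below."""
    return [f for f in scan_scripts(html) if f.score >= threshold]


# Constructed sample page: a legitimate include, a third-party include, theme code,
# and one injected script of the kind the article describes (hosts are reserved .invalid names).
SAMPLE_PAGE = r"""<!doctype html>
<html><head><title>Example News</title>
<script src="https://www.example.com/wp-includes/js/jquery/jquery.min.js"></script>
<script src="//cdn-stats.invalid/s.js"></script>
<script>
  // theme code: toggles the mobile menu
  document.addEventListener('DOMContentLoaded', function () {
    document.querySelector('#menu').classList.toggle('open');
  });
</script>
</head><body>
<h1>Today's headlines</h1>
<script>var _0xa=["\x43\x68\x72\x6f\x6d\x65"];
if(navigator.userAgent.indexOf("Chrome")>-1){
  window.location.href="https://chrome-update.invalid/update";}</script>
</body></html>"""

if __name__ == "__main__":
    for f in suspicious_scripts(SAMPLE_PAGE):
        print(f"script #{f.index} score={f.score}: " + "; ".join(f.reasons))
```

Run it against the HTML your server returns to a Chrome user agent and to a non-Chrome one and compare the two; a script that shows up only in the Chrome response deserves attention regardless of its score. The thresholds are deliberately loose, so treat the output as a review list, not a verdict.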

If the victims fall for the trick and run the "update," they actually install TeamViewer, a legitimate remote-desktop tool that gives the hackers real-time remote control of the machine. They also install a script that makes sure the Microsoft Defender antivirus software built into Windows is unaware of what's going on.

Dr. Web researchers said the hackers, using TeamViewer, would then install spyware on the infected computers, or keyloggers to capture passwords and usernames. In fact, the hackers could install pretty much anything on your machine, including ransomware, cryptocurrency stealers or botnet malware.
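For defenders, the useful signal in the stage above is the combination: a Defender configuration change (an exclusion added, or real-time protection switched off) followed within minutes by a TeamViewer service appearing on the same host. The Python below is an added example for this article, not Dr. Web's detection logic; the event records are constructed in the shape of exported Windows event log entries (Defender operational event 5007 for a configuration change, 5001 for real-time protection disabled, System event 7045 for a service install), and the 30-minute correlation window, host names and paths are assumptions.

```python
"""
Triage of Windows event records for the chain the article describes: a
Defender configuration change followed shortly by a TeamViewer service install
on the same host. Added example; not Dr. Web's logic. All records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

DEFENDER_LOG = "Microsoft-Windows-Windows Defender/Operational"
SYSTEM_LOG = "System"
WINDOW = timedelta(minutes=30)   # assumption: how close the two events must be to correlate


def classify(ev: Dict) -> Optional[str]:
    """Map one event record to a tag, or None if it is not of interest."""
    msg = ev["message"]
    if ev["log"] == DEFENDER_LOG:
        if ev["id"] == 5007 and "\\Exclusions\\" in msg:   # config change that adds an exclusion
            return "defender_exclusion_added"
        if ev["id"] == 5001:                                # real-time protection disabled
            return "defender_realtime_off"
    if ev["log"] == SYSTEM_LOG and ev["id"] == 7045 and "teamviewer" in msg.lower():
        return "teamviewer_service_installed"
    return None


def triage(events: List[Dict]) -> Dict[str, list]:
    """Return every tagged event ("hits") and the per-host correlations ("alerts")."""
    hits = []
    for ev in events:
        tag = classify(ev)
        if tag:
            hits.append({"host": ev["host"], "time": datetime.fromisoformat(ev["time"]), "tag": tag})
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    alerts = []
    for host, hs in by_host.items():
        defender = [h for h in hs if h["tag"].startswith("defender_")]
        tools = [h for h in hs if h["tag"] == "teamviewer_service_installed"]
        for d in defender:
            for t in tools:
                if abs(t["time"] - d["time"]) <= WINDOW:
                    alerts.append({"host": host, "severity": "high",
                                   "defender": d["tag"], "tool": t["tag"],
                                   "first_seen": min(d["time"], t["time"]).isoformat()})
    return {"hits": hits, "alerts": alerts}


# Constructed sample: one host shows the full chain, another has an unrelated
# Defender change and a TeamViewer install days apart (an IT-installed copy).
SAMPLE_EVENTS = [
    {"host": "WS-0412", "time": "2020-03-25T14:02:11", "log": SYSTEM_LOG, "id": 7045,
     "message": "A service was installed in the system.\nService Name: Example Print Monitor\n"
                "Service File Name: \"C:\\Program Files\\ExamplePrinter\\monitor.exe\""},
    {"host": "WS-0412", "time": "2020-03-25T14:05:40", "log": DEFENDER_LOG, "id": 5007,
     "message": "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected "
                "event you should review the settings as this may be the result of malware.\n"
                "Old value: \nNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
                "Paths\\C:\\Users\\Public\\Update = 0x0"},
    {"host": "WS-0412", "time": "2020-03-25T14:06:02", "log": SYSTEM_LOG, "id": 7045,
     "message": "A service was installed in the system.\nService Name: TeamViewer\n"
                "Service File Name: \"C:\\Program Files (x86)\\TeamViewer\\TeamViewer_Service.exe\"\n"
                "Service Type: user mode service\nService Start Type: auto start\n"
                "Service Account: LocalSystem"},
    {"host": "WS-0199", "time": "2020-03-25T09:30:00", "log": DEFENDER_LOG, "id": 5007,
     "message": "Microsoft Defender Antivirus Configuration has changed.\nOld value: \n"
                "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleDay = 0x2"},
    {"host": "WS-0199", "time": "2020-03-20T11:00:00", "log": SYSTEM_LOG, "id": 7045,
     "message": "A service was installed in the system.\nService Name: TeamViewer\n"
                "Service File Name: \"C:\\Program Files (x86)\\TeamViewer\\TeamViewer_Service.exe\""},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for a in result["alerts"]:
        print(f"{a['host']}: {a['defender']} + {a['tool']} at {a['first_seen']}")
```

A lone TeamViewer install still shows up in "hits" for review, but only the pairing raises an alert, which keeps an IT department's own remote-support deployments from paging anyone.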

(Tech-savvy users can try blocking TeamViewer's preferred port, TCP 5938, but TeamViewer then falls back to ports 443 and 80, and blocking those would block all web traffic. A firewall rule that blocks the TeamViewer executable itself from making outbound connections, whatever port it uses, is the more effective control if you want to block it at all.)

A message to WordPress users

Millions of websites use the free WordPress web-publishing platform, and the core WordPress developers fix security flaws quickly. The problem is that WordPress, as an open platform, has thousands of optional plug-ins that can be written by anyone and then used by website administrators to add features and functions.

Many of those third-party plug-ins have security holes that criminals can discover and exploit, and a few of them are definitely malicious. 

If you use WordPress for your blog or website, please keep your core WordPress build updated and be very careful about using plug-ins.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.