Fake Chrome Update Malware

This is why Ad blockers are a MUST for everyday web browsing. Yet Google wants to take that away from us

Funny you mention that, just yesterday some big phone manufacturer flagged google as malware. Following the forums was kind of hilarious. But that aside.

Imagine my confusion when I got that popup on Firefox 💀

OK, that was pretty scary as my wife asked me about doing an update like this a few days ago, and luckily I said let the auto update do it. Thank you!

Advertisers need to be held liable for all of the malicious ads they put up.

This just goes to show how important it is to NEVER open an .exe file until you are 100% sure it comes from a reputable source

I actually ran into this on a website a few weeks ago. It looked totally suspicous to me and the blue button to "Update Chrome" had some very strange address so I closed the page and notified the owner immediately. I consider myself pretty tech savy and I almost fell for it so the average person would easily fall for something like this.

Step one: don't click every download button you see. Maybe Google should make it clear that chrome updates itself without needing to download random exe files. Maybe they should do something similar to Microsoft, in terms of Microsoft actively detects when you go to a Chrome download to essentially beg you to not. They should detect fake chrome, download pages and warn users.

This is a reminder that "your browser comes with automatic updates" PSA that we sometimes see isn't out of nowhere.
People need to know that every browser these days updates automatically and popups like these are all bogus.

Thank you for educating us and keeping us safe!

This why adblock will never die

This happened to me but from a crack file, I was so stupid and confident about my knowledge since I also use 2FA on all my accounts. I ran the exe file and nothing happened. Then, i wasn’t aware about things like session hijackings and suddenly my youtube has weird ass watch histories, good thing I was able to change it quickly

Reading through the comments, it seems like so many people still have no clue. This problem is not limited to Chrome, or Firefox, or Windows, or Linux. It is a JavaScript thing, so it could happen on any system.
I'll try to summarize and keep it simple for those not as techy.
When you're browsing the web and a pop-up appears telling you need to update your browser, do NOT click on it. Not even when you're browsing your frequently visited sites because these sites could have been hacked to send you the fake prompts.
The malware may steal your accounts' information in split seconds, then unload itself before anti-virus could detect them.
If you need to update your browser or *any* software for that matter, always go through the official website only, and not by some 3rd party or "convenient" pop-up.

good that i know how actually update browser properly, but this ”kind of update” is very scary

There are people who will see their anti-virus block it, then decide to override that decision thinking their AV is wrong because it is “just a Chrome update from Google.”
I think it best if the AV silently blocks it and then if checked for info it shows why.

Let auto update do updates and click nothing especially downloads.
Man it is dangerous out there these days.

That's scary how convinced I would have been by that update page, I would have been really sus of the downloaded file, though.

What's wild about these kind of attacks is that some variants can do their job without any privilege escalation. As long as web browsers use their host OS current user session and credentials to "lock" saved passwords, it will never be secure to keep your passwords saved in them. And attacks targeting opened browser sessions are becoming more common too. Crazy stuff

I remember seeing a fake malware Firefox update that kept popping up years ago when I was using the real Firefox. I accidentally downloaded it not knowing it was fake. I was a kid when I did it and i realized that it was a malware because my grandpa told me it was and I told him I didn't know because it looked real

Another thing to look out for is the site URL when that update page pops up. Definitely not a Google link. And if it pops up in a separate window where it's hidden, a definite no.

Since they can detect the browser that is being used, this same sort of attack / vulnerability can affect any and all browsers (by just displaying the name of the browser rather than “Chrome”), since it tries to take advantage of unsuspecting users.

From my personal experience, Bitdefender would not even approve this download. The file would end up directly in quarantine ☺

If a webpage notifies me my browser is outdated, I just ignore that (especially, when I just updated).
This stuff has been around since ages (For Java, Adobe Flash) and no one should trust it at all.

Could you do a tutorial on how to detect a virus that isn't visible in process explorer, autoruns, tcpviewer etc? Is it possible to do this in a simple way? EDIT. I forgot to mention that I would like to do this manually. As you know yourself, antivirus doesn't always detect everything.

At least on firefox the update is automatically downloaded in the background as soon as you open it, and you can check by open the 3 stripes on the top right corner, go to help and About to see which version you have. That is the proper way to do things, don't do what a popup tells you to do A to get B. The developers automatically update your browser when possible, in the background.

This is why I go directly to the settings menu within chrome or any/every other program to check for updates that has it, never follow a pop up for any kind of download or update, especially if the program doesn't normally stop operating due to a lack of update or if there's a new update available.

Interesting that this came up. My Chrome has been telling me that it can't update for the past few days, and I had a moment the other day where I enabled cookies for something and then I kept getting windows notifications saying my McAfee anti-virus had detected a million viruses. I don't have McAfee installed. I deleted all cookies because I knew what I had clicked and it stopped. But I'm sort of suspicious now.

I will show this video to my students tomorrow!

and this at a time when YT forces ADs which themself can be infected.

I like to think I wouldn't ever fall for stuff like this but considering the sophistication of some of these attacks I 100% could see myself clicking on one of these when I'm tired or in a rush.

I remember these back in 2012-2013 on the macbooks. Our schools website got hacked and everyone who visited got a update pop-up. Most people downloaded it.

Depending on the time of the day, I could have fallen for the "popup"
But I would never click a .exe file for updating anything

Good thing I have never used a Chromium based browser. Wise move on my part. My second one was switching to Linux.

who updates browser from website. browser does itself.

Some white hackers have found ways to get control of a windows host server from the windows virtual host. So testing in a VM is still dangerous even so this specific vulnerability has provably been fixed since.
(Was a virtual box vulnerability)

If that happened to me I would just look for another tutorial or see if there was a cached/archived version of that website, because I don't want to update.

That's a nasty one, thanks for the heads up.

Reminds me of one of those popups that says it's an update for your phone.

Coulda swore I saw something like this and decided against it because I didn't want to reset my browser

People who don't use chrome:
"I'm 4 parallel universes above you"

Set your settings for notification system to high alert and make sure you have system protection on in system configuration for configuration to high as well and turn off the remote tcp settings known as connection crossing in world connections in system configuration. It'll make it a lot more harder for malware and people to get in on your computer. And if you sat admin administrator for certain settings and makes it even harder for them to get into the system. Cuz then they need administrator access but then you have all your configuration so it makes it even harder for configuration access and administrator. Access through remote connections .. my CPU runs at 10%

In your video, you said that they probabily steal the passwords saved on the browser. How about on password managers? Extensions or Windows based ones? I know they usually are encrypted on device, but still, are there a chance they can get to it?

So many people can be saved by just knowing never to open a .exe file unless you initiated it yourself or you know where it's from.. Adblock is invaluable in this example as those pop-ups would be most likely blocked.. There has been multiple times where I have tried to download something and notced it was a weird .exe file with a different name and stopped it in time, thanks to videos like this. Love the work man, keep it up.

I would probably think it’s fake because update google doesn’t just pop up like that in the same tab

Never had this problem ever since switching to quad9 DNS and cloudflare DNS with malware filtering

Literally JUST happened to me and I closed the browser immediately. I am beyond glad I watched this video weeks prior. Thank you.

This is why I don't use cookies, because I don't trust my self not to accidently install cookie and other credentials logging virus because of how common they are.

I think people who checks email address at work to make sure if it's not a fake or scam will also realize if they need an update for browser and usually browser will do it automatically

I work on the theory that if a site tells me to update my browser or turn off my adblocker then I'm not going to that site irrespective as to whether it is a legit site or not. You want me to visit your site then just let me in. If I have to do a dance then I'll go elsewhere. That's the beauty of the internet. There's always another option waiting.

If you ran Wireshark it would catch all of that. It might not decrypt anything easily but you would have the encrypted file and any IP addresses it went through.

This reminds me of the good old flash player installer, thanks for covering this program

A few days ago I actually got a pop-up like that. It told me to update Chrome if I wanted to go further... but I was using Brave...

ok so the malware executes then hides itself so later if u check process explorer, you wouldnt be able to see it show the total virus to indicate anything bad happens.
so question is, how would u know? people would be oblivious to this. not to mention some malwares also hide their activity when you open task manager, and goes dormant. but later when u close it, it's back to ramping up cpu to 100% up to no good.
would be useful if you taught how us users would be able to detect that and also remove.

5:45 jokes on you. My firefox update is disabled

when adblockers can safe your computer life
oh the websites hate adblockers...

i got an ad for chrome’s malware protection before this video

Thank you for the in depth rundown! I do have a question though: how effective are these types of stealers when using Firefox's Master password or Edge's 2fa? Thanks!

it may just be me, but ive seen these "you need to upsate your browser to view this " or "you need this plug in to view this" for years. they really arent that convincing. im suprised to see this classified "malware" instead of "really basic tactic to mess up people who have literally never surfed the web before."

this clearly tells me that everyone could fall for it so just remember to activate 2fa on each account you have.

If I click on a button that says "Update Chrome" and I _download an executable_ I am not visiting that site as long as I remember that.

People should know that Chrome never prompts you to update. The only safe and sure way to update chrome is to click the three dots in the upper right corner, go down to "Help" and select "About Google Chrome". There Chrome will check to see if you're up to date and update if necessary.

I did not know about this but I initiate all my updates. Usually manually or with some programs I let them auto update. But even an auto update will not be going to a fake web site. It seems like the same general good rule of thumb that applies to emails, texts, telephone calls and everything. If it is initiated from the outside, be very cautious. It has been years since I retired from IT but even back in the day when auto protection was not as good, the majority of times I was helping someone with malware it was self inflicted.

Moral of this story don't use Chrome.

More reasons why I only ever update my browser when the actual update button appears at the top of the browser. I would never manually download a browser update.

"they think it's a message from an angel" 😭😭

i don't understand why anyone born before 2000 uses google chrome.

If any webpage would do that to me, just reading the page and boom it spits popup in my face, the first thing I do is open the developer tools and ufking kill the element with the popup. Restore the overflow property on the page body, then continue reading.
If the page would struggle more, and somehow make it absolutely impossible to get to the content without registering, the domain goes straight up into the blacklist. I don't need sites that track me, bomb me with messages, and feed me some "personalized enhanced truth", thank you very much.

Another rule of thumb is, you update your browser in the about section in the browser itself and not downloaded on any website or ad .

I have an question i followed an tut how to see if someone hacked your pc by typing netstat in cmd because in last time my laptop is shuting down automaticly and sometimes i cant log in my antivirus programms say nothing (im using kaspersky premium and win defender) but when i type netstat in cmd 1 link ends with 7474 insted https or http PLEASE REPLY HOW TO REMOVE THIS HACKER OR WHATEVER THAT THING IS I WHOULD BE HAPPY

Thanks for keeping us informed my dude!!!

Great video, spreading awareness on such topic is very significant. I would likely fall for it because it seems very convincing

Glad I just happened to uninstall chrome recently due to other issues with the parent company.

ironically enough, chrome never prompts the user to update, it updates whenever and just tells the user that it has updated

Was asked to update Microsoft edge multiple times on my old laptop I only use for like.. games and what not but yea. I never realized anything wrong since I don't really have any sites logged in on there. I think it was a legit update.

Just warned my sister not to fall for these popups, thank you.

How does this malware steal passwords? Is it the memorized passwords on the browser (isn't that encrypted?) or the cookie for the sessions?

I feel like this is why the FBI recommends adblockers.

Ha, this is excellent! Phishing and social engineering will always be with us. Slow down, folks, there's danger everywhere!

A question I am curious about when it comes to the passwords being stolen would it be able to steal passwords that are inside a password manager like 1Password?

Why would any rational person update from a random pop-up, instead of checking their actual browser... to see if there really IS an update pending?
Yeah, I AM paranoid. Paranoia IS you friend.

it should be common knowldge that chrome will never pop up on a full page asking you to update

The scary thing is that it is signed. How can it be signed?

honestly, I wouldn’t fall for this scam because Chrome doesn’t do that for updates. It updates within the browser, no downloading a EXE file, it just updates in the background and you just need to restart Chrome once it’s done updating.

I think I ran into a website that was trying to do this but my AV (ESET) blocked it (doing more research it found some code in a WP theme that someone used). However I never found out if this was the case because my AV simply shut down the connection and blocked the entire site.
For updates, generally I just download the installer again and run it, since it will update the browser in question if it finds an out-of-date version in most cases.

There is similar incident on Facebook few years ago where the Facebook login just suddenly pop up although you are already log in. Many Facebook user have been hacked on that phishing pop up. So read the URL as always. If the URL is from another DNS, be suspicious.

how does one go about hardening their WordPress to avoid this kind of infection?

In those cases, "that all your passwords getting hacked", can a passwort manager, with a master password, somehow prevent this? Or we just talking about, passwords saved inside, for example, chrome?

And this is why adblock is necessary.

and this is why i don't use manual updates, i'v set it to auto and as far as i know only the real update can auto update, all i see is when i first start the webapp is "its has bin updated to the latest version".
i also hover over all links i'm about to click to see where it leads, if it looks just a tad iffy its a no click for me. same goes for mail, never send me a link because i'll NEVER click links inside mails EVEN if it comes from FRIENDS.
yea i'm this paranoid, and even me do get infected from time 2 time, so i'm constantly changing how i use internet.

At the beginning of this video, I was thinking of Guardio. And indeed it can actually block that dam* website.

At 2:31 I panicked because I thought that was my notification lmao.

Thanks for keeping us informed.

Could you send so much data to the person who is collecting the data to overwhelm it?

bruh... I'm chrome user and chrome always let me update from "top right bar"

this happened to me most liekly, all of my passwords got hacked and some were only saved on chrome which i stopped using months ago but never deleted any of my passwords, i used chrome here and there when opera wouldnt let me access a website, probably should of listened to opera

This is an out of the box question. Microsoft Windows 11 always shows me an update for HP Firmware for SSD. Firmware should not be installed over and over again right. Once its installed that's it. I don't know why they keep pushing these updates through windows

Worst malware attack ever. Zero users clicked to update their browser.

Google should flag those fakes instead of blocking more ads……

this is quite creepy, ngl. thankfully i know firefox doesn't do this kind of update. you always gotta go to "help" and "about firefox" to update it and then firefox will send you the files needed. no exe or anything.

So it is clear that you ONLY update from the originating website and NEVER from a popup window!