Scam emails are spreading a fake update for the Google Chrome browser. This app is called “Google Chrome Update”. It impersonates Google Chrome and pretends to install a security update. In the background, it tries to log the user and computer names and send this info to a certain website.
This version of the fake “Google Chrome Update” app is not dangerous, but a different version of this app could cause real harm.
About the “Google Chrome Update” scam:
| Type of threat | Trojan |
| How the scam spreads | Malicious emails impersonate Google and link to a website; the website downloads a suspicious file. |
| How to avoid browser update scams | Don’t trust online alerts and email messages to update your browser; use anti-malware apps like Malwarebytes to protect your computer. |
| How to deal with the “Google Chrome Update” scam | Delete fake update files; make sure your computer is protected with an antivirus program. |
How the “Google Chrome Update” scam works
Cybersecurity company Cofense wrote about a scheme in which attackers spread a fake Google Chrome patch via malicious emails. Attackers send malicious emails that impersonate Google Chrome and direct people to download a fake Chrome update app.
In reality, the app collects a bit of information about the user and sends it to a website.
Scam emails impersonate Google
The scam begins with an email titled “Google Chrome Update”. This email urges the recipient to “update” their Chrome browser, or else it’ll supposedly stop working right.
In response to a recently reported security vulnerability, CVE-2021-30554, Google Chrome browser has been upgraded. It is recommended that you apply the update immediately.
If you fail to do so within 48 hours, the Google Chrome version you are using may cease to function correctly.
We apologise for any inconvenience.
The email includes a link called “Update”.
Malicious site downloads a fake update
Clicking the “Update” link opens a web page. This page automatically downloads a file called “update.hta”.
A few antivirus scanners flag the web page, according to Virustotal.com. The little fake updater itself, though, is flagged by only two scanners at the time of writing, again according to Virustotal.com. The good news is that the fake updater is not that dangerous. But this could change in the future.
The fake update logs user info
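The file “update.hta” is a standalone program. HTA (HTML Application) is a Windows program format, kind of like EXE, just a different format: it is made of HTML and script, which is why its code can be read in a text editor.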
Running “update.hta” opens a little window with a “Run Update” button. Clicking this button shows a little progress animation and then a message “Update successfully applied”. All this is just for show.
According to Cofense and the code that makes up “update.hta” (you can see it by opening the app in a text editor), all that the fake updater does is collect the user’s username and computer name and try to send this info to a certain website.
That’s not too bad, but it could have been worse.
I’ve been referring to the fake update as a scam, but it could also be considered a trojan. Trojans are malicious programs that are disguised as legitimate software. That’s exactly what the “Google Chrome Update” scheme does – impersonate a trusted company, Google, and encourage the victim to run an unknown program.
For now, there’s not much to be done besides deleting “update.hta”.
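The text-editor check described above can be automated. This is an added example, not code from the original article or from Cofense: it scans a file's text for script capabilities and also covers the more harmful case of a file that launches other programs. The indicator list, the function names and the sample fragment are assumptions constructed for illustration.

```python
import re

# Capability indicators commonly seen in HTA script (an assumed, non-exhaustive
# list; the page does not say which calls the real update.hta used).
INDICATORS = {
    "reads_identity": [r"WScript\.Network", r"\.UserName\b", r"\.ComputerName\b",
                       r"%(USERNAME|COMPUTERNAME)%"],
    "network_egress": [r"XMLHTTP", r"WinHttpRequest", r"https?://[^\s\"'<>]+"],
    "runs_commands": [r"WScript\.Shell", r"Shell\.Application", r"\bpowershell\b",
                      r"\bcmd(\.exe)?\s*/c\b"],
}

def looks_like_hta(text):
    """HTAs are HTML: the <hta:application> tag or inline script shows even if renamed."""
    return bool(re.search(r"<hta:application|<script\b", text, re.I))

def triage(text):
    """Return {capability: [matched snippets]} for a file's text content."""
    hits = {}
    for cap, patterns in INDICATORS.items():
        found = [m.group(0) for p in patterns for m in re.finditer(p, text, re.I)]
        if found:
            hits[cap] = sorted(set(found), key=str.lower)
    return hits

def verdict(text):
    """Rank a file: launching programs is worse than collecting and sending info."""
    if not looks_like_hta(text):
        return "not-hta"
    caps = triage(text)
    if "runs_commands" in caps:
        return "high: can launch other programs"
    if {"reads_identity", "network_egress"} <= set(caps):
        return "medium: collects user info and can send it out"
    return "low: review manually" if caps else "low: no known indicators"

# Constructed, deliberately incomplete fragment (not the real update.hta).
SAMPLE = '''<html><head><hta:application id="u" /><title>Google Chrome Update</title>
<script language="VBScript">
Set n = CreateObject("WScript.Network")
who = n.UserName & "/" & n.ComputerName
Set r = CreateObject("MSXML2.XMLHTTP")
' ... request to http://collector.invalid/ elided ...
</script></head><body><button>Run Update</button></body></html>'''

if __name__ == "__main__":
    print(verdict(SAMPLE))
    for cap, found in triage(SAMPLE).items():
        print(f"  {cap}: {found}")
```

A "low" result only means none of these indicators matched; it does not make an unexpected file safe to run.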
How to avoid fake updates
The important thing to know is that Google Chrome updates automatically (and so do other web browsers). You don’t need to do anything. Maybe relaunch the browser every few days if you keep it running all the time.
There are many fake browser updates out there. “Important Chrome update available” pop-ups install malicious browser add-ons or download files. “Click Allow to update your browser” alerts hijack notifications to display unwanted ads.
A year ago, Proofpoint described a similar scam. There, links to malicious sites were emailed to victims. The malicious sites would recognize what browser the victim was using and impersonate that browser’s developer.
Any time you see a message online or in your email to update your browser, it’s likely fake. Especially if it wants you to download a file or install a browser extension. If you’re working, forward the suspicious message to your IT staff.
To protect yourself, you can use an anti-malware app such as Malwarebytes (it’s a security app that is especially sensitive to mild threats and can be used together with an antivirus tool). It also helps to use an email client with a good spam filter and install a reputable ad blocker.