Back in the early 2000s I helped create policy and procedures at Google to stop this kind of thing. Google's early anti-malware policies, extended to ads, and internal procedures to make sure we effectively stopped malware ads. That was a long time ago though and it's sad and frustrating to read it's not working so well now.

In particular the article points out several big red flags about how malware scanners are automatically finding the site and download are suspicious. It's a shame Google Ads isn't using that information.

(As for DownloadStudio, they have a Wikipedia page that looks 100% innocuous. Searching for "DownloadStudio" has Google search offering an inline answer to "Is DownloadStudio safe" with a reference to the website for DownloadStudio saying "yes it's safe". In this case the inline result is actively harmful. https://i.imgur.com/37GzDKe.png)

The malvertisement thing has become real bad. The other day I had a problem so I used chrome, where I unfortunately hadn't installed an add blocker yet. I searched for my bank (I know, I should have put the URL in directly, but I was being lazy since it was a new chrome install and I didn't have the url in my history yet). I hit the first link, logged in (my password manager would have saved me here, but again it wasn't installed), and realized that it was a fake website.

Fortunately I changed my password again before it was an issue- and then my bank locked my account when they saw the suspicious activity. So nothing bad really happened to me other than some inconvenience. However I'm still amazed that Google would let their search results get poisoned with these ads for phishing sites.

Took me a while to understand what "using Google to download software" means. Was there a hidden functionality I wasn't aware of? Turns out, what they mean is "don't use Google to search for software you wish to download".

I once saw a google search ad result for a malware version of GNU Cash. It was extremely easy to miss. The website was identical except the Windows download was replaced with malware instead of linking to Sourceforge. The malware installer was signed with a key from a random Taiwanese electronics company (likely stolen). I emailed DigiCert and got the cert revoked. None of the scanners on VirusTotal flagged the installer. A GNU Cash malware wouldn't need to do any typical malware behavior (crypto mining, ransomware) because they could just send off your bank account credentials. Within half an hour of uploading to VirusTotal the website was replaced with a placeholder blog.

Google was once considered trustworthy. It never was, but we thought it trustworthy. Where can you find a trustworthy source for software? Depends on your platform. Linux: Your package manager. In my case, apt. Mac: Apple has an app store of its own. Use that, or one of the BSD package management systems ported over. Ios: Apple app store is decently curated. Android: Google's app store is terribly curated. Give up now. Windows: Nobody uses whatever app store or package management system that microsoft developed. A third party developed a useful package management system. It is called Steam. Other platforms: see replies below.

Honestly - just stop using Google search (and while I remain flabberghasted I'm saying this - Edge is a better chromium browser than Chrome.). Or better yet, any Google product. The company is diving off a cliff.

For reference... A private Jellyfin server I use for hosting videos of my kid for his grandparents, and some music I legally own is consistently flagged as phishing (along with basically anyone else hosting them publicly based on this thread: https://github.com/jellyfin/jellyfin-web/issues/4076)

Google has "automated" itself into the garbage.

Well, fortunately, I never click the "Ad" sponsored links and most of the time I don't see them anyways (uBlock). That doesn't help the other 90% of users online though.

All the more reason to use an adblocker. Online ads are the most common way that malware gets injected into otherwise trustworthy websites.

This article is too kind. We're supposed to believe that all the brilliant minds at Google can't keep ahead of scammers? Sorry, but I don't believe that.

On the other hand, I do give Google credit for knowing when they can make more money by allowing a problem to exist than by fixing it.

Google got everyone hooked by being decent, by giving good search results, by giving people decent and free-ish email accounts, et cetera. Now it's all going to shit, because they've got everyone hooked so their free(ish) offerings don't need to be good any more.

My guess is that search sucks because they can extract more money from advertisers who want to buy their way out from under scammers.

Email sucks because they want people to have to pay to get any answers when things are problematic, and we no that no normal human being can correspond with any human that works for Google without giving them money. A majority of the phishing spam I receive now come directly from Google's shitty mail services.

Perhaps Google wants software providers to "buy" their way in to a higher position than scammers. Or perhaps Google wants software environments to seem to suck to make the Android marketplace better by comparison. I can't imagine any other reasons why Google would play dumb and allow this kind of gaming of their search results.

> It is difficult to get a man to understand something when his salary depends on his not understanding it.

- Upton Sinclair

Google doesn't exactly care about this because they still get paid for the click. The malware companies are willing to bid extremely high for that single click (since they end up pwning your computer).

Was looking at a fake Audacity site just the other day. I couldn't believe it was the number one search result when I was researching progress on the project's UI redesign.

- Install Firefox. To hell with Chrome as it's just a tracking device wrapped in a web browser.

- Install a proper ad blocker. To hell with advertisments in search engines.

- Swap Google for DuckDuckGo.

Contrarian viewpoint:

When in the history of the web could you blindly download something from a page found by a search engine and install it?

When has any search index ever conferred that level of trust to a result?

I don't remember any year when you couldn't use a major search engine to find many an asshole site promising that the sought-after content is available if you first download and run their malware .exe file.

"I found this page via Google, therefore its downloads are trustworthy" isn't a thing, hasn't ever, and likely isn't going to be any time soon (and implementing it would have downsides).

One solution is ad transparency and have company verifies details in all advertisiments. Facebook already does this for political ads AFAIK.

I think we're moving back towards a 90s version of the web again. No search, just a list of hand curated sites of people who's opinions we trust. The only thing is now these will be likes specs of gold drowning in a sea of shit.

It seems as though using an adblocker has become more important in terms of security posture than having an antivirus running, or keeping your system up to date.

Google owns VirusTotal... so why doesn't search get fed info from VirusTotal?

Who search for installers on web should know about winget, scoop or chocolatey.

https://winget.run/

https://scoop.sh/

https://chocolatey.org/

For those who don't like command line, there is WingetUI: https://github.com/marticliment/WingetUI

We should abandon old, inefficient and now dangerous habits.

Every time I read these articles I am so happy that the sponsored links are blocked by Pi-hole. Makes my family furious because it also disables all the shopping links as well, but well worth it imo.

Just to jump on the anti-google bandwagon, google news search has fell off a cliff over the past decade. Can anyone recommend a news search that allows me to filter by year or year range?

Think twice before using Google.

I feel lost reading articles like this. Then I realize people still use Google search. I switched six years ago to Duck.com and I’m never looking back.

I block all advertising links via DNS at my router. The first full page of Google links that are all ads are just broken links for me.

I wonder how the morale is on the Google search team these days.

Maybe they can make a paid search that eliminates all affiliate sites in the results.

Everyone should be using a package manager / store to get software, or from the official site.

If they're not available, then get the vendor to publish them there. Winget / Choco / Scoop or even Windows Store. Same with whatever people use on Linux distros.

We're going to end up in a weird situation where we just download all this stuff through storefronts like Steam instead of open websites on Google, if they keep this up.

Doesn't help that Windows' own app store is a huge mess on Windows 10 - and presumably 11.

Google's advertising has actually helped other search engines be safer and more useful. Google search acts as a magnet for all the crap you don't want when searching.

Brave search, DDG, Searx, etc are all cleaner and therefore more useful.

I can’t replicate this. Maybe it’s because I’m logged into Google when I search?

Do the fake click methods still work for driving up click cost of advertising? Maybe... we...ahem should launch a fake click campaign on these malware advertisers to attack their ad spend budget?

Isn’t this the norm for search engines? Guess you privileged westerners don’t know about Google’s alternative *in china* Baidu. Regular users just try to avoid every download link directly from it.

Confused why google isn't all over this double stat?

If their advert area develops a reputation for being bad & untrustworthy then their business model breaks on a pretty fundamental level.

Malware has been accompanied by lots more porn in Google search results in the past quarter.

I switched to Duck Duck Go some time ago, but I hadn't required it for extended family. Now I do.

not so surprising when read about what a dump google ads has become: https://www.propublica.org/article/google-display-ads-piracy...

Well, this is one way Google the $1.4T publicly-traded company can raise their ad revenue.

There must be a browser addon that removes the ads from Google search results.

pihole

The actual lesson here appears to be don't use Microsoft Windows.

Why isn't Google fined for distributing malware?

Google's search product has become a shadow of its former self. Every year it seems harder to find what I'm looking for. The top half of the first search result page is now (potentially malicious) ads, and what follows is likely SEO spam. I need to add "reddit" or "stackoverflow" to half my searches these days so I'm not served nearly useless results. It's a sad decline from 10+ years ago when I'd type a half-formed thought into the search box and I'd get the answer.

It boggles my mind that neither macOS nor Windows has an official, comprehensive package manager. Sometimes the only way to get software is to download binaries from a Google search like it's 2003.

On macOS, 90% of what you'd ever need is on Homebrew—this is more or less a solved problem—but it's still unofficial and Apple promotes their pointless App Store instead.

In Windows land, the unofficial package managers are nowhere near comprehensive (understandable, I guess), but you'd think with Microsoft's approach toward WSL and GitHub, they would have an officially supported HomeBrew-like alternative.