To start, having your Google Ads account hijacked can be devastating, and it is just that much worse on the agency level. Your budgets can be spent, your bank accounts can be depleted, and your account history and reputation can be ruined. All of this can also lead to losing advertising clients and maybe worse. We covered some of this in our November story.
"This operation took advantage of trust signals, including views, likes, and comments, to make malicious content seem safe," Eli Smadja, security research group manager at Check Point, said. "What looks like a helpful tutorial can actually be a polished cyber trap. The scale, modularity, and sophistication of this network make it a blueprint for how threat actors now weaponize engagement tools to spread malware."
Independent security researcher Swarang Wade found the vulnerability, which allows anyone to reset the password of any user of the stalkerware app TheTruthSpy and its many companion Android spyware apps, leading to the hijacking of any account on the platform. Given the nature of TheTruthSpy, it's likely that many of its customers are operating it without the consent of their targets, who are unaware that their phone data is being siphoned off to somebody else.