Google's AI Search Caught Pushing Users to Download Malware

Click Here!

Google's AI-integrated Search feature is leading platform users straight to malware-laden spam sites.

Per BleepingComputer, the issue was first caught by search engine optimization (SEO) expert Lily Ray, who took to X-formerly-Twitter last week to show that Google's AI-powered Search Generative Experience (SGE) — which churns up web content and regurgitates it into paraphrased snippets — had returned numerous spam pages in response to the query "pitbull puppy for sale craigslist."

"OH GOOD," Ray tweeted, along with a screenshot. "SGE WILL EVEN RECOMMEND THE SPAM SITES AS PART OF THE ANSWER."

That SGE isn't yet able to reliably distinguish useful search results from full-on SEO spam, especially considering Google's recent and wide-ranging spam crackdown, is issue enough on its own. Unfortunately for Google, though, this particular SGE error only got worse from there.

When the folks at BleepingComputer visited the AI-recommended spam sites themselves, they were met with a barrage of scammy fake captcha and YouTube pages designed to trick visitors into subscribing to spammy browser notifications that flood their computers with unwanted advertisements — some of which sought personal information from users — and even browser extensions that hijack search queries.

In other words, Google's SGE led BleepingComputer directly to fraudulent malware.

https://twitter.com/lilyraynyc/status/1771217301863289140

Fresh Paint

Google, for its part, told BleepingComputer that it has "taken action under our policies to remove the examples shared, which were showing up for uncommon queries." Additionally, a Google spokesperson told Futurism that this was an instance where the SGE user had to actually click SGE's "generate" button to get these results, meaning that the spammy answers didn't show up automatically.

"We utilize our core anti-spam protections to safeguard SGE from low-quality content for the vast majority of queries," the spokesperson added, further emphasizing that SGE is still primarily an opt-in feature.

To be fair, spam and malware are unfortunate facts of the web, and searchers make the mistake of clicking on sneaky links like this all the time.

But as BleepingComputer points out, the integration of these links into convincingly paraphrased SGE snippets lends an added layer of legitimacy to the harmful content. The spam sites that showed up in Ray and BleepingComputer's searches each had sketchy-looking URLs that your average searcher might have avoided. When rehashed by SGE, though, the malware-packed links got new coats of paint.

Spam is nothing new. But SGE is — and as this incident reveals, we can likely expect many of today's search woes to persist in a new, AI-organized search landscape.

Updated with a statement from Google.
