The lure: a popup that looks like Chrome
The fake Chrome update scam arrives in one of two forms. The first is a browser-fullscreen popup that uses the JavaScript Fullscreen API to hide your address bar, tab strip, and close button. It uses the exact Google blue (#1A73E8), the rounded Chrome logo, the Google Sans font, and the same panel layout as chrome://settings/help. The second is an in-page overlay floating above the page with a centered modal that mimics the real Chrome update card.
Both say roughly the same thing: "Your Chrome browser (version 119.0.x) is outdated. A critical security update is available. Update now." Click and a file downloads. The pattern is consistent: ChromeUpdate.exe, GoogleChromeSetup.exe, Chrome-Update-119.msi, on Mac ChromeInstaller.dmg, on Android an .apk. That download is the malware. The "version 119.0.x" the popup shows is not your real version - it is a number the script generated on the fly.
The 5 variants in active rotation in 2026
1. SocGholish / FakeUpdates (the most prevalent)
SocGholish is a malware delivery framework Mandiant has tracked since 2018. It compromises legitimate WordPress and Drupal sites through outdated plugins, then injects JavaScript that profiles the visitor's browser and displays a matching fake update overlay. Visit a compromised recipe blog in Chrome and you see a Chrome popup; in Firefox, a Firefox popup. Mandiant M-Trends 2024 flags SocGholish as one of the top initial-access vectors observed in incident response. Cisco Talos has documented it dropping NetSupport RAT, AsyncRAT, and Cobalt Strike beacons.
2. Fake "update WebView2" / "update Edge" / "update Safari"
Same scam, different brand. The Safari variant on Mac usually offers a .dmg file containing an Adload or Atomic Stealer payload, flagged in public Apple XProtect updates throughout 2024 and 2025.
3. Video codec required
Common on illegal streaming, sports piracy, and adult sites. The page says "Your browser cannot play this video. Install the missing codec." The download is named VideoCodec.exe but the payload is identical: usually LummaC2 or Redline.
4. Fake Chrome update on Android (.apk sideload)
The page shows "Update Chrome now" and downloads an .apk. Because sideloaded APKs require "Install from unknown sources," the page includes a guide to flip the toggle. The APK is typically a banking trojan: TrickMo, BRATA, Anatsa, or FluBot, all reported on by Google's Threat Analysis Group.
5. Malvertising redirects
Delivered through programmatic ad networks rather than compromised sites. A legitimate site serves an ad slot, a malicious advertiser buys it, and the visitor is redirected. Google, Microsoft, and Yahoo ad networks have all been hit in 2025 and 2026 per public ad-network transparency reports.
Why the scam works on careful users
People who know not to click "your computer has 5 viruses" popups still click "your Chrome is outdated." Three reasons.
Chrome itself does prompt users to update sometimes. When a real update has been downloaded in the background, the three-dot menu icon turns green, orange, or red. Users are trained to expect update prompts, so "Update now" lands on a believable expectation.
The visual design is precise. The scam pages use the exact Google blue, the Google Sans font, the official Chrome logo SVG, and the layout of chrome://settings/help. A user glancing at the popup sees Chrome.
The user runs the malware themselves. The download is just a file. No exploit, no zero-day. The Microsoft Digital Defense Report 2024 identifies user-executed payloads as the highest-growth initial-access technique, precisely because no software vulnerability has to exist for the attack to succeed.
What the malware actually does
The payload is almost always a loader that installs follow-on malware in one of three categories.
Info-stealers. The two dominant families in 2026 are LummaC2 and Redline Stealer, sold as malware-as-a-service. CISA has issued joint advisories on the info-stealer ecosystem, and the FBI's IC3 flags post-stealer credential-stuffing as one of the fastest-growing reported fraud categories. Within 30 to 60 seconds, the stealer collects saved browser passwords from Chrome, Firefox, Edge, and Brave; cookies and session tokens (which bypass two-factor authentication); cryptocurrency wallet files; browser extension data for MetaMask, Phantom, Trust Wallet, Coinbase Wallet, and Rabby; Discord and Telegram session tokens; and clipboard contents. That bundle uploads to the attacker's C2 within minutes.
Remote-access trojans. SocGholish favours NetSupport RAT, documented by Cisco Talos across hundreds of incidents. A RAT gives the attacker live keyboard, screen, and file-system access, opening the door to account takeover and lateral movement on corporate networks.
Ransomware loaders. Mandiant M-Trends 2024 and the Verizon Data Breach Investigations Report 2024 both link SocGholish initial access to follow-on ransomware by affiliates of LockBit, BlackCat, and other major groups. Fake Chrome updates on corporate laptops have been documented entry points for multi-million-dollar ransomware events.
The 7 red flags (any one is enough)
- Chrome never updates from a website. The only legitimate Chrome update channel is the built-in updater that runs in the background. You see it at chrome://settings/help or in the three-dot menu when a green/orange/red badge appears. A webpage cannot update your browser.
- The popup is fullscreen or blocks closing. Real Chrome updates do not request fullscreen, do not disable your back button, and do not hide your tab strip.
- The page says you are "outdated" but Chrome auto-updates silently. Chrome's default behaviour is to download updates in the background and apply them on next restart. Most users on default settings are already current.
- It asks you to download an .exe, .msi, .dmg, or .apk. The legitimate update channel never asks for an installer file download. The background updater unpacks it from inside the Chrome application directory.
- The domain is unrelated to Google. Real Chrome update infrastructure lives on google.com, chrome.com, or googleapis.com subdomains. Any other domain serving an "update Chrome" popup is running a foreign script.
- Brand mismatch between URL bar and popup. Even when the popup screams "Chrome," the URL bar shows the host site. Looking at the URL bar breaks the illusion.
- Audio alarm or repeated alerts. Real Chrome update notifications are silent. Beeping audio paired with an urgent update message is a tell.
Safe verification: the only legitimate update channel
Type chrome://settings/help into your address bar and press Enter. The "About Chrome" page either says "Chrome is up to date" with your current version, or it downloads the latest update in front of you. No website, no download button, no file in Downloads. You watch the version tick up, click "Relaunch," and Chrome restarts on the new version. That is the entire procedure. Firefox updates at about:preferences#general. Edge at edge://settings/help. Safari ships with macOS system updates. Any UI that tries to update one of these from a webpage is hostile.
Recovery if you already downloaded the file
If the file is in Downloads but you did not run it. The malware has not executed. Delete the file, empty the trash, and optionally run a Defender or Malwarebytes scan on Downloads. No further action needed.
If you ran the file. Assume info-stealer execution and move fast. The first 60 minutes are the highest-value window for the attacker.
- Disconnect from the internet immediately. Unplug Ethernet or turn off Wi-Fi. This breaks the connection to the C2 server before the stealer uploads its data, and prevents any RAT from establishing a reverse shell.
- Boot into Safe Mode (Windows) or restart holding Shift (Mac). Safe mode disables most third-party startup processes, including malware registered for autostart.
- Run a full scan with Malwarebytes and Windows Defender. Both detect SocGholish, NetSupport RAT, LummaC2, and Redline. Quarantine everything flagged. CISA publishes free IR tooling at cisa.gov.
- Change every saved password from a clean device. Start with email (it resets every other account), then banking, crypto exchanges, social. Assume every browser-saved password is stolen.
- Revoke all active sessions. Sign out all devices from Google, Microsoft, Apple, Discord, Telegram, social, and banking. Cookie-theft bypasses 2FA, so password rotation alone is not enough.
- Check crypto wallet activity. For MetaMask, Phantom, Trust Wallet, Coinbase Wallet, or Rabby, check a block explorer for unexpected outgoing transactions. If drained, see our wallet drained guide. Rotate seed phrases - a stolen vault means the wallet is permanently compromised.
- File a report at ic3.gov if money was lost. The FBI's IC3 logs it for future enforcement and creates a paper trail some banks and insurers require for fraud claims.
- Consider a clean OS install. If the loader dropped a RAT, full persistence may exist. Wiping and reinstalling is the only certain remediation.
How browser-layer defence catches this earlier
Antivirus catches the malware after the download. Browser-layer defence catches the page before the download starts. SafeBrowz scans every URL before render against a database of 550+ brands. A page loading the Chrome logo on a non-Google domain triggers an instant brand-impersonation flag, and SocGholish injection patterns (fingerprint-then-overlay) get caught by the content scanner. The free tier blocks fake Chrome, Edge, Firefox, and Safari update pages, fake codec downloads, and known SocGholish patterns. Install SafeBrowz for a second line of defence that fires before your eyes have to.
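The red-flag list above and the brand-on-a-foreign-domain rule this section describes, written out as a JavaScript scoring heuristic. This is an added example, not SafeBrowz's code or any project's; `isTrustedHost`, `assessPage`, the regular expressions and the sample pages are all assumed and constructed.

```javascript
// Added example (not SafeBrowz's code or any project's): a pure scoring function
// that applies the red flags above to what a content script observed on a page.
// Every sample page below is constructed, not captured from a real site.

// Hosts the article names as Chrome's legitimate download/update origins.
const TRUSTED_SUFFIXES = ["google.com", "chrome.com", "googleapis.com"];
// Installer file types the scam offers, per the article.
const INSTALLER_RE = /\.(exe|msi|dmg|apk)([?#]|$)/i;
// Lure phrasing: "<browser> ... outdated / update now", "Update Chrome now", or the codec text.
const LURE_RE = new RegExp(
  "\\b(chrome|edge|firefox|safari)\\b[^\\n]{0,80}?\\b(outdated|out of date|" +
  "update now|critical security update)|\\bupdate (chrome|edge|firefox|safari) now\\b|" +
  "install the missing codec", "i");

// Exact match or a true subdomain only: "evil-google.com" and
// "google.com.evil.example" must both fail.
function isTrustedHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return TRUSTED_SUFFIXES.some((s) => h === s || h.endsWith("." + s));
}

// obs = { hostname, text, downloadUrls, usedFullscreen, hasChromeLogo, hasAudio }
function assessPage(obs) {
  const flags = [];
  const lure = LURE_RE.test(obs.text);
  const foreign = !isTrustedHost(obs.hostname);
  const installers = obs.downloadUrls.filter((u) => INSTALLER_RE.test(u));
  if (lure && foreign) flags.push("update-lure-on-foreign-domain");
  // A Chrome logo alone appears on harmless "works best in Chrome" badges, so it
  // only counts when paired with lure text or an installer link.
  if (obs.hasChromeLogo && foreign && (lure || installers.length)) flags.push("brand-impersonation");
  if (obs.usedFullscreen && lure) flags.push("fullscreen-update-popup");
  if (lure && installers.length) flags.push("installer-download-offered");
  if (obs.hasAudio && lure) flags.push("audio-alarm");
  return { block: flags.length > 0, flags, installers };
}

// Constructed sample: a compromised blog showing the overlay described above.
const FAKE_PAGE = {
  hostname: "recipes.example", usedFullscreen: true, hasChromeLogo: true, hasAudio: false,
  text: "Your Chrome browser (version 119.0.x) is outdated. A critical security update is available. Update now.",
  downloadUrls: ["https://cdn.example/ChromeUpdate.exe"],
};
// Constructed sample: Google's own first-install page carries no update lure.
const REAL_PAGE = {
  hostname: "www.google.com", usedFullscreen: false, hasChromeLogo: true, hasAudio: false,
  text: "Download Chrome. Get the fast, secure browser.", downloadUrls: ["https://www.google.com/chrome/"],
};
console.log(assessPage(FAKE_PAGE).flags, assessPage(REAL_PAGE).block); // 4 flags; false
```

The suffix check matters: a naive `includes("google.com")` would pass lookalike hosts, and the logo check is deliberately paired with lure text so that ordinary "works best in Chrome" badges on legitimate sites do not trip it.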
Frequently asked questions
Does Chrome ever ask me to update via a website?
No. Chrome's only legitimate update channel is the built-in updater at chrome://settings/help. The updater downloads patches in the background and prompts you to restart inside the browser UI, not on any webpage. If a website is telling you to update Chrome, that website is the threat.
The popup looked exactly like Chrome. How is that possible?
The popup is HTML, CSS, and JavaScript rendered inside your browser, which means anyone can reproduce the visual style of any Chrome UI element pixel-for-pixel. Visual similarity is not evidence of legitimacy. The address bar and the update channel (settings, not website) are the real tells.
I downloaded ChromeUpdate.exe but did not run it. Am I safe?
Almost certainly yes. A downloaded file does nothing until executed. Delete it from Downloads, empty the trash, and optionally run a Defender or Malwarebytes scan. No password changes needed if the file never ran.
I ran the file and SmartScreen warned me. I clicked through anyway.
Treat the machine as compromised. SmartScreen and Mac Gatekeeper are the last automatic line of defence; clicking through them with an info-stealer is the worst case. Follow the full recovery procedure above in the next hour.
How did SocGholish end up on a legitimate site I trust?
SocGholish operators compromise WordPress, Drupal, and Joomla sites at scale by exploiting outdated plugins or stolen admin credentials. The site owner is also a victim. Mandiant M-Trends 2024 and Cisco Talos both document SocGholish injections on legitimate news sites, recipe blogs, and small-business pages.
My phone got the same popup. Is mobile Chrome ever updated via APK?
No. Chrome on Android is updated exclusively through the Google Play Store. Any Android page offering a Chrome APK download is a banking trojan. Do not enable "Install from unknown sources." If you already installed the APK, uninstall immediately, run Google Play Protect, and assume any banking or wallet app on the device may have been keylogged.
Bottom line: Chrome does not update from any webpage, full stop. The only legitimate channel is chrome://settings/help, and the only legitimate installer lives at google.com/chrome for first-time installs. Verify the version inside Chrome, delete any "ChromeUpdate" file in Downloads, and if you already ran it, disconnect and start recovery now.