Researchers said 1 million user sessions could have been exposed to the campaign, which downloads the Shlayer trojan. Researchers said VeryMal's campaigns have so far been widespread, Mac-focused and stealthy. They have also been incorporating steganography as an obfuscation technique to hide the redirection code. Google has suspended the abused Firebase accounts, but the technique is probably not going away, researchers said. The group is using ad tags that fetch a payload from Google Firebase in order to redirect users to malicious pop-ups.
Source: https://threatpost.com/mac-focused-malvertising-campaign-abuses-google-firebase-dbs/143010/

