Protect.Computer

macOS Users Targeted by Fake Ads Hiding FlutterShell Backdoor


Cybersecurity researchers have uncovered a campaign called Operation FlutterBridge, in which criminals are running fake ads on Google and YouTube to push malicious apps to macOS users. Once installed, the apps secretly run a backdoor called FlutterShell that can execute commands on your computer, browse your files, steal environment variables, and silently redirect your Chrome browser through ad networks the attackers control.

The fake apps — named PodcastsLounge, PDF-Brain, and PDF-Ninja — look like legitimate productivity tools and even pass Apple’s own notarization checks because the attackers registered real Apple Developer accounts. Researchers traced the campaign to shell companies linked to Ukrainian individuals, though the group behind it has been active since at least 2023. Users in the United States, Canada, Australia, France, and Germany are the main targets.

How to check if you’re affected

Any Mac on which you recently downloaded a productivity app via a Google or YouTube ad may be affected. Check your Applications folder for these three app names: PodcastsLounge, PDF-Brain, or PDF-Ninja. If any are present, delete them immediately and run a reputable macOS security scanner such as Malwarebytes for Mac.
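The name check above can be scripted when there are several folders or several Macs to look at. This is an added example, not part of the original article; it assumes the apps sit in the scanned folders under file names resembling the three app names, and `scan_apps` and `normalize` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: look for the three app names reported in the article.
# Assumption: an installed copy appears in the scanned folder under a name
# close to the app name (for example "PDF-Ninja.app" or "pdf ninja.app").

FLUTTERSHELL_APPS="PodcastsLounge PDF-Brain PDF-Ninja"

# Lower-case a name and drop the .app suffix, spaces, hyphens and underscores,
# so spelling variants of the same name compare equal.
normalize() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' \
        | sed -e 's/\.app$//' -e 's/[ _-]//g'
}

# scan_apps DIR...: print the path of every matching entry, one per line.
# Returns 0 if at least one match was found, 1 otherwise.
scan_apps() {
    found=1
    for dir in "$@"; do
        [ -d "$dir" ] || continue          # skip folders that do not exist
        for entry in "$dir"/*; do
            [ -e "$entry" ] || continue    # empty folder: glob did not expand
            name=$(normalize "$(basename "$entry")")
            for app in $FLUTTERSHELL_APPS; do
                if [ "$name" = "$(normalize "$app")" ]; then
                    printf '%s\n' "$entry"
                    found=0
                fi
            done
        done
    done
    return $found
}

# Run as: sh check_apps.sh /Applications "$HOME/Applications"
if [ "$#" -gt 0 ]; then
    scan_apps "$@" || echo "No listed apps found."
fi
```

A match is made on the name only, so treat any hit as a reason to inspect and remove the app, as described above.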

Going forward, avoid downloading software directly from ads — always go to the official developer website instead, or install apps from the Mac App Store where possible.
