While the malware was discovered on Google Drive, any cloud-share service such as iCloud, Dropbox, etc. could be vulnerable.
Proofpoint uncovered the vulnerability in Google Drive, a portal for many useful G-centric apps. Unfortunately, the normal document-sharing capabilities built into Google Apps can be manipulated to support automatic malware downloads.
It works like this: After uploading malicious files or malware executables on Google Drive, bad actors could create a public link and share an arbitrary Google Doc as a lure to convince recipients to execute the malware once it has been downloaded. Proofpoint researchers also confirmed that it was possible to trigger exploits without user interaction.
These attacks come from legitimate sources and the links themselves contain no malware, making them very difficult to detect. Malicious use of built-in scripting capabilities in Software-as-a-service (SaaS) platforms flies under the radar of most users and defensive tools.
Google added specific restrictions on simple triggers to block phishing and malware distribution attempts that are executed on opening a doc. Researchers pointed out that the situation shows that extensible SaaS platforms can be used to deliver malware to unsuspecting victims in even more powerful ways than Microsoft Office macros. As a result, users should always be wary of files automatically downloaded by cloud platforms and scan ANY file with antivirus.
“Software-as-a-service (SaaS) applications have become mainstays of modern business and consumer computing,” the firm said in a blog. “They are also quickly becoming the latest frontier of innovation for threat actors looking for new opportunities to distribute malware, steal credentials and more.”