Malware Analysis Fake ESET NOD32 extension analysis (Google Chrome)

#21
What is really worrying is that Google is a reputable brand and average users might think it is all checked by the safest browser on earth. In the meantime Google distributed questionable software (extensions). I will ask Tavis to do something about it ;) Kees
From ghacks.net: How to avoid fake Chrome extensions or apps - gHacks Tech News
User comments:
'Google Chrome Store is the biggest s..t in existence.
They don't seem to have any rules against spyware, malware, ads or anything. It's a disgrace.'

'Not just Ublock, type in adblock and there is a ton of extensions too.' ...

'Chrome's webstore is a cesspool. I had more than one Chrome extension that I was using mysteriously pulled from the store and permanently disabled on my computer, and when you click on the former link to the store it just says the addon was either pulled by the author or it violated Google's policy, which doesn't help. I sent one of the extensions collectively to the AV companies for analysis and I found out that the reason that addon was pulled was b/c it was phoning home and injecting ads.
It doesn't help that it seems curating addons for browsers is a very low priority for AV companies; that should be the browser makers' job anyway.'

- comments on April 26, 2016 - so nothing has changed for now.
 
#22
From extremetech.com: A Fake Adblock Plus Chrome Extension Racked Up 37,000 Downloads - ExtremeTech

"Adblock Plus is one of the most popular extensions for Chrome with more than 10 million users and 150,000 glowing reviews. However, a spammer was recently able to infiltrate the Chrome web store with a knockoff of Adblock Plus that didn’t trip Google’s security measures. This rogue extension racked up more than 37,000 installations in just a few days.
It should be troubling to Google and users of Chrome in general that this extension made it into the store. There are some obvious red flags here that should be easy to filter. For example, the app’s entire description is a long string of keywords intended to boost its presence in searches. The screenshots also don’t show anything related to the claimed functionality. At the same time, it looks just real enough that the average user could be fooled. It popped up in search results with the right icon and name, and even the developer name was “Adblock Plus.”
The functionality of the fake Adblock Plus appears to be showing more ads. That’s really the opposite of what people want when they install the real Adblock Plus. Reviews of the extension claimed that immediately after installing the fake, scores of tabs with autoplaying video ads began appearing. That’s a rather inelegant way of spamming people–it was apparent to users what caused the problem. The fake reviews stuffed in by the developer couldn’t cover up the scheme for long.
The Twitter account @SwiftOnSecurity tweeted about the phony extension, which got Google’s attention. Within a day, the extension had been removed from the Chrome web store. Google also offered a post-mortem of sorts to explain what happened.

Legitimate developers just have to sit back and watch as Google smears them with fake extensions that steal their good name pic.twitter.com/3Tnv4NtY9t
— SwiftOnSecurity (@SwiftOnSecurity)
October 9, 2017

According to the Chromium team, they removed the fake extension from the store within minutes of confirming it as malware, and Google also remotely killed it on Chrome installations. The developer account was suspended as well. Upon closer examination, Google found several similar extensions that were blocked from the store by automated processes. This one just slipped through the cracks, but the Chromium devs have figured out why that happened and are preparing to implement a fix. The exact nature of that fix is not being revealed because doing so could help malware infiltrate the Chrome Web store in the future.
In the meantime, you should give Chrome extensions more than a cursory glance before installing them. It’s nice to know Google is responding to this incident, though."
 

Opcode
#23
"This one just slipped through the cracks, but the Chromium devs have figured out why that happened and are preparing to implement a fix."
Yet the fake ESET, Avira, Avast, Kaspersky, Bitdefender, Adobe Flash extensions (among many others) referenced in this thread managed to surpass it with ease, a majority (if not all) of them on the same day under multiple profiles.

:unsure::rolleyes:
 

Opcode
#28
@Tsiehshi I hope they clean up their act a bit more too. One of the fake Avast extensions has since been removed by them; however, a majority of the extensions are still present on the Chrome Web Store, which is worrying considering I reported them days ago (and I am sure many others would have helped in doing this also).

A lot of home users trust Google despite its privacy terms and will believe everything on the market in a Google store is safe and genuine. How very false this actually is in reality... as we can see.
 
#30
From this article I posted:
"Upon closer examination, Google found several similar extensions that were blocked from the store by automated processes."

Oh my Red icon with question mark... where are they...
I remember (and I still have 1! haha!) the very good AdBlock extension - "AdBlock with bonus functionality", size 1.9 MB, Version 10.0.6 - which had this very famous preview of result links ("Is it Safe?") with 7 services like Google Advisory, WOT, Norton Safe Web, McAfee, Avast, Trustwave, DrWeb... which was removed recently from my Chrome browsers: "The extension AdBlock was automatically removed" - a little window after the start of the browser... sh... t!
No more on the Store.

Very unfair move by this Google "automatism".
 
Opcode
#34
@Windows_Security I doubt he will sign up; the guy is a Windows Internals expert and probably has a huge amount of work to do, like exploiting win32k.sys hahaha

But it would be cool if he did. Thankfully the developer of MBR Filter joined the other day, hopefully he for one sticks around. :)