Malware Analysis Fake ESET NOD32 extension analysis (Google Chrome)

[Prorootect]

What is really worrying is that Google is a reputable brand and average users might think it is all checked by the safest browser on earth. In the mean time Google distributed questionable software (extensions). I will ask Tavis to do something about it Kees

From ghacks.net: How to avoid fake Chrome extensions or apps - gHacks Tech News
User comments:
'Google Chrome Store is the biggest s..t in existence.
They don't seem to have any rules against spyware, malware, ads or anything. It's a disgrace.'

'Not just Ublock, type in adblock and there is a ton of extensions too.' ...

'Chrome's webstore is a cesspool, I had more than one Chrome extension that I was using mysteriously pulled from the store and permanently disabled on my computer and when you click on the former link to the store it just says the addon was either pulled by the author or it violated Google's policy which doesn't help. I sent one one the extensions collectively to the AV companies for analysis and I find out it that the reason that addon was pulled was b/c it was phoning home and injecting ads.
It doesn't help that it seems curating addons for browsers is a very low priority for AV companies, that should be the browser makers job anyways.'

- comments on April 26, 2016 - so nothing changed for now.

 

[Prorootect]

A Fake Adblock Plus Chrome Extension Racked Up 37,000 Downloads: on extremetech.com: A Fake Adblock Plus Chrome Extension Racked Up 37,000 Downloads - ExtremeTech

Adblock Plus is one of the most popular extensions for Chrome with more than 10 million users and 150,000 glowing reviews. However, a spammer was recently able to infiltrate the Chrome web store with a knockoff of Adblock Plus that didn’t trip Google’s security measures. This rogue extension racked up more than 37,000 installations in just a few days.
It should be troubling to Google and users of Chrome in general that this extension made it into the store. There are some obvious red flags here that should be easy to filter. For example, the app’s entire description is a long string of keywords intended to boost its presence in searches. The screenshots also don’t show anything related to the claimed functionality. At the same time, it looks just real enough that the average user could be fooled. It popped up in search results with the right icon and name, and even the developer name was “Adblock Plus.”
The functionality of the fake Adblock Plus appears to be showing more ads. That’s really the opposite of what people want when they install the real Adblock Plus. Reviews of the extension claimed that immediately after installing the fake, scores of tabs with autoplaying video ads began appearing. That’s a rather inelegant way of spamming people–it was apparent to users what caused the problem. The fake reviews stuffed in by the developer couldn’t cover up the scheme for long.
The Twitter account @SwiftOnSecurity tweeted about the phony extension, which got Google’s attention. Within a day, the extension had been removed from the Chrome web store. Google also offered a post-mortem of sorts to explain what happened.

Legitimate developers just have to sit back and watch as Google smears them with fake extensions that steal their good name pic.twitter.com/3Tnv4NtY9t
— SwiftOnSecurity (@SwiftOnSecurity) October 9, 2017

According to the Chromium team, they removed the fake extension from the store within minutes of confirming it as malware, and Google also remotely killed it on Chrome installations. The developer account was suspended as well. Upon closer examination, Google found several similar extensions that were blocked from the store by automated processes. This one just slipped through the cracks, but the Chromium devs have figured out why that happened and are preparing to implement a fix. The exact nature of that fix is not being revealed because doing so could help malware infiltrate the Chrome Web store in the future.
In the meantime, you should give Chrome extensions more than a cursory glance before installing them. It’s nice to know Google is responding to this incident, though."

 

[Deleted member 65228]

This one just slipped through the cracks, but the Chromium devs have figured out why that happened and are preparing to implement a fix.

Yet the fake ESET, Avira, Avast, Kaspersky, Bitdefender, Adobe Flash extensions (among many others) referenced in this thread managed to surpass it at ease, a majority (if not then all) of them on the same day under multiple profiles.

 

[lowdetection]

Good work Opcode

 

[giulia]

hi Opcode
amazing job ,really ,amazing job!
about bitdefender i found only trafficlight but it's legit
thank you!

 

[Prorootect]

EDIT (for my precedent Post #14):
Today's November 22, 2017 total counting of all digits: 28 fake apps... offered by those nicks in Post #14.
I have put the numbers of fake apps corresponding to the nicks in the post above directly.

 

[Tsiehshi]

Great investigation, Opcode. I hope more of them will be exposed, forcing Google to clean up their act at least a bit.

 

[Deleted member 65228]

@Tsiehshi I hope they clean up their act a bit more too. One of the fake Avast extensions has since been removed by them however a majority of the extension's are still present on the Chrome Web Store, which is worrying considering I reported them days ago (and I am sure many others would have helped in doing this also).

A lot of Home users trust Google despite privacy terms and will believe everything on the market on a Google store is safe and genuine. How very false this actually is in reality... As we can see.

 

[Danielx64]

Hmmm, now that we are looking at Chrome, it would be interesting to see if Firefox has the same issue. When I can buy some time I will do some hunting for Firefox and see if I can find anything.

 

[Prorootect]

From this article I posted:
"Upon closer examination, Google found several similar extensions that were blocked from the store by automated processes."

Oh my Red icon with question mark... where are they...
I remember (and I still have 1! haha!) the very good AdBlock extension - "AdBlock with bonus functionality", size 1.9 MB, Version 10.0.6 - which one had this very famous preview of results links ("Is it Safe?"). with 7 services like Google Advisory, WOT, Norton Safe Web, McAfee, Avast, Trustwave, DrWeb... which was removed recently from my Chrome browsers: "The extension AdBlock was automatically removed" - little window after start of browser... sh... t!
No more on Store.

Very unfair move, from this Google "automatism".

 

[JB007]

Thanks+++ @Opcode
Great report and analysis
Very useful

 

[ICTSERVICES]

Google has Project Zero, a great security team to discover zero-day threats, it is considered by experts one of the best around, nevertheless they are not immune to security issues, even on the Play store they have many problems:

Android malware with up to 17.4m downloads found lurking in 144 apps on Google Play

 

[Windows_Security]

For fun I contacted Tavis Ormandi true twitter , attended him to this ever continuning problem of malware in Google Aps Store and invited him to this thread, but no response

 

[Deleted member 65228]

@Windows_Security I doubt he will sign up, the guy is a Windows Internals expert and probably has a huge amount of work to do like exploiting win32k.sys hahaha

But it would be cool if he did. Thankfully the developer of MBR Filter joined the other day, hopefully he for one sticks around.