Fake ESET NOD32 extension analysis (Google Chrome)

Discussion in 'Malware Analysis' started by Opcode, Nov 20, 2017.

  1. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    0wN3D by my cat!
    From How to avoid fake Chrome extensions or apps - gHacks Tech News
    User comments:
    'Google Chrome Store is the biggest s..t in existence.
    They don't seem to have any rules against spyware, malware, ads or anything. It's a disgrace.'

    'Not just Ublock, type in adblock and there is a ton of extensions too.' ...

    'Chrome's webstore is a cesspool. I had more than one Chrome extension that I was using mysteriously pulled from the store and permanently disabled on my computer, and when you click on the former link to the store it just says the addon was either pulled by the author or it violated Google's policy, which doesn't help. I sent one of the extensions collectively to the AV companies for analysis and I found out that the reason that addon was pulled was b/c it was phoning home and injecting ads.
    It doesn't help that it seems curating addons for browsers is a very low priority for AV companies, that should be the browser makers job anyways.'

    - comments on April 26, 2016 - so nothing changed for now.
    AtlBo, JB007, XhenEd and 6 others like this.
  2. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    0wN3D by my cat!
    From A Fake Adblock Plus Chrome Extension Racked Up 37,000 Downloads - ExtremeTech:

    Adblock Plus is one of the most popular extensions for Chrome with more than 10 million users and 150,000 glowing reviews. However, a spammer was recently able to infiltrate the Chrome web store with a knockoff of Adblock Plus that didn’t trip Google’s security measures. This rogue extension racked up more than 37,000 installations in just a few days.
    It should be troubling to Google and users of Chrome in general that this extension made it into the store. There are some obvious red flags here that should be easy to filter. For example, the app’s entire description is a long string of keywords intended to boost its presence in searches. The screenshots also don’t show anything related to the claimed functionality. At the same time, it looks just real enough that the average user could be fooled. It popped up in search results with the right icon and name, and even the developer name was “Adblock Plus.”
    The functionality of the fake Adblock Plus appears to be showing more ads. That’s really the opposite of what people want when they install the real Adblock Plus. Reviews of the extension claimed that immediately after installing the fake, scores of tabs with autoplaying video ads began appearing. That’s a rather inelegant way of spamming people–it was apparent to users what caused the problem. The fake reviews stuffed in by the developer couldn’t cover up the scheme for long.
    The Twitter account @SwiftOnSecurity tweeted about the phony extension, which got Google’s attention. Within a day, the extension had been removed from the Chrome web store. Google also offered a post-mortem of sorts to explain what happened.

    Legitimate developers just have to sit back and watch as Google smears them with fake extensions that steal their good name
    — SwiftOnSecurity (@SwiftOnSecurity)
    October 9, 2017

    According to the Chromium team, they removed the fake extension from the store within minutes of confirming it as malware, and Google also remotely killed it on Chrome installations. The developer account was suspended as well. Upon closer examination, Google found several similar extensions that were blocked from the store by automated processes. This one just slipped through the cracks, but the Chromium devs have figured out why that happened and are preparing to implement a fix. The exact nature of that fix is not being revealed because doing so could help malware infiltrate the Chrome Web store in the future.
    In the meantime, you should give Chrome extensions more than a cursory glance before installing them. It’s nice to know Google is responding to this incident, though.
    AtlBo, JB007, XhenEd and 6 others like this.
  3. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    Windows 10
    Yet the fake ESET, Avira, Avast, Kaspersky, Bitdefender, Adobe Flash extensions (among many others) referenced in this thread managed to surpass it with ease, a majority (if not all) of them on the same day under multiple profiles.

    AtlBo, JB007, Tsiehshi and 7 others like this.
  4. lowdetection

    lowdetection Level 5

    Jul 1, 2017
    Good work Opcode (y)
    AtlBo, JB007, Tsiehshi and 6 others like this.
  5. giulia

    giulia Level 4

    Nov 30, 2016
    hi Opcode
    amazing job, really, amazing job!
    About Bitdefender, I found only TrafficLight, but it's legit.
    thank you!
    AtlBo, JB007, Weebarra and 5 others like this.
  6. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    0wN3D by my cat!
    #26 Prorootect, Nov 22, 2017
    Last edited: Nov 22, 2017
    EDIT (for my precedent Post #14):
    Today's November 22, 2017 total counting of all digits: 28 fake apps... offered by those nicks in Post #14.
    I have put the numbers of fake apps corresponding to the nicks in the post above directly.
    JB007, Opcode, Weebarra and 1 other person like this.
  7. Tsiehshi

    Tsiehshi Level 1

    Nov 11, 2017
    Great investigation, Opcode. I hope more of them will be exposed, forcing Google to clean up their act at least a bit.
  8. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    Windows 10
    @Tsiehshi I hope they clean up their act a bit more too. One of the fake Avast extensions has since been removed by them; however, a majority of the extensions are still present on the Chrome Web Store, which is worrying considering I reported them days ago (and I am sure many others would have helped in doing this also).

    A lot of Home users trust Google despite privacy terms and will believe everything on the market on a Google store is safe and genuine. How very false this actually is in reality... As we can see.
    AtlBo, JB007, Prorootect and 2 others like this.
  9. Danielx64

    Danielx64 Level 8

    Mar 24, 2017
    Windows 10
    Hmmm, now that we are looking at Chrome, it would be interesting to see if Firefox has the same issue. When I can buy some time I will do some hunting for Firefox and see if I can find anything.
  10. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    0wN3D by my cat!
    From this article I posted:
    "Upon closer examination, Google found several similar extensions that were blocked from the store by automated processes."

    Oh my Red icon with question mark... where are they...
    I remember (and I still have 1! haha!) the very good AdBlock extension - "AdBlock with bonus functionality", size 1.9 MB, Version 10.0.6 - which had this very famous preview of results links ("Is it Safe?") with 7 services like Google Advisory, WOT, Norton Safe Web, McAfee, Avast, Trustwave, DrWeb... which was removed recently from my Chrome browsers: "The extension AdBlock was automatically removed" - little window after start of browser... sh... t!
    No more on Store.

    Very unfair move, from this Google "automatism".
    Tsiehshi, AtlBo, JB007 and 1 other person like this.
  11. JB007

    JB007 Level 10

    May 19, 2016
    Windows 10
    Thanks+++ @Opcode (y)
    Great report and analysis(y)
    Very useful:)
    AtlBo and Opcode like this.

  13. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    Mar 13, 2016
    Windows 7
    For fun I contacted Tavis Ormandy via Twitter :sneaky:, drew his attention to this ever-continuing problem of malware in the Google Apps Store and invited him to this thread, but no response :(
  14. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    Windows 10
    @Windows_Security I doubt he will sign up, the guy is a Windows Internals expert and probably has a huge amount of work to do like exploiting win32k.sys hahaha

    But it would be cool if he did. Thankfully the developer of MBR Filter joined the other day, hopefully he for one sticks around. :)