Add-on Fake Malicious Extensions on Chrome Web Store!

Joined
Nov 5, 2011
Messages
4,223
#1
Fake Malicious Extensions on Chrome Web Store! Examples found! There were many of them, which are not cleaned by Store tenants for a long time!
Let's put our findings here and share our bad experiences.


Today I see "McAfee Endpoint Security Web Control" (I'm not sure ..) - "offered by McAfee Inc." (I'm not sure ..) - which has enormous "2,307,970 users" number! Updated: June 1, 2016 - so Chrome developers had a long time to take it off the Store. Surely malicious, always read user comments before downloading:

'Blocks known good sites needed for work and kills browser performance, what's not to like?' :notworthy:

'All this did was add malware on my computer and made it run extremely slow.':notworthy:

'I wanted to uninstall this because it clogs up my search pages advertising itself. However, after adding it to Chrome Portable, this will not disable or uninstall! I even uninstalled Chrome and reinstalled it and this extension was still there. It also prevented me from re-installing the Lastpass extension. This made Chrome useless to me. So, I had to switch to the Opera browser. This acts just like a piece of malware.':notworthy:

'Causes chrome to hang for several minutes several times per day. Basically this is malware.':notworthy:

Etc etc etc comments ..


Let's put our findings here and share our bad experiences, thank you!
 

TechMech

New Member
Joined
Nov 4, 2017
Messages
2
OS
Windows 7
Antivirus
McAfee
#2
Fake Malicious Extensions on Chrome Web Store! There were many of them, which are not cleaned by Store tenants for a long time! Let's put our findings here and share our bad experiences.


Today I see "McAfee Endpoint Security Web Control" (I'm not sure ..) - "offered by McAfee Inc." (I'm not sure ..) - which has enormous "2,307,970 users" number! Updated: June 1, 2016 - so Chrome developers had a long time to take it off the Store. Surely malicious, always read user comments before downloading:

'Blocks known good sites needed for work and kills browser performance, what's not to like?' :notworthy:

'All this did was add malware on my computer and made it run extremely slow.':notworthy:

'I wanted to uninstall this because it clogs up my search pages advertising itself. However, after adding it to Chrome Portable, this will not disable or uninstall! I even uninstalled Chrome and reinstalled it and this extension was still there. It also prevented me from re-installing the Lastpass extension. This made Chrome useless to me. So, I had to switch to the Opera browser. This acts just like a piece of malware.':notworthy:

'Causes chrome to hang for several minutes several times per day. Basically this is malware.':notworthy:

Etc etc etc comments ..


Let's put our findings here and share our bad experiences, thank you!
I am currently unable to identify a solution, and will need extra information. During such attacks I would manually trace the main cause, then I would delete the main source leading to it; extensions like these will most likely get deleted after you remove the backup and source. If your problem keeps re-occurring, I recommend asking a person you may know with strong knowledge about such malware. If the problem proceeds, I recommend you get it fixed at a computer workshop or tech support, or just back up the software you'd like to keep on a flash drive and then re-install your software.
 

TairikuOkami

Level 13
Content Creator
Joined
May 13, 2017
Messages
624
OS
Windows 10
#5
McAfee Corporate KB - Endpoint Security Web Control browser extensions must be enabled by the end user KB87568
The article mentions "McAfee Endpoint Security Web Control 10.x" and this is indeed version 10.2, so I guess no fake?!

Those extensions/app work only when you have McAfee installed. I have just tried all 3 of them.
Considering it is supposed to block webpages and advertise itself, it does what it does.

McAfee Security Scan Plus is mostly a tool intended to sell McAfee programs.
McAfee SECURE Safe Browsing
 

Joined
Nov 5, 2011
Messages
4,223
#6
McAfee Corporate KB - Endpoint Security Web Control browser extensions must be enabled by the end user KB87568
The article mentions "McAfee Endpoint Security Web Control 10.x" and this is indeed version 10.2, so I guess no fake?!

Those extensions/app work only when you have McAfee installed. I have just tried all 3 of them.
Considering it is supposed to block webpages and advertise itself, it does what it does.


McAfee SECURE Safe Browsing
OK not fake (- and this is worse!) - but: read comments on Chrome Web Store ...:mad:

"Those extensions/app work only when you have McAfee installed."
- but this is NOT mentioned on the Chrome Web Store, for "McAfee Endpoint Security Web Control" ...

Exactly, you've found this very meaningful sentence in your link:

"McAfee Security Scan Plus is mostly a tool intended to sell McAfee programs."


So it is proof that they think to earn the money (mostly ..), not the trust of all of us. Thank you very much, TairikuOkami !



- hmm, this shows clearly, that I am in no way connected with McAfee company...?

Well, found another McAfee 'gem' on the Web Store: McAfee SiteAdvisor Enterprise ..Version: 3.5.0.1275, Updated: October 4, 2017 , 1,352,493 users

Only two comments (latest alerts ..) of users I copy here:

'Modified Oct 20, 2017
I have a couple of websites that I use that are perfectly safe, I've used them before with no problems, and it keeps saying that it's safe, but I might want to be careful on said site. Oh, and I can't get rid of it either, it's a HUGE pain, NEVER GET THIS ADDON!!!! Also, on some pages the popup appears again...and again...and again.'

'Modified Oct 24, 2017
IT SUCKS!! It came installed by the school that gave me this laptop and I REALLY DON'T KNOW WHY THEY WOULD INSTALL IT! It came installed by moderator, which means I can't get rid of it UNLESS I hard restart, but I don't want to. And it does a pop-up every time you use or click on anything that is "unsafe" (YouTube, Netflix, Crunchyroll, etc.) and can be easily avoided by using incognito or a pop-up blocker!! I WOULD GIVE THIS 00000000000000 STARS IF I COULD!!1!!1!!!!'


Give shame to McAfee on the Chrome Web Store.
 
Joined
Nov 5, 2011
Messages
4,223
#8
Read the first page of my topic: Add-on - "Chrome Adware Removal" extension block ransomware

- because of the interesting discussion about extension security, from Windows_Security's post #11 to the bottom of the page - you also have this link
to the kjaer.io article (nice photo, scroll down): Malware in the browser: how you might get hacked by a Chrome extension

Thank you, Windows_Security!


GOOD, very good right extension skyZIP™ (skyZIP™ Proxy) acceleration and compression Proxy: Home | nynex - professional satellite services right site!
Chrome Web Store URL: skyZIP™ Proxy
- so it's offered by nynex - from Germany - Version: 0.8.1 - Updated: May 11, 2015 - Size: 71.25KiB

BUT - on Chrome Web Store, you also have another extension with the same name 'skyZIP Proxy' - maybe fake, maybe malware - offered by kibosh...xyz, don't touch this one, you never know!
This same image ...Version: 1.0 - Updated: October 27, 2017 - Size: 74.37KiB - hmmm ... what is this similar extension?
User Reviews
All languages
No comments

WHY, Chrome developers - why didn't they delete this ...
 
Joined
Sep 27, 2017
Messages
59
OS
Windows 7
Antivirus
Webroot
#9
Some extensions, when discarded due to being developed into FF 57 compatibility, must have got hijacked by others who put malicious code in them. It's so hard to tell sometimes. Great research Prorootect!
 
Joined
Nov 5, 2011
Messages
4,223
#10
Uhhmmm the plot thickens Avira extension has same user interface as Symantec extension:cautious:

Avira Antivirus - Protector of Online Surfing

Security Guard by Symantec
Windows_Security - I downloaded to test (for some seconds ..) this Symantec extension: 'Security Guard by Symantec' (Updated: October 18, 2017) with ugly blue flat icon, then removed it.
But with the 'remove event' here, a New Tab page is created, with website:

hxxp://mitarchive.info/temp/survey.html?inst=NaN&id=bce

I look on my 'Sur.ly Surfguard' icon - there is a triangle with an exclamation mark on the icon and the icon pop-up text warns: "Unsafe: this website contains some kind of security threat or malware" .. McAfee (from 'Full report' button on the icon) spoke of 'mitarchive.info' page threat: 'Web Category: Search Engines' ...
I took a look at the page, it was empty because of my anti-script engines, hopefully! I just closed it, that's all.
So why is Symantec assisted by mitarchive.info?

Google about mitarchive.info: 'A description for this result is not available because of this site's robots.txt' - so not good I think.

Maybe threat, maybe no threat - but I prefer to have confidence in my 'Sur.ly Surfguard'.:)

__________________________

'Avira Antivirus - Protector of Online Surfing' ugly blue flat icon .. then pop-up from icon is with this same interface that from Symantec extension! - so this same inscription 'Protection is On' - and no Options, like in the other extension..
So I remove it - and in the New Tab page I see

hxxp://mitarchive.info/temp/survey.html?inst=NaN&id=fib


.. aaaa ..

- Cool, this cooperation between producers of delusions for poor web users.

... and why Symantec extension has Size: 649KiB, and Avira extension has Size: 1.63MiB ..
 
Joined
Sep 27, 2017
Messages
59
OS
Windows 7
Antivirus
Webroot
#11
Had a popup blocker installed a few days ago for testing. It was kept deactivated but twice became active by itself when Chrome started, and today I found in the extension list that "it may have been compromised" was written under it. During removal it opens some Google feedback form, possibly a phishing page.
 
Joined
Nov 5, 2011
Messages
4,223
#12
Ha - downloaded yesterday in Firefox: 'Popup Blocker for Firefox: Poper Blocker', and Pop-up Controller, seen nothing bad ..
- on chromium forks I have my ZenMate Web Firewall, anti-script extensions and Content-Aware Ad Blocker .. no other ad blockers, and never seen ads ..:)

If you search, on the Chrome Web Store search, for these three words: 'web shield protection' - you receive a plethora of fake or malicious extension results, many with this same starting sentence (only the name of the extension changes):
"... helps provide quick, easy and convenient search results for every day needs."
Never user comments, none.

Why does Google allow this to happen - for pennies probably...
 
Joined
Nov 11, 2017
Messages
58
#13
Someone at GitHub has made a website where you can examine any Chrome extension unless its owner has asked for it to be taken off the list.

PS. From my own experience, I can say that they apparently don't care anymore about their own rules once an extension or update has been accepted. I once wrote an extension replacing broken images with their Wayback Machine versions. However, back then it used cookies to track whether to enable or disable the content script, so since the recent privacy policy change, it must have been violating it. After all, I foolishly did the same later trying to update it, causing it to be rejected (with me ending up removing the feature). Yet they hadn't done anything about the extension's last version that seemingly had the same problems for months.
 

shmu26

Level 60
Joined
Jul 3, 2015
Messages
4,973
OS
Windows 10
#15
Interesting article, from thehackernews.com: 8 More Chrome Extensions Hijacked to Target 4.8 Million Users

'Google's Chrome web browser Extensions are under attack with a series of developers being hacked...'

Still current, that kind of news.
This is getting to be a problem. Even if you choose your extensions carefully, they get hijacked by 3rd party actors.
Sounds to me like a big security hole.
 
Joined
Nov 5, 2011
Messages
4,223
#16
NEW (4) fresh fake extensions/apps on Chrome Web Store Today
offered by lomernixmzloa932:

youtube mp3 downloader for chrome
ESET Nod32 Antivirus
ComboFix (ancient this one...)
GoodSync

- developer of these fakes is well alive and is working in full daytime !...

- and Google's response - where is it?

We have another thread about, look on Malware Analysis section:
Malware Analysis - Fake ESET NOD32 extension analysis (Google Chrome)
 
Joined
Nov 5, 2011
Messages
4,223
#18
Some Chrome extensions/apps - Intruding, Deceptive, Problematic, users are disappointed... hijacking to Yahoo Search... with bad English in description...
- 'masquerading as trustworthy'...

If you search, on the Chrome Web Store search, for these three words: 'web shield protection':

Here you have Chrome Web Store extensions/apps of that kind, this same GUI, offered by different guy!


PC Protect Web Shield = Scanguard Web Shield = Total AV Web Shield

- with similar Home pages who are asking for login to your account!

Another set of that kind of 'this same GUI' - and 'this same icon' extensions/apps, changing your search settings to shielddefense.net or mystartshield.com:

MyStart Shield = Shield Defense = Secure MyWeb

Scam Block Plus extension is very suspicious.

Identity Guard Safe Browsing extension 'offers in-app purchases' and has very suspicious Home page addon.wsidg.com, beware! - what is this writing

Developers of fake extensions are well alive!

- you like this?
 

shmu26

Level 60
Joined
Jul 3, 2015
Messages
4,973
OS
Windows 10
#19
Some Chrome extensions/apps - Intruding, Deceptive, Problematic, users are disappointed... hijacking to Yahoo Search... with bad English in description...
- 'masquerading as trustworthy'...

Here you have Chrome Web Store extensions/apps of that kind, this same GUI, offered by different guy!


PC Protect Web Shield = Scanguard Web Shield = Total AV Web Shield

- with similar Home pages who are asking for login to your account!

Another set of that kind of 'this same GUI' - and 'this same icon' extensions/apps, changing your search settings to shielddefense.net or mystartshield.com:

MyStart Shield = Shield Defense = Secure MyWeb

Scam Block Plus extension is very suspicious.

- you like this?

Identity Guard Safe Browsing extension 'offers in-app purchases' and has very suspicious Home page addon.wsidg.com, beware! - what is this writing

Developers of fake extensions are well alive!

- you like this?
You should let Google know what a lousy job they are doing with vetting extensions.

Some of this stuff is absolutely inexcusable, such as false use of brand names like Kaspersky. I mean, if an extension is submitted by Joe Schmo, and it claims it is Kaspersky, how hard is that to detect??
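
Added example, not part of any post in this thread: a sketch of the two store-side checks the discussion points at, a brand name in the title that the publisher does not match, and listings that share one description template with only the name swapped. The brand-to-publisher table, the `Sample Web Shield` entries and all descriptions except the template sentence quoted in post #12 are constructed, and the check assumes the publisher field is a verified identity rather than free text.

```python
import re
from collections import defaultdict

# Assumption: brand keyword -> substrings expected in a verified publisher name.
BRAND_OWNERS = {"eset": ("eset",), "kaspersky": ("kaspersky",), "mcafee": ("mcafee",)}

# Constructed listings: (name, offered_by, description). The first two names and
# publishers come from the thread; the rest of the data is made up for the example.
LISTINGS = [
    ("ESET Nod32 Antivirus", "lomernixmzloa932", "Antivirus for your browser."),
    ("McAfee Endpoint Security Web Control", "McAfee Inc.", "Web Control for endpoints."),
    ("Sample Web Shield One", "publisher-a",
     "Sample Web Shield One helps provide quick, easy and convenient search results for every day needs."),
    ("Sample Web Shield Two", "publisher-b",
     "Sample Web Shield Two helps provide quick, easy and convenient search results for every day needs."),
]

def brand_mismatches(listings):
    """Return (name, brand) pairs where a brand is in the title but not in the publisher."""
    flagged = []
    for name, publisher, _ in listings:
        for brand, owners in BRAND_OWNERS.items():
            in_title = re.search(rf"\b{re.escape(brand)}\b", name, re.IGNORECASE)
            owned = any(owner in publisher.lower() for owner in owners)
            if in_title and not owned:
                flagged.append((name, brand))
    return flagged

def template_clusters(listings, min_size=2):
    """Group listings whose descriptions are identical once the extension name is masked."""
    groups = defaultdict(list)
    for name, _, description in listings:
        masked = re.sub(re.escape(name), "<name>", description, flags=re.IGNORECASE)
        masked = re.sub(r"\s+", " ", masked).strip().lower()
        groups[masked].append(name)
    return {text: names for text, names in groups.items() if len(names) >= min_size}

if __name__ == "__main__":
    print(brand_mismatches(LISTINGS))
    print(template_clusters(LISTINGS))
```

Neither check proves malice on its own; a hit is a reason to review the listing's permissions and code before trusting it.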
 
Joined
Nov 5, 2011
Messages
4,223
#20
You should let Google know what a lousy job they are doing with vetting extensions.

Some of this stuff is absolutely inexcusable, such as false use of brand names like Kaspersky. I mean, if an extension is submitted by Joe Schmo, and it claims it is Kaspersky, how hard is that to detect??
I didn't know how to do it, maybe there on MT - or any other place! - would be someone who would be more informed than me, to notify Google, I hope so, I'm waiting!
 