Fake Malicious Extensions on Chrome Web Store!

Discussion in 'Browsers and Extensions' started by Prorootect, Nov 4, 2017.

  1. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,246
    13,483
    Utopia
    One way would be to get onto the Google product forum and start making a fuss. Link us here to the thread over there; I would be happy to +1 you over there.
     
    Prorootect likes this.
  2. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,556
    3,775
    0wN3D by my cat!
    #22 Prorootect, Nov 22, 2017
    Last edited: Nov 22, 2017
    It seems to me quite probable that the Google guys know about this (and another) MT topic, and about the problem on their Chrome Web Store. Don't be naive: somewhere Google must be gaining something if it prolongs this situation (bad for all of us ordinary users).
    I think that Google has an interest in having the bad guys in its web store... I think. Sorry, I don't want to offend anyone!
    It's horrible, but this world is bad, it's looking for money and...

    - There are surely some people here on MT who know Google people with influence... Let them make themselves known here then, to satisfy us all. I'm sure.
    Hello, Tavis Ormandy!

    Link about: Fake ESET NOD32 extension analysis (Google Chrome) - read from post #17 to the bottom...
     
    harlan4096 and shmu26 like this.
  3. shmu26

    shmu26 Level 53

    #23 shmu26, Nov 22, 2017
    Last edited: Nov 22, 2017
    I don't know if it is quite as nefarious as you are implying, rather that it will cost Google some money to properly vet the extensions, and if they reject certain extensions it might be bad for popularity (like what just happened with Firefox Quantum).
    But the party is over. No one is going to trust Chrome Store again, if they don't clean up their act.
     
    Weebarra, Prorootect and harlan4096 like this.
  4. Prorootect

    Prorootect Level 46

    #24 Prorootect, Nov 22, 2017
    Last edited: Nov 22, 2017
    shmu26 wrote:

    '...the party is over.' so 'No one is going to trust Chrome Store again, if they don't clean up their act.'

    I think so!


    PS. Search, like me, for bad extensions on the Chrome Web Store and post them here (with descriptions, of course). Thanks!
     
    Weebarra and shmu26 like this.
  5. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,285
    Caille
    Windows 10
    I noticed this thread earlier today; I am not sure why I didn't notice it beforehand. I started investigating the extensions after another member (an Italian female member I believe) asked about a few extensions which were placed on the Google Chrome Web Store. You were already onto it all, I believe (the same authors/extensions)?

    Really good work @Prorootect. Despite the thread I made, I am going to go ahead and say that I believe you were the first member here to notice what was going on to the extent and post a thread about it, you deserve more views for this. You've been checking up on it on a daily basis and continuing to find more and more, too.

    Google should provide you with an award. :)
     
  6. Prorootect

    Prorootect Level 46

    OK, thank you very much, Opcode!

    You have won a prize: a Chrome extension called High Contrast! (I like it, and already use it on the high contrast setting only!)
    Yes, because your latest post highlighted things with a great view!
    It would have been honest of Google to pay me for my great commitment to getting them out of this quagmire, this swamp, in which they are at the moment because of some bad guys.

    You too are invited to share your new discoveries from the web store with us here!

    Your prize, the High Contrast extension, on the Chrome Web Store (safe!): High Contrast
     
    harlan4096, Opcode and shmu26 like this.
  7. Prorootect

    Prorootect Level 46

    On the Chrome Web Store, if you search for: 'is the best tool to browse the Internet safely and quickly.'
    - then you will find that suspicious extensions are copied from the 'Panda Safe Web' extension - GUI and description text.
    These are: Shield Defense, MyStart Shield, Secure MyWeb.
    Look also at post #18 in this thread, please.
     
  8. Opcode

    Opcode Level 18
    Content Creator

    #28 Opcode, Nov 23, 2017
    Last edited: Nov 23, 2017
    @Prorootect
    Not to mention the MyStart service promotes advertisements and relies on Yahoo...
     
  9. Prorootect

    Prorootect Level 46

    Have you seen that this Panda has 879,142 users?

    Why, Google, why?
     
    Weebarra, harlan4096 and Opcode like this.
  10. Opcode

    Opcode Level 18
    Content Creator

    I don't know much about Panda and their extensions... I found the MyStart one which has 879,142 users the other day but was unsure after dynamic testing under an analysis environment. I cannot find any information on the official Panda Security website regarding it, and the author linking to the MyStart indicates to me that it isn't genuine, however there are almost a million users.

    Do you know if it is genuine or fake? It looks fake but you never know... Even the English for the description is "off" which is another indicator that it could be fake.
     
  11. upnorth

    upnorth Level 11

    Jul 27, 2015
    518
    2,750
    Sweden
    Panda Security Forum - View topic - Safe Web
    One of many issues they have, and too many reviews elsewhere are poor at best, so naaa, thanks Panda, but no thanks. Personally I dislike a lot all so-called "Toolbars", as if many sites alone aren't already filled up enough with annoying advertisements.

    The Hybrid-Analysis and also the VirusTotal test on the Windows version was interesting to read. Cheeky behavior to even ask people to pay $34.99, especially when it comes with that kind of crap.
     
  12. Opcode

    Opcode Level 18
    Content Creator

    @upnorth That is absolutely unreasonable and inexcusable!


    In my opinion that is unethical and makes me think that they cannot be trusted, despite being popular/well-known. I think the only reason they escalated it to a Private Message was due to embarrassment and not wanting to appear foolish on the forum for such a ridiculous scenario being reported - which is unhelpful for others who may view the thread looking for answers under the same circumstances as the original poster (and there must be more than one person to whom that has happened with the hijacked search provider because it is commonly noted in the Reviews).

    Edit: According to Google Chrome, the website is allegedly insecure - probably a certificate-related problem I'd imagine though.
     
    Weebarra, Prorootect and upnorth like this.
  13. Prorootect

    Prorootect Level 46

    #33 Prorootect, Nov 23, 2017
    Last edited: Nov 23, 2017
    I have found recent underground activity on the Chrome Web Store, by mystart.com:
    - speciality: wallpapers above all... search the store for: 'mystart'!
    So: MyStart Shield, MyStart Search New Tab, MyStart Space, MyStart Kereso, Mystart.io, and 27 wallpaper extensions, all registered by Google in November and October 2017. Many 'Updated: October 11, 2017' but the 3 latest updated November 2 or November 16, 2017...

    So Google has made a lot of money, much more than from other developers with one or two extensions, 32 times more than from the developer of a single extension.

    'Chrome Web Store' is a very successful business.
    This is reality. A sad reality.
     
  14. upnorth

    upnorth Level 11

    #34 upnorth, Nov 23, 2017
    Last edited: Nov 23, 2017
    [​IMG]
     
  15. Weebarra

    Weebarra Level 7

    Apr 5, 2017
    338
    8,380
    Somewhere in Scottieland
    Windows 7
    Kaspersky
    This is getting very interesting. Bad Panda ....[​IMG]
     
  16. Opcode

    Opcode Level 18
    Content Creator

    They've been flagged for years according to the source of a friend of mine who I asked about the Panda Safe Web extension the other day - I thought it was a fake extension at first with almost a million users before even testing it out properly and even started writing a whole analysis thread. Once I reached the point of adding static and dynamic analysis explanations, I then realised it really was genuine and not rogue and I was completely poker-faced. Even the English on the extension description doesn't add up right, and the author linking to a custom MyStart search engine page is extremely unethical IMO due to the background the service has surrounding browser hijacking among previous and known malicious software (e.g. Adware).

    I was a fool for not investigating further before spending time on a write-up which turned out to need to be deleted and never posted, but can you really blame me? Now another member above has posted a VirusTotal report for another component belonging to software of theirs, and that is... Well, self-explanatory in itself really.

    I hope Panda Security clean up their act because I'd like to think good of them, but it is behavior which I feel uncomfortable with surrounding generation of income (do they really need to do these things? Why can't they just make revenue from hard-working developed software?) such as the PUPs/bundling and what-not...
     
  17. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,085
    4,347
    Fortinet Engineer
    USA
    Other OS
    My on-prem Sandboxing Appliance started flagging Panda junk as riskware about a month or two ago. I've learned to pay CLOSE attention when my Sandbox Appliance 'wakes up' on something; it saved me from the CCleaner fiasco. Recently, it's awakened on a couple of products and I simply won't recognize it as FPs because the device is exceedingly good at avoiding FPs. The 50 page dump on Panda stuff is 'interesting', but I can't share it here, just a snippet.

    [​IMG]
     
  18. Weebarra

    Weebarra Level 7

    It's the not so clever people like me who will get caught out with something like this, as I wouldn't know how to check for PUPs etc. until they are already there. Yes, I could uncheck the box regarding changing the browser, but in this case it simply wouldn't have worked. As you say @Opcode, it is unethical and Panda aren't exactly minnows in the security field (although I think it is more the average home user who uses it), so they should be doing better with their product and not forcing unwanted changes on people. Another product to dismiss in my book, and it's all thanks to you guys here for posting and investigating these things. (y)
     
    upnorth, mlnevese, Opcode and 2 others like this.
  19. Prorootect

    Prorootect Level 46

    #39 Prorootect, Nov 24, 2017
    Last edited: Nov 24, 2017
    Searching on Google for 'panda security problems', I found some interesting topic titles on the first page already:
    How to solve issues with Panda antivirus after installing - Panda Security
    Known Issues - Panda Security Mediacenter
    Buggy Panda Update Causes Problems for Home, Enterprise Users ...
    Panda AntiVirus update likely to brick Windows Systems on restart
    PC Hell: How to Uninstall Panda Antivirus
    Panda antivirus labels itself as malware, then borks EVERYTHING ...
    etc etc


    Today I came across some other odd/sneaky/strange extensions.
    Searching in the Chrome Web Store for 'panda security', I found only:
    Best Online Shopping Deals Site, Best Chrome Downloader, and two Ultra VPN - Unlimited Free VPN, the last three signed by Chrome ... all four have a long, long spammed description.
    The first VPN ext. has Version: 1.2 Updated: November 9, 2017 Size: 14.1KiB 9,521 users, then the other VPN ext. has Version: 1.2 Updated: November 23, 2017 Size: 13.41KiB 0 users, still warm, hot.
    All fake surely..

    A giant on clay legs: when you go to the Chrome Web Store, you fall among the creatures of the swamp... as if you were poking a stick into an anthill... they come swarming in. They wanted us to think that everything is OK, that it's safe - this is called manipulation.
    It's like in life around us... so beware!
     
    upnorth likes this.
  20. Prorootect

    Prorootect Level 46

    #40 Prorootect, Nov 24, 2017
    Last edited: Nov 24, 2017
    ... and:
    Help me to judge: is this extension legit or fake: RAM light: RAM light
    Version: 0.1.2 Updated: November 20, 2017 Size: 19.57KiB
    Yes, fresh extension (uploaded 4 days ago), offered by hektr992 - he has an email account ... 1 user...
    'RAM light' is NOT found on Google search today.
    His other extension, called 'Blocksite', is found on Google search, but not this one...

    - thank you in advance...

    PS.
    To lower the CPU heating, use the 'Reader View' extension...
    - because these green 'onlineMarker pulse' periodic pulsations from 'Tooltip onlineMarker' on avatars are very annoying to my PC fan, and me.
    This problem occurs on the 'MalwareTips 6102' style theme, and 'MalwareTips Dark 6102' too.
    - gif animations...
     
    upnorth likes this.