Fake Malicious Extensions on Chrome Web Store!

Discussion in 'Browsers and Extensions' started by Prorootect, Nov 4, 2017.

  1. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,285
    Caille
    Windows 10
    I did some checks for you.

    Code:
    "permissions": [
        "tabs",
        "system.memory",
        "storage",
        "alarms"
      ]
    
    We can see from the above that it does actually have the potential to access memory information and such.

    Code:
    "background": {
        "scripts":["js/background.js"],
        "persistent": true
      }
    
    Now we know that background.js will be executing 24/7 in the background for the extension, so let's take a quick peek.

    Code:
    // Queries Chrome's system.memory API and reports free/total memory in GB and as a percentage.
    function getMemory(callback) {
        chrome.system.memory.getInfo(function(info) {
            var freeGb = (info.availableCapacity / 1073741824).toFixed(1);
            var freePercent = (info.availableCapacity * 100 / info.capacity).toFixed(1);
            var totalGb = (info.capacity / 1073741824).toFixed(1);
            callback(freeGb, freePercent, totalGb);
        });
    }
    
    I did go through more within that JavaScript document; however, I simply do not know enough about how freeing memory the way it is supposed to should work, but so far it looks genuine. I did, however, notice something interesting within another JavaScript document belonging to the extension, with the file-name "options.js".

    Code:
    var _gaq = _gaq || [];
    _gaq.push(['_setAccount', _AnalyticsCode]);
    _gaq.push(['_trackPageview']);
    (function() {
      var ga = document.createElement('script');
      ga.type = 'text/javascript';
      ga.async = true;
      ga.src = 'https://ssl.google-analytics.com/ga.js';
      var s = document.getElementsByTagName('script')[0];
      s.parentNode.insertBefore(ga, s);
    })();
    
    I left out the actual analytics ID code for potential security reasons; however, it seems that there is tracking potential within the extension related to Google Analytics. Recently, there has been an outbreak of drama surrounding websites and tracking, and news surfacing about good web browser projects such as Brave or updates to Mozilla Firefox to help fight these things by default (Firefox now uses some features from the Tor browser code-base, which was a privacy-intuitive browser connecting through the Tor network based on the Firefox browser (UI and Gecko engine)).

    I do not know if the extension can be trusted, although my verdict is clean because it does appear to do genuine things and I cannot see something which is actually malicious (just suspicious to my eye due to lack of understanding). I personally would not trust it though... The author isn't "reputable" in my eyes, so stay cautious and be careful if you decide to go ahead and use it mate.
     
  2. upnorth

    upnorth Level 11

    Jul 27, 2015
    518
    2,750
    Sweden
    #42 upnorth, Nov 24, 2017
    Last edited: Nov 24, 2017
    Made by a possible new independent developer, and they all must start somewhere of course, but he/she needs to learn something from it... hopefully! Not even a homepage of any kind to point the more curious users/guests to is not gonna cut it and is a big No No IMO, as it shows this developer isn't serious and interested in any genuine feedback etc. Sure, anybody can use the support tab in the webstore, but that ain't enough IMO, and especially when you're new in the field and want to try to show yourself and what you actually can do. You can code a software/extension/app but you can't even create a plain/simple homepage of any sort, not even on a common blog... ok sure. Also the contact email address itself could instead have been something like " RAMLight at gmail.com " if available of course, or something similar at least, but the developer clearly made the choice to use " hktr992 ".


    Personally... wouldn't even take the time to try it. Thanks Prorootect for the share and thanks Opcode for the deeper test! (y)
     
    Prorootect, harlan4096 and Opcode like this.
  3. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,556
    3,775
    0wN3D by my cat!
    #43 Prorootect, Nov 24, 2017
    Last edited: Nov 24, 2017
    I'm very impressed by the quality of your test, thank you Opcode!
    It's tempting for me, this extension, but for now I want to stay cautious and not download it, also considering your comment at the end... thank you very much!
    Your screenshots are very advanced for me; could you tell me how I could do the same? Is there maybe an extension to deconstruct JavaScript in software or extensions...?
    - or an online tool?

    - I'm interested in lowering the CPU heating, caused by the green 'onlineMarker pulse' periodic pulsations from 'Tooltip onlineMarker' on avatars, using the MalwareTips 6102 style - so as to stop the .gif periodic animations.
     
    upnorth, Opcode and harlan4096 like this.
  4. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,285
    Caille
    Windows 10
    Q&A - chrome extensions are really tested and secure? like kaspersky privacy guard and avira protector ?

    There are, however, extensions available which can be used to view the source code of other extensions, instead of unpacking the CRX and analysing it through that. I've never used such extensions though, therefore I am not sure which one would be best for this. You'll also need to study HTML, JSON and JavaScript.

    About the CPU thing, I cannot comment on that at all. I did see your post about the forum avatar in the questions area this morning but didn't reply because I don't understand properly, I don't know about that topic with specific avatars/colours causing CPU load... But I hope you manage to solve your problem mate.
     
    upnorth, Prorootect and harlan4096 like this.
  5. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,556
    3,775
    0wN3D by my cat!
    #45 Prorootect, Nov 24, 2017
    Last edited: Nov 24, 2017
    Opcode, all avatars of people logged in to the MalwareTips website have a green dot, which marks their being logged in to the website and pulsates every 2 seconds for those members who have chosen this particular style/theme for MalwareTips pages (Style Chooser is at the bottom of the page, left)... but you know this, of course.

    _____________
    Thanks for your link, I didn't fully read this thread...

    On Chrome Web Store, I found eg. <view source> : <view-source>
    - and Feditor: Feditor - by this same developer
    - but it would take me to be a connoisseur, so I give up that idea.
     
    upnorth likes this.
  6. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,556
    3,775
    0wN3D by my cat!
    #46 Prorootect, Nov 24, 2017
    Last edited: Nov 24, 2017
    Upnorth, Thank you for this lively and detailed criticism of the behavior of some developers, I fully agree.
    I appreciate the very telling photo.
    - haha sorry for my English problems!
     
    upnorth likes this.
  7. Tsiehshi

    Tsiehshi Level 1

    Nov 11, 2017
    43
    118
    Somewhere
    #47 Tsiehshi, Nov 24, 2017
    Last edited: Nov 24, 2017
    You can also examine almost any extension on this website without having to install or even download anything. Unfortunately the last update was on October 30.

    TBF to this extension itself, it looks pretty harmless even though for the wrong reasons, just calculating the amount of free and used memory instead of magically "freeing" memory (basically using "free" as an adjective rather than a verb).
     
    Prorootect likes this.
  8. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,556
    3,775
    0wN3D by my cat!
    #48 Prorootect, Nov 25, 2017
    Last edited: Nov 25, 2017
    Thank you Tsiehshi for your link and explanations!
    - How do you examine the extensions, please?
    - from right click/'Inspect popup' of extensions with Developer tools (Chrome) is not sufficient?
     
  9. Tsiehshi

    Tsiehshi Level 1

    Nov 11, 2017
    43
    118
    Somewhere
    #49 Tsiehshi, Nov 25, 2017
    Last edited: Nov 25, 2017
    You find the extension and open the "view source" link for the latest version. In the new page, all its files will be listed in the sidebar on the left. You can click on any file on the list to view it. However, despite the site's usefulness, there's no search function helping find a particular extension. You can still work around it though:

    - Just do your search on Chrome Webstore and find the extension. Notice the ID (that long part made up of only letters after the last slash mark in the URL).
    - Then go to crx.dam.io/ext/[ID].html, which is the extension's page.
    - Click on the "view source" link for the latest version.

    Now you can study the extension. Preferably start from manifest.json as it's the most critical file in the extension, and some of the permissions and overrides specified in it can be a blatant red flag. For example, Panda Safe Web has these permissions:

    Code:
        "permissions": [
            "chrome://favicon/",
            "webNavigation",
            "storage",
            "cookies",
            "http://*/*",
            "https://*/*",
            "tabs",
            "webRequest",
            "webRequestBlocking",
            "unlimitedStorage"
        ],
    It can check and modify your tabs, browsing, web requests, cookies and store data. That's a lot, but it's not necessarily harmful or even superfluous. It depends on how these permissions are used. That said, there's no reason why it should need to change the default favicon other than pointless eye candy.

    Worse, it overrides a few default browser settings, acting not unlike a browser hijacker:

    Code:
        "chrome_settings_overrides": {
            "search_provider": {
                "name": "Panda Safe Web",
                "keyword": "safeWeb",
                "favicon_url": "https://pandasecurity.mystart.com/panda.ico",
                "encoding": "UTF-8",
                "is_default": true,
                "search_url": "https://pandasecurity.mystart.com/results.php?pr=vmn&id=pandasafeweb&v=1_0_chromeextension_unknown__&searchfeed=web&hsimp=yhs-panda1&ent=ch_ss&q={searchTerms}"
            }
        },
    It changes your default home page to hxxps://pandasecurity.mystart.com, which uses Yahoo's search engine.

    It's not, because extensions can work even without an HTML page and scripts can run independently from it even if there's one.
     
  10. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,556
    3,775
    0wN3D by my cat!
    #50 Prorootect, Nov 26, 2017
    Last edited: Nov 26, 2017
    Thank you very much Tsiehshi for your wonderful professional posting - I've never seen such quality of detailed explanations! (Post #49)
    - for now I don't have the opportunity to answer you in more detail, but I want to post for you later on, sorry....

    What you think about this Chrome extension: Chrome extension source viewer: Chrome extension source viewer

    .. and CRX Inspector: CRX Inspector
    CRX Inspector lets you view the files inside Chrome extensions, apps and themes. With it, developers can easily search through an extension's source code to see how an interesting feature was implemented, and security-conscious users can check extensions for malicious code before installing them.
    Very promising, I think. 5,075 users
    ... and what happens with this ContentBlockHelper latest version?
    See you later!
     
    upnorth and harlan4096 like this.
  11. Tsiehshi

    Tsiehshi Level 1

    Nov 11, 2017
    43
    118
    Somewhere
    Both inspectors are fine, and even have their own github page, but the latter is a lot more stripped-down (it doesn't work on Firefox add-ons though unlike the former).

    As for ContentBlockHelper, that error doesn't occur while you're actually browsing the web, so nothing to worry about.
     
    Prorootect likes this.
  12. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,556
    3,775
    0wN3D by my cat!
    - I've posted a new topic about source viewers: Add-on - Extension source viewer/inspector

    - then I've responded to you in the Add-on - ContentBlockHelper stopped working! thread.

    Thank you Tsiehshi!
     
  13. Tsiehshi

    Tsiehshi Level 1

    Nov 11, 2017
    43
    118
    Somewhere
    #53 Tsiehshi, Nov 30, 2017
    Last edited: Nov 30, 2017
    Fake Facebook ColorZilla

    [expletive deleted] is this permissions section?!:
    Code:
        "permissions": [
            "clipboardRead",
            "clipboardWrite",
            "browser",
            "alarms",
            "contextMenus",
            "storage",
            "notifications",
            "syncFileSystem",
            "app.window.fullscreen.overrideEsc",
            {
                "fileSystem": [
                    "write",
                    "retainEntries",
                    "directory"
                ]
            }
        ],
    Meaning it can potentially read and modify your clipboard, store and sync data, lock your browser in full-screen mode AND control your local files. I wrote "potentially", because fortunately it actually doesn't do any of it (but still makes your browser more exploitable). For the ability to change the color of HTML elements, there must be some kind of an element reference (getElementsBy/getElementBy/querySelector/CSS or jquery selectors etc.) inside a piece of code using a browser tab, but there's none. It doesn't even interact with cookies, pages and tabs apart from opening a tab when it's installed, uninstalled and every 3 hours regardless. Fake Facebook Unseen and Q-dir have pretty much the same source code apart from some cosmetic changes, so they don't work either.
     
    mlnevese likes this.
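    A small manifest triage script for the red flags walked through in post #49 (Panda Safe Web) and post #53 (the fake ColorZilla). This is an added example, not code from the thread or from any extension named in it: it parses a manifest.json, reports broad host permissions, sensitive permissions and chrome_settings_overrides, and runs on PANDA_SAFE_WEB and FAKE_COLORZILLA, which are constructed from the permission blocks quoted above and are excerpts rather than the complete manifests.

    ```python
    """Triage a Chrome extension manifest.json for the red flags discussed in
    this thread: broad host permissions, sensitive permissions and settings
    overrides.  Added example; sample manifests are constructed excerpts."""
    import json

    # Permissions whose presence calls for a look at the code that uses them.
    RISKY_PERMISSIONS = {
        "webRequestBlocking": "can intercept and modify every web request",
        "webRequest": "can observe web requests",
        "cookies": "can read and write cookies for permitted hosts",
        "tabs": "can read tab URLs and titles",
        "clipboardRead": "can read the clipboard",
        "clipboardWrite": "can write to the clipboard",
        "syncFileSystem": "can store data in the user's synced file system",
        "app.window.fullscreen.overrideEsc": "can hold a window fullscreen despite Esc",
        "fileSystem": "can read/write local files the user grants access to",
    }

    def is_broad_host(pattern):
        """True for match patterns that cover every site (any host, http/https)."""
        return pattern in ("<all_urls>", "http://*/*", "https://*/*", "*://*/*")

    def triage_manifest(manifest):
        """Return a list of human-readable findings for one parsed manifest."""
        findings = []
        for perm in manifest.get("permissions", []):
            if isinstance(perm, dict):  # object form, e.g. {"fileSystem": [...]}
                for name, opts in perm.items():
                    if name in RISKY_PERMISSIONS:
                        findings.append(f"{name} ({', '.join(opts)}): {RISKY_PERMISSIONS[name]}")
            elif is_broad_host(perm):
                findings.append(f"host permission {perm}: can read and change data on all sites")
            elif perm in RISKY_PERMISSIONS:
                findings.append(f"{perm}: {RISKY_PERMISSIONS[perm]}")
        # Settings overrides are what make an extension behave like a hijacker.
        overrides = manifest.get("chrome_settings_overrides", {})
        sp = overrides.get("search_provider")
        if sp and sp.get("is_default"):
            findings.append(f"default search provider replaced: {sp.get('search_url')}")
        if "homepage" in overrides:
            findings.append(f"homepage replaced: {overrides['homepage']}")
        if "startup_pages" in overrides:
            findings.append(f"startup pages replaced: {overrides['startup_pages']}")
        return findings

    # Constructed from the permission blocks quoted in posts #49 and #53 (excerpts only).
    PANDA_SAFE_WEB = json.loads("""{
      "permissions": ["chrome://favicon/", "webNavigation", "storage", "cookies",
                      "http://*/*", "https://*/*", "tabs", "webRequest",
                      "webRequestBlocking", "unlimitedStorage"],
      "chrome_settings_overrides": {"search_provider": {
          "name": "Panda Safe Web", "keyword": "safeWeb", "encoding": "UTF-8", "is_default": true,
          "search_url": "https://pandasecurity.mystart.com/results.php?pr=vmn&id=pandasafeweb&v=1_0_chromeextension_unknown__&searchfeed=web&hsimp=yhs-panda1&ent=ch_ss&q={searchTerms}"}}
    }""")
    FAKE_COLORZILLA = json.loads("""{
      "permissions": ["clipboardRead", "clipboardWrite", "browser", "alarms", "contextMenus",
                      "storage", "notifications", "syncFileSystem",
                      "app.window.fullscreen.overrideEsc",
                      {"fileSystem": ["write", "retainEntries", "directory"]}]
    }""")

    if __name__ == "__main__":
        for label, manifest in (("Panda Safe Web", PANDA_SAFE_WEB), ("fake ColorZilla", FAKE_COLORZILLA)):
            print(label)
            for finding in triage_manifest(manifest):
                print("  -", finding)
    ```

    A finding is a prompt to read the code that uses the permission, as post #49 notes, not a verdict on its own.
    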
  14. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,556
    3,775
    0wN3D by my cat!
    #54 Prorootect, Nov 30, 2017
    Last edited: Nov 30, 2017
    Yes, these three very horrific Apps (Productivity section...) "offered by PHEO LANG" on the Chrome store - found if you search on the store for the words "pheo lang":
    Facebook Unseen: Updated: November 8, 2017 Size: 12.04KiB, 300 users;
    Facebook ColorZilla: Updated: November 8, 2017 Size: 17.89KiB, 104 users;
    and Q-dir: Updated: November 14, 2017 Size: 18.77KiB, 9 users - this latest has fun English description, too:

    "Q-dir manage files and folders
    Q-dir portable or the board can function as a windowed interface allows you to manage files and folders on your computer with four. ..." etc etc

    So PHEO LANG loves to manage the files and folders of incautious, unsuspecting, unwary users, visibly...
    - thank you Tsiehshi for your interesting comment, we await your comments about these two other specialities from PHEO LANG's [expletive deleted];) cookery!
     
    upnorth and Tsiehshi like this.
  15. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,556
    3,775
    0wN3D by my cat!
    #55 Prorootect, Dec 16, 2017
    Last edited: Dec 16, 2017
    Warning! Fake IMacros Apps On Chrome Web Store
    - on blog.ipswitch.com: Warning! Fake iMacros Apps On Chrome Web Store
    - by Greg Mooney November 9, 2017

    "Warning! It has recently come to our attention that there are a couple of fake apps spoofing our browser automation tool, iMacros on the Chrome Web Store.

    At Ipswitch, we talk a lot about information security. If you are a frequent visitor to the Defrag This blog, then you know we are all about sharing the latest cybercriminal tactics. Our mission on the Defrag This blog is to provide IT professionals with tips to make your job easier and keep you informed on the latest information security trends and issues. That’s why it is critical to bring to your attention that iMacros, an Ipswitch product, is being spoofed on the Chrome Web Store.

    If you have recently downloaded iMacros on the Chrome Web Store, you may be affected. In any event, be wary of anything you download on app stores, since this is becoming a huge vector of attack for hackers.

    Lately, hackers have been targeting Google’s app stores, including the Android Store and Chrome Web Store, creating fake versions of popular apps. Just recently, it came to light that over a million users had downloaded a fake version of WhatsApp. These fake apps install malware on your devices with adverse effects that range from annoying adware to creating backdoors into your devices.

    It just so happens that we recently discovered that an Ipswitch application, iMacros, has been spoofed as well on the Chrome Store. We first noticed an issue on October 25th, when one of our employees saw an app named “iMacros – Browser Automation” by keyholesurgeryknickerbockers.xyz. It seems that this was first updated on October 24th and may be the first time it appeared.

    We immediately reported the issue as abuse to Google and stated that we (Ipswitch) were the real developers of iMacros and the other app is a fake and probably being used as a form of malware. We reported the issue a couple times from multiple accounts to Google, but Google has yet to remove the fake app.

    Another app called iMacros for Chrome appeared on November 1st. We just noticed this fake app this week. We have already gone ahead and reported the issue to Google, but it seems that Google will be slow to respond since they still have not responded to the first fake app we discovered a couple weeks ago.

    You can see what to watch out for in the screenshot below.


    As we are getting used to phishing attempts via emails, it is now necessary to always check that the apps we download are from the real developer. The developer name is a big indicator whenever an app is being spoofed. If you aren’t sure who the developer of an app is, you should do a little research online to see if that is the correct app that you want to install...."

    ...read more...

    - but today, some of these iMacros extensions no longer exist on the Chrome Web Store, hopefully for the iMacros browser automation tool.
    I still found one FAKE, like the one from the screenshot above: iMacros Hanzify for Chrome, offered by sites.google.com, Updated: October 30, 2015, 330 users...
    1 Chinese comment: "I can't get started."


    And no more Apps link on Chrome Web Store: Extensions and Themes links only.

     
    upnorth, mlnevese, Tsiehshi and 2 others like this.
  16. upnorth

    upnorth Level 11

    Jul 27, 2015
    518
    2,750
    Sweden
    Why do they point their homepage to .net on the Google store when they clearly have .com? I'm fully aware that developers/vendors can use several domains/subdomains, but IMO this confuses, as they also use different favicons. Perhaps one part of the whole issue?
     
    Andy Ful and Prorootect like this.
  17. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,556
    3,775
    0wN3D by my cat!
    Sure.
    Look on the result of clicking imacros.com:
    "Secure Connection Failed
    The connection to the server was reset while the page was loading.
    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem."
     
    upnorth likes this.
  18. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,556
    3,775
    0wN3D by my cat!
    #58 Prorootect, Jan 13, 2018 at 9:02 AM
    Last edited: Jan 13, 2018 at 9:08 AM
    Browser hijackers post

    Motto:

    Remove Search.myway.com redirect from Web Browser (Help Guide): on malwaretips.com: Remove Search.myway.com redirect from Web Browser (Help Guide)

    ...We are entering the uncertain, muddy terrain, swamps of Chrome Web Store...


    Very bad myway.com search redirect on Chrome Web Store (beware!): if we search for "myway.com": Chrome Web Store
    - then we find many extensions with myway.com hijacker. Easy, Google.

    "Browsing Guard":
    Version: 1.0.0
    Updated: December 12, 2017
    Size: 76.34KiB
    "Do you know the feeling of somebody constant watching you?...
    That's why we created "Browsing Guard"...
    Easy to use private search by typing 'p' + 'Tab" on your chrome search box..."

    ... then many other suspicious extensions like these: "Identity Guard Safe Browsing", "Pop Guard, Complete Browser Protection !!", "Browser Guard", "Security Guard", "ChromeGuard", "AppGuard", "Fake News Guard", ...etc etc

    Eg. search on the Store for: "Easy to use private search": Chrome Web Store
    - so you have MANY suspicious extensions...
    ________________________________


    Here you have the Results of Chrome Web Store search for: "The application communicates with our servers to deliver its functionality and record usage metrics.":

    "EasyPDFCombine":
    Version: 13.321.12.16045
    Updated: November 7, 2017
    Size: 48.28KiB
    9,263,438 users
    "This extension configures your New Tab page to EasyPDFCombine...
    The EasyPDFCombine extension offers convenient web search, homepage and default search....
    The application communicates with our servers to deliver its functionality and record usage metrics..."

    "FromDocToPDF":
    Version: 13.321.12.16049
    Updated: November 7, 2017
    Size: 52.08KiB
    10,000,000+ users
    "This extension configures your New Tab page to FromDocToPDF...
    The FromDocToPDF extension offers convenient web search and features from the Chrome New Tab page...
    The application communicates with our servers to deliver its functionality and record usage metrics...."

    "MyFunCards":
    Version: 13.321.12.21058
    Updated: November 10, 2017
    Size: 49.44KiB
    859,236 users
    "This extension configures your New Tab page to MyFunCards...
    The MyFunCards extension offers convenient web search and features from the Chrome New Tab page...
    The application communicates with our servers to deliver its functionality and record usage metrics..."

    "iSearch Tab":
    Version: 1.0.0
    Updated: November 16, 2016
    Size: 244KiB
    "This extension configures your New Tab page to iSearch Tab...
    Reset your New Tab Page to iSearch Tab
    Override the new tab page with iSearch Tab and begin searching from your new tab page...
    The application communicates with our servers to deliver its functionality and record usage metrics..."


    etc etc etc ... many many more... link to all these creepy scummy companions, to be found by you (and by store developers, to stop these): search on the Store for "The application communicates with our servers to deliver its functionality and record usage metrics": Chrome Web Store
    - why Google why
    - money
    - we all see this greed
    so you have 100, or 200, or more malicious extensions, I didn't count them, a lot, very huge number...

    Another very populated set of results you have, if you search on the Store for: "offers convenient web search": Chrome Web Store
    - so you have another 100, or 200, or more malicious extensions, I didn't count them, a lot, very huge number, many extensions...

    - very easy to search, so why Google, why
    - money
    - but we all see this greed, and we are not secure with your Store ....
     
    molhopicante and upnorth like this.