Over 37,000 Chrome Users Installed a Fake AdBlock Plus Extension

LASER_oneXM

Feb 4, 2016


Google has removed a malicious extension from its Chrome Web Store that posed as the popular AdBlock Plus ad blocker but forcibly opened new tabs to show ads to users.

Discovered by a security researcher going by the pseudonym of SwiftOnSecurity, the extension [1, 2] had over 37,000 users at the time it was taken down late last night.


Not entirely Google's fault
As the researcher points out in a Twitter tirade aimed at Google's staff, the problem was that Google allowed another developer to upload an extension with the same name as another.

"Google allows 37,000 Chrome users to be tricked with a fake extension by [a] fraudulent developer who clones popular name and spams keywords," the expert said. "Legitimate developers just have to sit back and watch as Google smears them with fake extensions that steal their good name."

Users could have spotted the fake extension based on the blob of unrelated keywords the fraudulent developer added to the extension's description. These hot keywords allowed the fake extension to pop up in unrelated search queries.

Also, if users had checked the extension's Reviews tab, they could have averted a disaster, as most users decried the extension's abusive tab-opening behavior.


Situations like these happen because the process of uploading extensions on the Chrome Web Store is automated and Google employees only intervene following situations like these. This automated process has allowed Google to build its Web Store, which has surpassed Mozilla's add-ons repository to become the biggest browser extensions portal among all browsers.

For this particular case, it appears that the extension's developer might have used a different ID from the one used by the original AdBlock Plus extension and might have taken advantage of a homograph attack using Cyrillic characters in the extension's ID to bypass Google's Web Store checks.
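
A defender-side check for the homograph trick mentioned above, as an added example that is not part of the original post or of Google's Web Store checks: it flags a listing name that renders like a trusted name but is built from different code points. The lookalike table is a small constructed subset, and the trusted list and sample names are constructed.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones.
# Not the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K",
    "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0421": "C",
}

def scripts(text):
    """Return the scripts (LATIN, CYRILLIC, ...) of the letters in text."""
    found = set()
    for ch in text:
        if ch.isalpha():
            # Character names begin with the script: "CYRILLIC SMALL LETTER A".
            found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found

def skeleton(text):
    """Normalize, map known lookalikes to Latin, then case-fold."""
    text = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in text).casefold()

def check_name(candidate, trusted_names):
    """Classify a listing name against names that are already trusted."""
    trusted = {skeleton(name): name for name in trusted_names}
    match = trusted.get(skeleton(candidate))
    if match is not None and candidate != match:
        return ("lookalike", match)        # renders alike, different code points
    if match is not None:
        return ("exact-duplicate", match)  # same string: compare publisher and ID
    if len(scripts(candidate)) > 1:
        return ("mixed-script", None)      # e.g. Latin and Cyrillic in one name
    return ("ok", None)

if __name__ == "__main__":
    trusted = ["AdBlock Plus"]             # constructed allow-list
    samples = ["AdBlock Plus", "\u0410dBlock Plus", "Tab M\u0430nager", "Tab Manager"]
    for name in samples:                   # constructed listing names
        print(ascii(name), check_name(name, trusted))
```

An "exact-duplicate" result is not a pass: the same name under a different publisher or extension ID is the cloning case the researcher complained about.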
 

LASER_oneXM

^^ Yeah... before installing anything on my machines I'm always checking many (security) boards, security sites etc. to be sure that my software is 'clean'... and of course before installing I'm checking everything on sites like virustotal.com, virusscan.jotti.org etc.
 
