The security researcher Andrey Meshkov, co-founder of Adguard, has discovered five malicious Ad Blockers extensions in the Google Chrome Store that had been installed by at least by 20 million users.
The fake Ad blockers are
The five extensions are clone versions of well-known Ad Blockers, searching for Ad Blockers in Google Chrome Store we can notice that crooks used popular keywords in the extension description in the attempt to display them in the top search results.
“t’s been a while since different “authors” started spamming Chrome WebStore with lazy clones of popular ad blockers (with a few lines of their code on top of them).” wrote Meshkov.
“Just look at the search results. All the extensions I’ve highlighted are simple rip-offs with a few lines of code and some analytics code added by the “authors”. Instead of using tricky names they now spam keywords in the extension description trying to make to the top search results.”
The analysis of the code of the Ad Blockers revealed that the developers just added a few lines of code and some analytics code to the code of the legitimate extension.
Meshkov reported his discovery to Google that immediately removed all from the Chrome Store.
The jQuery library includes a script that is able to send information about some websites visited by the users back to a remote server.
“This hidden script was listening to every request made by your browser and compared md5(url + “%Ujy%BNY0O”) with the list of signatures loaded from coupons.txt. When the said signature was hit, it loaded an iframe from the g.qyz.sx domain passing information about the visited page, and then re-initialized the extension.” continues the expert.
The expert noticed that the default image/script does nothing malicious, but it can be changed at any time to perform malicious activity. It is executed in the privileged context (extension’s background page), in this way it has full control of the browser.
The remote server sends commands to the malicious extension, which are executed in the extension ‘background page’ and can change your browser’s behavior in any way.
“Basically, this is a botnet composed of browsers infected with the fake Adblock extensions,” Meshkov added. “The browser will do whatever the command center server owner orders it to do.”
Meshkov has scanned other extensions on the Chrome WebStore and found four more extensions developed with a very same approach.
Be careful of what you install, install only necessary extensions from trusted developers and company.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.