At least 20 Million Chrome users have installed malicious Ad Blockers from Chrome store

Pierluigi Paganini April 20, 2018

A security researcher has discovered five malicious Ad Blockers extensions in the Google Chrome Store that had been installed by at least by 20 million users.

The security researcher Andrey Meshkov, co-founder of Adguard, has discovered five malicious Ad Blockers extensions in the Google Chrome Store that had been installed by at least by 20 million users.

The fake Ad blockers are

  • AdRemover for Google Chrome™ (10 million+ users)
  • uBlock Plus (8 million+ users)
  • [Fake] Adblock Pro (2 million+ users)
  • HD for YouTube™ (400,000+ users)
  • Webutation (30,000+ users)

The five extensions are clone versions of well-known Ad Blockers, searching for Ad Blockers in Google Chrome Store we can notice that crooks used popular keywords in the extension description in the attempt to display them in the top search results.

t’s been a while since different “authors” started spamming Chrome WebStore with lazy clones of popular ad blockers (with a few lines of their code on top of them).” wrote Meshkov.

“Just look at the search results. All the extensions I’ve highlighted are simple rip-offs with a few lines of code and some analytics code added by the “authors”. Instead of using tricky names they now spam keywords in the extension description trying to make to the top search results.”

malicious ad blockers

The analysis of the code of the Ad Blockers revealed that the developers just added a few lines of code and some analytics code to the code of the legitimate extension.

Meshkov reported his discovery to Google that immediately removed all from the Chrome Store.

The malicious code includes a modified version of jQuery library that hides the code to load the coupons.txt a strange image from a third-party domain http://www[.]hanstrackr[.]com.

The jQuery library includes a script that is able to send information about some websites visited by the users back to a remote server.

“This hidden script was listening to every request made by your browser and compared md5(url + “%Ujy%BNY0O”) with the list of signatures loaded from coupons.txt. When the said signature was hit, it loaded an iframe from the g.qyz.sx domain passing information about the visited page, and then re-initialized the extension.” continues the expert.

The expert noticed that the default image/script does nothing malicious, but it can be changed at any time to perform malicious activity. It is executed in the privileged context (extension’s background page), in this way it has full control of the browser.

The remote server sends commands to the malicious extension, which are executed in the extension ‘background page’ and can change your browser’s behavior in any way.

“Basically, this is a botnet composed of browsers infected with the fake Adblock extensions,” Meshkov added. “The browser will do whatever the command center server owner orders it to do.”

Meshkov has scanned other extensions on the Chrome WebStore and found four more extensions developed with a very same approach.

Be careful of what you install, install only necessary extensions from trusted developers and company.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Ad Blockers, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment