A researcher has uncovered five malicious ad-blocker extensions on the Chrome Web Store that were installed by 20 million Chrome users before Google removed them.
Discovered by Andrey Meshkov, co-founder of AdGuard, these five malicious extensions are copycat versions of legitimate, well-known ad blockers.
Creators of these extensions also used popular keywords in their names and descriptions to rank at the top of search results, increasing the chance that users would download them.
According to AdGuard Research, as many as 20 million Google Chrome users have been duped into downloading and installing fake ad block extensions. Yeah, that’s 2 crore Chrome users!
After Meshkov reported his findings to Google on Tuesday, the tech giant immediately removed all of the following malicious ad-blocker extensions from its Chrome Web Store:
- AdRemover for Google Chrome™ (10 million+ users)
- uBlock Plus (8 million+ users)
- [Fake] Adblock Pro (2 million+ users)
- HD for YouTube™ (400,000+ users)
- Webutation (30,000+ users)
“Basically, this is a botnet composed of browsers infected with the fake ad-block extensions. The browser will do whatever the command-center server owner orders it to do,” wrote AdGuard co-founder Andrey Meshkov.
Meshkov says the main problem is that extensions are poorly vetted by the Chrome Web Store. The authors of fake extensions are also using keyword spam in the extension description to get a top ranking in the Chrome Web Store for searches for ‘adblocker’.
“Instead of using tricky names, they now spam keywords in the extension description to try to make the top search results,” wrote Meshkov.
Two other fake ad blockers were ripped off from legitimate ad-blocking code: a fake uBlock Plus with eight million users and a fake Adblock Pro with two million users. Two more cloned extensions that used similar tactics were HD for YouTube, with 400,000 users, and Webutation, with 30,000 users.
A Reddit user in October noticed the same clone of the uBlock Plus extension that Meshkov found, meaning the clones have been available on the Chrome Web Store for at least six months. This fact, along with the top ranking for ad blocker queries, explains how the extensions attracted so many users.
Meshkov found the fake AdRemover for Google Chrome included hidden scripts that allow the authors to track websites visited and alter browser behavior.
“They definitely could alter anything on any website if they receive such command from the command server,” Meshkov told ZDNet in an email.
“Also, all five were connecting to the very same command server, and they were using the very same approach — the remote script was hidden inside an image.”
“Google is able to disable and remove Chrome extensions remotely and it seems that this is exactly what is happening,” wrote Meshkov.
As of today, Google has removed most of these fake adblock extensions from the Chrome Web Store. But there might be other malware-infected ad block extensions still out there. Browse with care!
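To check a Chrome profile for the five extensions named above, the following added example (not code from AdGuard's research or from this article) walks a profile's `Extensions/<id>/<version>/manifest.json` layout and reports installed extensions whose display name matches the list. The function names and the sample tree are hypothetical, and because the article gives no extension IDs and legitimate extensions can share a name, a match is a lead for manual review rather than proof.

```python
import json
import tempfile
from pathlib import Path

# Names from the article's list, lower-cased, without the trademark sign.
REPORTED = {"adremover for google chrome", "ublock plus", "adblock pro",
            "hd for youtube", "webutation"}

def load(path):  # JSON object from a file; {} if missing, malformed or not an object
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
        return data if isinstance(data, dict) else {}
    except (OSError, ValueError):
        return {}

def display_name(version_dir, manifest):
    """Resolve the manifest name, following a __MSG_key__ locale placeholder."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = str(manifest.get("default_locale", "en"))
        messages = load(version_dir / "_locales" / locale / "messages.json")
        for key, entry in messages.items():  # message keys are case-insensitive
            if key.lower() == name[6:-2].lower() and isinstance(entry, dict):
                return str(entry.get("message", name))
    return name

def audit(extensions_dir):
    """Return sorted (extension_id, version, name) tuples for name matches."""
    hits = []
    for mpath in Path(extensions_dir).glob("*/*/manifest.json"):
        name = display_name(mpath.parent, load(mpath))
        if " ".join(name.replace("™", "").lower().split()) in REPORTED:
            hits.append((mpath.parent.parent.name, mpath.parent.name, name))
    return sorted(hits)

def build_sample(root):
    files = {  # constructed sample tree: made-up IDs, versions and one benign name
        "a" * 32 + "/1.0_0/manifest.json": {"name": "uBlock Plus"},
        "b" * 32 + "/2.1_0/manifest.json": {"name": "__MSG_appName__", "default_locale": "en"},
        "b" * 32 + "/2.1_0/_locales/en/messages.json": {"appname": {"message": "HD for YouTube™"}},
        "c" * 32 + "/0.3_0/manifest.json": {"name": "Example Notes"},
    }
    for rel, data in files.items():
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / rel).write_text(json.dumps(data), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*audit(tmp), sep="\n")
```

On a real machine, pass the `Extensions` directory of the Chrome profile to `audit()` instead of the sample tree.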