Google just kicked out five suspicious ad blockers from its Google store, following industry reports that fake “clones” of legitimate ad blocking tools had got past its verification process, potentially putting over 20 million Chrome users at risk of being hacked.
According to researchers at AdGuard who discovered the problem, “With the current state of things, surfing through the Chrome’s WebStore is like walking through a minefield”. AdGuard recommends, “if you want to install an extension, think twice. And then think twice again. Check who is the author of this extension. Do not install it if you don’t trust the author. Please note, that at some point the extension can be sold to someone else, and who knows what it will become.”
Back in October, news broke that 37,000 Chrome users had downloaded a fake Adblock Plus extension, which was available along with the legitimate extension on Chrome’s official web store. It was difficult to tell that the extension was fake, as its developer name was “Adblock Plus” and it had a considerable number of reviews.
The latest suspicious applications all had similarly legitimate-sounding names, but with much larger user numbers: AdRemover for Google Chrome (10 million users), uBlock Plus (8 million users), Adblock Pro (2 million users), HD for YouTube (400,000 users) and Webutation (30 million users). The software has now been removed from the Chrome Web Store.
However, over the past year, the suspect extensions had been installed on 20 million Chrome instances. This was partly because the authors of the fake extensions were manipulating keywords in the extension description to get top rankings in the Chrome Web Store when people searched for “adblocker”.
Once one of these extensions was downloaded, attackers could exploit it to force the victim’s Chrome browser to “do whatever the command center server owner orders it to do”, said AdGuard co-founder Andrey Meshkov. Further, Meshkov said, “Basically, this is a botnet composed of browsers infected with the fake ad-block extensions.” Hackers could track sites the user visited, and alter browser behavior through the hidden scripts in the spoof extensions.
If a user suspects that they may have been hacked, they should immediately check whether they are using any of the named ad blocking apps and, if so, delete them at once.
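One way to run that check across a Chrome profile, as an added example that is not from the article or from AdGuard: it reads each installed extension's `manifest.json`, resolves localized `__MSG_...__` names, and lists those whose display name matches one named above. It assumes the usual profile layout `Extensions/<id>/<version>/manifest.json`; matching on display name is also an assumption, since the article gives no extension IDs, so a hit is a prompt to inspect the extension rather than proof it is one of the fakes.

```python
import json, sys, tempfile
from pathlib import Path

# Names as listed in the article. Matching on display name is this example's
# assumption: the article publishes no extension IDs.
NAMED = {"adremover for google chrome", "ublock plus", "adblock pro",
         "hd for youtube", "webutation"}

def display_name(version_dir: Path) -> str:
    """Return an extension's display name, resolving a __MSG_key__ placeholder."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        path = version_dir / "_locales" / locale / "messages.json"
        messages = json.loads(path.read_text(encoding="utf-8-sig"))
        for key, entry in messages.items():
            if key.lower() == name[6:-2].lower():  # message keys are case-insensitive
                return entry.get("message", name)
    return name

def find_named_extensions(extensions_dir: Path):
    """Return (extension_id, version, name) for each installed match."""
    hits = []
    for manifest in sorted(extensions_dir.glob("*/*/manifest.json")):
        version_dir = manifest.parent
        try:
            name = display_name(version_dir)
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed extension: skip it
        if name.strip().lower() in NAMED:
            hits.append((version_dir.parent.name, version_dir.name, name))
    return hits

def build_sample(root: Path) -> Path:
    """Write a constructed Extensions directory (made-up IDs) for a dry run."""
    ext = root / "Extensions"
    a = ext / ("a" * 32) / "1.0_0"
    (a / "_locales" / "en").mkdir(parents=True)
    (a / "manifest.json").write_text(json.dumps({"name": "__MSG_appName__", "default_locale": "en"}))
    (a / "_locales" / "en" / "messages.json").write_text(json.dumps({"appName": {"message": "uBlock Plus"}}))
    b = ext / ("b" * 32) / "2.3_0"
    b.mkdir(parents=True)
    (b / "manifest.json").write_text(json.dumps({"name": "Some Other Extension"}))
    return ext

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample(Path(tempfile.mkdtemp()))
    print(find_named_extensions(target))
```

Pass the path to a profile's `Extensions` directory as the only argument; with no argument it runs against the constructed sample.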
“Different companies have different approaches to how third parties can add content to their stores and each has its pros and cons,” Lee Munson, a security researcher for Comparitech, told Newsweek. “While Apple may frustrate with the time it takes for manual approval to be received, Google takes a different approach with a more automated checking process, after the fact.”
“The dangers of this approach are obvious, as seen with fake ad blockers that zombify devices into a botnet,” Munson continued. “I imagine the only way Google can improve this situation is to take a proactive rather than reactive stance on spotting fake extensions. This is likely to take both time and money; it will be interesting to see if this is a cost worth bearing in order to protect its users.”