Over 20 Million Users Installed Malicious Ad Blockers From Chrome Store

Discussion in 'Security and Anti-Virus Software' started by Dr. AMK, Apr 20, 2018.

  1. Dr. AMK

    Dr. AMK The Strategist


    If you have installed any of the below-mentioned ad blocker extensions in your Chrome browser, you could have been hacked.

    A security researcher has spotted five malicious ad blocker extensions in the Google Chrome Store that had already been installed by at least 20 million users.

    Unfortunately, malicious browser extensions are nothing new. They often have access to everything you do online and could allow their creators to steal any information victims enter into any website they visit, including passwords, web browsing history and credit card details.


    Discovered by Andrey Meshkov, co-founder of Adguard, these five malicious extensions are copycat versions of some legitimate, well-known Ad Blockers.

    Creators of these extensions also used popular keywords in their names and descriptions to rank top in the search results, increasing the possibility of getting more users to download them.
    "All the extensions I've highlighted are simple rip-offs with a few lines of code and some analytics code added by the authors," Meshkov says.
    After Meshkov reported his findings to Google on Tuesday, the tech giant immediately removed all of the following malicious ad blocker extensions from its Chrome Store:


    • AdRemover for Google Chrome™ (10 million+ users)
    • uBlock Plus (8 million+ users)
    • [Fake] Adblock Pro (2 million+ users)
    • HD for YouTube™ (400,000+ users)
    • Webutation (30,000+ users)

    Meshkov downloaded the ‘AdRemover’ extension for Chrome, and after analyzing it, he discovered that malicious code hidden inside the modified version of jQuery, a well-known JavaScript library, sends information about some websites a user visits back to a remote server.


    The malicious extension then receives commands from the remote server, which are executed in the extension 'background page' and can change your browser's behavior in any way.


    To avoid detection, these commands sent by the remote server are hidden inside a harmless-looking image.

    "These commands are scripts which are then executed in the privileged context (extension's background page) and can change your browser behavior in any way," Meshkov says.

    "Basically, this is a botnet composed of browsers infected with the fake Adblock extensions," Meshkov says. "The browser will do whatever the command center server owner orders it to do."

    The researcher also analyzed other extensions on the Chrome Store and found four more extensions using similar tactics.


    Since a browser extension takes permission to access all the web pages you visit, it can do practically anything.

    So, you are advised to install as few extensions as possible and only from companies you trust.
     
    hmscott and Maleko48 like this.
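
An added example, not part of the original post or of Meshkov's analysis: a JavaScript function that inventories what an extension's manifest.json lets it do, which is the "access to all the web pages you visit" the article warns about. The sample manifests and the set of API permissions treated as sensitive are constructed assumptions.

```javascript
// Host match patterns that grant access to every site the user visits.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Assumption for this example: API permissions worth listing in a review.
const SENSITIVE_APIS = new Set(["webRequest", "webRequestBlocking", "tabs", "cookies", "history"]);

function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const lists = {
    permissions: manifest.permissions,
    optional_permissions: manifest.optional_permissions,
    host_permissions: manifest.host_permissions,
  };
  for (const [key, list] of Object.entries(lists)) {
    for (const p of list || []) {
      if (BROAD.has(p)) findings.push(`${key}: host access to every site (${p})`);
      else if (SENSITIVE_APIS.has(p)) findings.push(`${key}: sensitive API (${p})`);
    }
  }
  // Content scripts matched on every page can read what is typed into it.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD.has(m)) findings.push(`content_scripts: injected on every site (${m})`);
    }
  }
  // CSP is a string in V2 and an object in V3. 'unsafe-eval' is one signal
  // that extension pages may run strings fetched at runtime as code.
  const csp = manifest.content_security_policy;
  const cspText = typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  if (cspText.includes("'unsafe-eval'")) {
    findings.push("content_security_policy: 'unsafe-eval' lets extension pages run strings as code");
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLE_BROAD = {
  manifest_version: 2,
  name: "Example Ad Remover (constructed)",
  permissions: ["<all_urls>", "webRequest", "webRequestBlocking", "tabs", "storage"],
  background: { scripts: ["jquery.min.js", "background.js"], persistent: true },
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};
const SAMPLE_NARROW = {
  manifest_version: 3, name: "Example Site Helper (constructed)",
  permissions: ["storage"], host_permissions: ["https://example.com/*"],
};

function auditSamples() {
  return { broad: auditManifest(SAMPLE_BROAD), narrow: auditManifest(SAMPLE_NARROW) };
}
```

A legitimate ad blocker produces much the same findings, so the output measures how much each installed extension can reach, not whether it is malicious. To use it on a real install, pass the parsed manifest.json of each extension.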
  2. Maleko48

    Maleko48 Notebook Evangelist

    I JUST got the warning about Webutation this morning. I have had it installed for a long time. I don't know if it was malicious when first released but it certainly seems to be now.


    Do you know if having legitimate uBlock Origin installed alongside these malicious extensions was enough to block any of their attempted communications or data sifting?
     
    Dr. AMK likes this.
  3. Dr. AMK

    Dr. AMK The Strategist

    It's not enough.
    Imitation uBlock Origin app spotted on Chrome Store
     
    Maleko48 likes this.
  4. Maleko48

    Maleko48 Notebook Evangelist

    Thanks for the info, just double checked and my uBlock Origin is in fact original and not a fake. Now I am wondering what Webutation was up to for the 2+ weeks it was known to be malicious. (Who knows how long it has really been though.)
     
    hmscott likes this.
  5. hmscott

    hmscott Notebook Nobel Laureate

    It's hard to understand how so many people loaded those obvious fakes, and why they didn't instead load the top picks for the search, which are the real ones.

    Did your Webutation extension get updated to the malicious one, or was the service itself just using the previously good service to do new malicious things? Did the software get perverted or the service, or both?
     
    Maleko48 likes this.
  6. Maleko48

    Maleko48 Notebook Evangelist

    I had Webutation installed for years (never really relied on it or used it but I would notice its rating for various sites I browse). I really don't believe it was malicious when I first installed it. I think it was sold out or compromised some other way myself. There are documented examples of apps and extensions selling out to the highest bidder, who then turns them malicious until their user base dies off.
     
    hmscott likes this.
  7. Maleko48

    Maleko48 Notebook Evangelist

    There are suspiciously nearly no recent articles pointing out Webutation being compromised. Even just googling "Webutation" turns up old and obscure results. Either it was just never really popular or taken seriously or they've put some effort into cleaning search queries of their name. Even this MUO article still has it on its recommended list of extensions and it was recently updated in March of 2018!

    https://www.makeuseof.com/tag/best-chrome-security-extensions/
     
    hmscott likes this.
  8. hmscott

    hmscott Notebook Nobel Laureate

    These searches turn up plenty of hits, and it's recent, so more should be forthcoming over time:

    https://www.google.com/search?q=Webutation+compromised+malware

    https://www.google.com/search?q=Webutation+compromised+malware&source=lnt&tbs=qdr:m&sa=X

    https://blog.sucuri.net/2015/07/webutation-distributing-malware-through-safety-badge.html
     
    Last edited: May 5, 2018
    Maleko48 likes this.
  9. Maleko48

    Maleko48 Notebook Evangelist

    Yes, if you add those extra words. I meant just googling "Webutation" alone.

    Most other products with a significant breach would show tons of hits revealing their recently being compromised when googling the product's name, is all I am getting at.

    Most people won't think to add "malware" or "compromised" for something with the utility and purpose of Webutation.

    If I recall correctly, Webutation has been around since ~2010-ish, hence many people thinking it's pretty reputable, especially since many websites used to carry its badging back in the day.
     
    hmscott likes this.
  10. hmscott

    hmscott Notebook Nobel Laureate

    That's how I check out everything before I install it, doing a series of searches on the product name first. I recommend this for everyone to search about an app before installing it.

    malware / problems / alternative / better than / home page / last update / best version / support / support forum / etc. - any appropriate keywords I think of at the time to help me decide if something is worth my time installing and testing, will it do the job and is it safe, pretty basic first things to find out before using a new tool.
     
    Maleko48 likes this.