The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.
Problems? See this thread at archive.org.

    Over 20 Million Users Installed Malicious Ad Blockers From Chrome Store

    Discussion in 'Security and Anti-Virus Software' started by Dr. AMK, Apr 20, 2018.

  1. Dr. AMK

    Dr. AMK Living with Hope

    Reputations:
    3,961
    Messages:
    2,182
    Likes Received:
    4,654
    Trophy Points:
    281
    Over 20 Million Users Installed Malicious Ad Blockers From Chrome Store

    If you have installed any of the below-mentioned ad blocker extensions in your Chrome browser, you could have been hacked.

    A security researcher has spotted five malicious ad blocker extensions in the Google Chrome Store that had already been installed by at least 20 million users.

    Unfortunately, malicious browser extensions are nothing new. They often have access to everything you do online and could allow their creators to steal any information victims enter into any website they visit, including passwords, web browsing history and credit card details.


    Discovered by Andrey Meshkov, co-founder of Adguard, these five malicious extensions are copycat versions of some legitimate, well-known ad blockers.

    Creators of these extensions also used popular keywords in their names and descriptions to rank top in the search results, increasing the possibility of getting more users to download them.
    "All the extensions I've highlighted are simple rip-offs with a few lines of code and some analytics code added by the authors," Meshkov says.
    After Meshkov reported his findings to Google on Tuesday, the tech giant immediately removed all of the following malicious ad blocker extensions from its Chrome Store:


    • AdRemover for Google Chrome™ (10 million+ users)
    • uBlock Plus (8 million+ users)
    • [Fake] Adblock Pro (2 million+ users)
    • HD for YouTube™ (400,000+ users)
    • Webutation (30,000+ users)

    Meshkov downloaded the ‘AdRemover’ extension for Chrome, and after analyzing it, he discovered that malicious code hidden inside the modified version of jQuery, a well-known JavaScript library, sends information about some websites a user visits back to a remote server.


    The malicious extension then receives commands from the remote server, which are executed in the extension 'background page' and can change your browser's behavior in any way.


    To avoid detection, these commands sent by the remote server are hidden inside a harmless-looking image.

    "These commands are scripts which are then executed in the privileged context (extension's background page) and can change your browser behavior in any way," Meshkov says.

    "Basically, this is a botnet composed of browsers infected with the fake Adblock extensions," Meshkov says. "The browser will do whatever the command center server owner orders it to do."

    The researcher also analyzed other extensions on the Chrome Store and found four more extensions using similar tactics.


    Since a browser extension takes permission to access all the web pages you visit, it can do practically anything.

    So, you are advised to install as few extensions as possible and only from companies you trust.
     
    hmscott and Maleko48 like this.
  2. Maleko48

    Maleko48 Notebook Deity

    Reputations:
    207
    Messages:
    711
    Likes Received:
    529
    Trophy Points:
    106
    I JUST got the warning about Webutation this morning. I have had it installed for a long time. I don't know if it was malicious when first released but it certainly seems to be now.

    WebutationExtension_Malware.png

    Do you know if having legitimate uBlock Origin installed alongside these malicious extensions was enough to block any of their attempted communications or data sifting?
     
    Dr. AMK likes this.
  3. Dr. AMK

    Dr. AMK Living with Hope

    Reputations:
    3,961
    Messages:
    2,182
    Likes Received:
    4,654
    Trophy Points:
    281
    It's not enough.
    Imitation uBlock Origin app spotted on Chrome Store
     
    Maleko48 likes this.
  4. Maleko48

    Maleko48 Notebook Deity

    Reputations:
    207
    Messages:
    711
    Likes Received:
    529
    Trophy Points:
    106
    Thanks for the info, just double checked and my uBlock Origin is in fact original and not a fake. Now I am wondering what Webutation was up to for the 2+ weeks it was known to be malicious. (Who knows how long it has really been though.)
     
    hmscott likes this.
  5. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,110
    Messages:
    20,384
    Likes Received:
    25,139
    Trophy Points:
    931
    It's hard to understand how so many people loaded those obvious fakes, and why they did not instead load the top picks for the search, which are the real ones.

    Did your Webutation extension get updated to the malicious one, or was the service itself just using the previously good service to do new malicious things? Did the software get perverted or the service, or both?
     
    Maleko48 likes this.
  6. Maleko48

    Maleko48 Notebook Deity

    Reputations:
    207
    Messages:
    711
    Likes Received:
    529
    Trophy Points:
    106
    I had Webutation installed for years (never really relied on it or used it, but I would notice its rating for various sites I browse). I really don't believe it was malicious when I first installed it. I think it was sold out or compromised some other way myself. There are documented examples of apps and extensions selling out to the highest bidder, which then turns them malicious until their user base dies off.
     
    hmscott likes this.
  7. Maleko48

    Maleko48 Notebook Deity

    Reputations:
    207
    Messages:
    711
    Likes Received:
    529
    Trophy Points:
    106
    There are suspiciously nearly no recent articles pointing out Webutation being compromised. Even just googling "Webutation" turns up old and obscure results. Either it was just never really popular or taken seriously, or they've put some effort into cleaning search queries of their name. Even this MUO article still has it on its recommended list of extensions, and it was recently updated in March of 2018!

    https://www.makeuseof.com/tag/best-chrome-security-extensions/
     
    hmscott likes this.
  8. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,110
    Messages:
    20,384
    Likes Received:
    25,139
    Trophy Points:
    931
    These searches turn up plenty of hits, and it's recent, so more should be forthcoming over time:

    https://www.google.com/search?q=Webutation+compromised+malware

    https://www.google.com/search?q=Webutation+compromised+malware&source=lnt&tbs=qdr:m&sa=X

    https://blog.sucuri.net/2015/07/webutation-distributing-malware-through-safety-badge.html
     
    Last edited: May 5, 2018
    Maleko48 likes this.
  9. Maleko48

    Maleko48 Notebook Deity

    Reputations:
    207
    Messages:
    711
    Likes Received:
    529
    Trophy Points:
    106
    Yes if you add those extra words. I meant just googling "Webutation" alone.

    All I am getting at is that most other products with a significant breach would show tons of hits revealing their recent compromise when googling the product's name.

    Most people won't think to add "malware" or "compromised" for something with the utility and purpose of Webutation.

    If I recall correctly, Webutation has been around since ~2010 ish, hence many people thinking it's pretty reputable, especially since many websites used to carry its badging back in the day.
     
    hmscott likes this.
  10. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,110
    Messages:
    20,384
    Likes Received:
    25,139
    Trophy Points:
    931
    That's how I check out everything before I install it, doing a series of searches on the product name first. I recommend this for everyone to search about an app before installing it.

    malware / problems / alternative / better than/ home page / last update / best version / support / support forum / etc - any keywords appropriate I think of at the time to help me decide if something is worth my time installing and testing, will it do the job and is it safe, pretty basic first things to find out before using a new tool.
     
    Maleko48 likes this.
  11. Maleko48

    Maleko48 Notebook Deity

    Reputations:
    207
    Messages:
    711
    Likes Received:
    529
    Trophy Points:
    106
    I'm just thankful I have had no negative impacts to my secure and sensitive information to date.

    I will definitely be more scrutinizing from here on out. It was just that **** brand loyalty and age that stuck with me from a long time ago that kept me from questioning something with the exact opposite purpose and intent in its functionality.

    I try out lots of extensions. Some I remove completely, while others I just turn off in case I want to use them again later. Thankfully Chrome has built-in safeguards to disable these malicious extensions outright once they're known to be malicious.

    I used to only keep a few essential extensions active due to RAM limitations on my old laptop, but now that I've got 16GB on my new laptop I have been leaving more extensions enabled lately. Go figure. Smh.
     
    hmscott likes this.
  12. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,110
    Messages:
    20,384
    Likes Received:
    25,139
    Trophy Points:
    931
    Being more security / privacy proactive isn't a luxury any longer, we need to make it part of our routine, including making a sweep through all of our software regularly for updates, patches, and compromises.
     
    Maleko48 likes this.