System-cleaning tool CCleaner is one of the most popular programs of its type in the world. According to Avast, which recently acquired maker Piriform, it boasts over 2 billion worldwide downloads and receives 5 million more each week. But it’s just been reported that up to 2.27 million users were put at risk from a backdoor found in a recent version of the program.
Security firm Cisco Talos warned that version 5.33 of CCleaner, which was downloadable from August 15 to September 11, had been modified to include the Floxif malware. The unaffected version 5.34 was released on September 12, but those who downloaded the tool during the weeks that version 5.33 was available may have unwittingly installed the backdoor.
Update: The affected builds were the 32-bit version of CCleaner 5.33 and CCleaner Cloud 1.07.3191. The 64-bit version of CCleaner was not affected.
Floxif can gather information about an infected system and send the data back to a hacker’s server. It can also allow other forms of malware, such as ransomware and keyloggers, to make their way onto a victim’s computer.
It’s unclear exactly how the person or persons responsible breached Avast’s systems, but Talos speculates it could have been "an insider with access to either the development or build environments within the organization."
Paul Yung, Piriform’s Vice President of Products, has tried to play down the attack. In a blog post today, he wrote: "The threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker."
"Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm."
The company said it was working with US law enforcement agencies to discover who was behind the incident. "We apologize and are taking extra measures to ensure this does not happen again," it added.