On Tuesday AdGuard Research revealed that as many as 20 million Chrome users have been tricked into downloading and installing fake ad blocking extensions.
According to researchers, the extensions are nothing more than “rip-offs” or clones of legitimate ad blockers into which hackers have embedded malicious code and then renamed. They use names similar to those of popular extensions, like “Adblock Plus Premium” and “Adguard Hardline”, to rank higher in searches and to fool users into thinking they are additional offerings from famous brands. Even AdGuard itself has been spoofed.
The company says that there is not much that can be done about these fakes other than filing trademark complaints with Google to have them taken down. However, that takes a few days, during which thousands of people can still download the malware.
This is a problem because, of the five fake extensions that AdGuard looked at, the least popular one had been downloaded over 30,000 times. Another had been grabbed by unaware users more than 10 million times. In total, the five fake extensions have been installed on over 20 million browsers.
AdGuard notified Google of the bogus extensions and as of today they have been removed from the Chrome Web Store. However, there could still be others floating around. So be warned.
According to AdGuard’s Andrew Meshkov, the malware collects browsing history and other personal information and sends it to a server. The server then sends commands back to the browser hidden inside an odd-looking but seemingly innocent image, and the browser executes the scripts contained in that picture.
“Basically, this is a botnet composed of browsers infected with the fake adblock extensions. The browser will do whatever the command center server owner orders it to do,” said Meshkov.
I am not even going to pretend that I know how these beasts actually work, but if you are curious, Meshkov did a pretty good write-up on all the technical details on the AdGuard blog.
The company suggests being careful when looking for an ad blocker and reading the description of any extension before downloading it. Many hackers stuff the product blurb with keywords to ensure a high search rank, and a description like that is a dead giveaway that the software is fake.
Also, check that the extension is from a trusted author or company, but be careful: savvy hackers will sometimes spoof a legitimate company’s author name by altering it by a single letter or punctuation mark. When in doubt, don’t download it.
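The two checks in that advice, a near-miss author name and a keyword-stuffed blurb, can be scripted against a store listing before you click install. This is an added illustration, not AdGuard's code or anything from the article; the trusted-name list, the search-term list, the 40% threshold and the two sample listings are all constructed assumptions.

```python
import re

# Constructed reference data for this illustration (not AdGuard's lists).
TRUSTED_AUTHORS = ("AdGuard", "adblockplus.org", "uBlock Origin")
SEARCH_TERMS = {"adblock", "adblocker", "ad", "ads", "block", "blocker",
                "adguard", "premium", "plus"}
STUFFING_THRESHOLD = 0.4  # assumed: more than 40% search terms looks stuffed

def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_author(author: str, max_edits: int = 2):
    """Return the trusted name that `author` nearly (but not exactly) matches."""
    for name in TRUSTED_AUTHORS:
        d = levenshtein(author.casefold(), name.casefold())
        if 0 < d <= max_edits:  # one letter or punctuation mark off, as in the article
            return name
    return None

def keyword_ratio(description: str) -> float:
    """Fraction of words in the blurb that are search terms (1.0 = pure spam)."""
    words = re.findall(r"[a-z0-9]+", description.casefold())
    return sum(w in SEARCH_TERMS for w in words) / len(words) if words else 0.0

def assess_listing(listing: dict) -> list:
    """Apply both checks from the advice above; an empty list means no red flags."""
    flags = []
    near = lookalike_author(listing["author"])
    if near:
        flags.append(f"author {listing['author']!r} is a near-miss of {near!r}")
    if keyword_ratio(listing["description"]) > STUFFING_THRESHOLD:
        flags.append("description is stuffed with search keywords")
    return flags

# Constructed sample listings, modelled on the tricks the article describes.
FAKE = {"author": "AdGuard.", "description":
        "adblock adblocker ad block ads adguard premium adblock plus free adblock"}
LEGIT = {"author": "AdGuard", "description":
         "Blocks ads and trackers on all websites. Open source, fast, and private."}

if __name__ == "__main__":
    for label, listing in (("fake", FAKE), ("legit", LEGIT)):
        print(label, assess_listing(listing) or "no red flags")
```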