Fake AdBlock Plus Chrome Extension Installed By More Than 30,000 Users

A malicious extension posted to Google’s official Chrome Web Store that posed as a popular ad-blocking utility was installed by more than 30,000 users before Google removed it, according to a researcher.

The anonymous researcher, who uses the pseudonym SwiftOnSecurity, said the fraudulent extension posted as AdBlock Plus, a popular browser add-on with more than 10 million users.

Extension fraud

The malicious tool used the same name as AdBlock Plus and appeared identical, but when installed forced the browser to open new tabs that displayed ads.

SwiftOnSecurity said the fact that the extension was so evidently fraudulent, using the name of a well-known tool and including a list of unrelated keywords in its description to improve search results, raised questions about Google’s filtering processes for the Chrome Web Store.

At the time the false extension was removed about 37,000 users had installed it, SwitfOnSecurity said in a Twitter post.

“Google allows 37,000 Chrome users to be tricked with a fake extension by fraudulent developer who clones popular name and spams keywords,” the researcher wrote, adding, “Legitimate developers just have to sit back and watch as Google smears them with fake extensions that steal their good name.”

Users noted that while the false extension’s publicly visible name was “AdBlock Plus”, its extension ID included non-Latin characters that differentiated it from the genuine software while maintaining a similar appearance, a technique that may have fooled Google’s filters.

The malicious tool’s extension ID was ‘аdвiосk-рiuѕ’, rather than ‘adblock-plus’users reported on Twitter.

Malicious tools

Google applies automated filters to vet Chrome Web Store uploads, only examining submissions manually if they’re reported as problematic.

Social media users noted that many of those who downloaded the tool gave it negative reviews that mentioned the advert-displaying tabs.

Nevertheless, the fraudulent software maintained a four-star rating out of five.

Since 2013 Google has made extensions available only from the official Chrome Web Store in order to improve security, but has had difficulties keeping even that repository clear of malicious code.

In August researchers Proofpoint reported hackers had installed malicious code in a number of legitimate extensions after obtaining access to their developers’ Google accounts. The incident allowed the attackers to hijack the web traffic of those extensions’ users. Proofpoint didn’t identify which extensions were compromised.

In 2015 a malicious extension masquerading as a screenshot utility was also found to be listening in on users’ traffic.

Do you know all about security in 2017? Try our quiz!