Security researchers at AdGuard recently revealed some interesting findings regarding the use of fake ad block extensions. There is evidence that some twenty million Chrome users have been tricked into downloading and installing rogue browser extensions concealed as ad blocking software.
What AdGuard has discovered is that the majority of ad blockers for Google Chrome are in fact rogue rip-offs of legitimate apps. These rip-offs are embedded with malicious code with the sole purpose of spying on users.
Chrome Web Store Flooded with Fake Ad Block Extensions
How are attackers succeeding to full so many users? The authors of the fraudulent extensions used spam keywords and names that are close to the names of legitimate extensions. Examples are Adblock Plus Premium and Adguard Hardline. This is how the researchers explained it:
It’s been a while since different “authors” started spamming Chrome WebStore with lazy clones of popular ad blockers (with a few lines of their code on top of them). That’s how users could end up installing some “Adguard Hardline” or “Adblock Plus Premium” or something like that. The only way of fighting this stuff is to file a trademark violation abuse to Google, and it takes them a few days to take a clone down.
According to this research, the least popular of these rogue extensions was downloaded at least 30,000 times. As for the most popular one, the numbers are staggering – more than 10 million times. The total of all such downloaded cases is approximately 20 million, meaning that 20 million Chrome browsers on users’ computers were affected in one way or another.
The most popular of the fake adblocking extensions is AdRemover for Google Chrome. The extension created a huge botnet of infected browsers which attackers could use as they pleased.
This is not the first case of rogue ad block extensions found on Chrome Web Store. Not too long ago, the Web Store repository was found to feature a counterfeit AdBlock Plus extension which infected thousands of users.
According to the researchers who discovered it, a criminal collective was able to infiltrate the store to their own malware entry which mimics the original extension in a way that makes it virtually impossible to distinguish. They have resorted into using slight name changes (a capitalized “B” letter) and the same image and text description to fool the users into thinking that their copy is the legitimate software. By the time it has been reported the security experts note that the item has been downloaded more than 37 000 times.