Chrome Web Store FAIL: 300+ More Scam Browser Extensions

A researcher has found more malware in Google’s store. This is supposed to be the place where Google publishes vetted browser extensions.

Obviously, that vetting’s not working. And the two processes for reporting bad extensions are also broken.

It’s not as if Chrome was in any way important or widely used. In today’s SB Blogwatch, we’re suitably sarcastic.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Rethinking airline safety announcements.

GOOG Asleep at the Switch

What’s the craic? Catalin Cimpanu reports—“Chrome extensions caught hijacking … search results”:

 More than 80 million Chrome users have installed one of 295 Chrome extensions that hijack and insert ads inside Google and Bing search results. [The] extensions loaded malicious code from the fly-analytics.com domain, and then proceeded to quietly inject ads.

The [researcher] also details additional bad practices on the Chrome Web Store, such as store moderators allowing a large number of copycat extensions to clone popular add-ons, capitalize on their brands, reach millions of users, while also containing malicious code that performs ad fraud or cookie stuffing.

When Google removes an extension from the Chrome Web Store for malicious activity, the extension is also disabled in users’ browsers and marked as “malware” in Chrome’s Extension section. [But] users still have to manually uninstall it.

And Venkat Eswarlu independently finds one—“Popular Chrome Screenshot Extension is injecting Ads”:

 If you’ve installed an ad-blocking extension and are still noticing ads on the Google Search results page in Chrome, that probably has to do with extensions you’ve installed. … Google Chrome extension “Screenshot & Screen Capture Elite,” with over 1 million user installs, is reportedly injecting ads into Google Search results pages.

Recently posted reviews by users reveal what the extension is doing behind the scenes. … A user left a comment two days ago with the message, “This extension will add unrelated ads on top of your Google search results.”

The extension has been reported [but] is still on the Chrome Web Store. If you’re using the extension, uninstall it immediately.

[It] is also available on the Edge add-ons Store with a different icon and another publisher name, but it is the same extension.

Who discovered them? AdGuard’s Andrey Meshkov tells us how to report the problem to Google:

 Click the ‘Report abuse’ button and … you guessed it, nothing gets done. These extensions keep occupying top positions in the Store and doing their dark deeds. … The problem with that button is that it doesn’t lead to any result.

Last year Google included Chrome extensions into their bug bounty program. … My report on extensions from the first group was accepted … however, three weeks have already passed since then. Most of these extensions are still available … and there’s no reaction from Google.

There are three distinguishable groups of browser extensions.

  1. An entire cluster of 295 extensions with over 80 million users combined (although I suspect that this number is in part caused by bots). These extensions use a very inventive way to insert ads into Google’s search results. … It loads an image from lh3.googleusrcontent.com … this domain has nothing to do with Google. … This loaded image has ads ‘coded in’ [with Steganography], and it tries to insert these ads.
  2. Extensions that are involved in … ‘cookie stuffing’ and ‘ad fraud’ … silently setting special “affiliate” cookies … so when the user makes a purchase, the extension’s owner will be paid a commission … They even reuse the same code! … It’s a pity that Google … can’t automatically weed out such browser extensions.
  3. Spam extensions that are like time bombs. … Fake clones of popular extensions with an undeniably cheated number of active users. … They can start doing some shady stuff at any second. … I couldn’t even count them all.
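The first group above hinges on a lookalike domain: lh3.googleusrcontent.com is one character away from Google’s real lh3.googleusercontent.com, which is easy to miss in a manual review. The script below is an added example (not AdGuard’s tooling, and not code from the post) showing one defensive check a reviewer can run over an unpacked extension’s source before installing it: pull every host referenced by a URL, reduce it to a registrable domain, and flag domains within a small edit distance of a trusted brand domain as lookalikes. The TRUSTED set, the two-label registrable-domain rule, the edit-distance threshold of 2 and the SAMPLE_SOURCE snippet are all assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Assumed allow-list of brand domains the extension is expected to talk to.
# A real reviewer would derive this from the extension's stated purpose.
TRUSTED = {"googleusercontent.com", "google.com", "bing.com"}

# Lookalikes within this many single-character edits of a trusted domain are flagged.
LOOKALIKE_THRESHOLD = 2

# Constructed sample of extension JavaScript, modelled on the behaviour the post
# describes: one request to the typosquat, one to fly-analytics.com, one legitimate.
SAMPLE_SOURCE = """
const img = new Image();
img.src = "https://lh3.googleusrcontent.com/ads/banner.png";
fetch("https://fly-analytics.com/config.json");
fetch("https://lh3.googleusercontent.com/real.png");
"""

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def levenshtein(a: str, b: str) -> int:
    """Classic single-row dynamic-programming edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive last-two-labels rule (assumption: does not handle suffixes like co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def extract_hosts(source: str) -> List[str]:
    """Return the distinct hosts referenced by http(s) URLs, in order of first appearance."""
    seen, hosts = set(), []
    for host in URL_HOST_RE.findall(source):
        host = host.lower()
        if host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts


def classify_host(host: str) -> Tuple[str, str]:
    """Return (verdict, reason) where verdict is 'trusted', 'lookalike' or 'untrusted'."""
    domain = registrable_domain(host)
    if domain in TRUSTED:
        return "trusted", f"{domain} is on the allow-list"
    # Find the closest trusted domain; a near-miss is the typosquat signature.
    closest = min(TRUSTED, key=lambda t: levenshtein(domain, t))
    distance = levenshtein(domain, closest)
    if 0 < distance <= LOOKALIKE_THRESHOLD:
        return "lookalike", f"{domain} is {distance} edit(s) from {closest}"
    return "untrusted", f"{domain} is not on the allow-list"


def assess_source(source: str) -> List[Tuple[str, str, str]]:
    """Classify every host referenced in an extension source file."""
    return [(host, *classify_host(host)) for host in extract_hosts(source)]


if __name__ == "__main__":
    for host, verdict, reason in assess_source(SAMPLE_SOURCE):
        print(f"{verdict:10} {host:32} {reason}")
```

Run over a real unpacked extension you would feed it the concatenated contents of manifest.json and every script file; anything reported as lookalike deserves a closer look regardless of how many users the store page claims, which is precisely the signal the review counts above turned out not to provide.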

Flame on! Required Snark needs to be excoriating:

 It’s clear from the discovery that Google has zero interest in protecting Chrome users. [The] extensions … are all simple, and they all hijack results. How hard can this be to find?

The only possible conclusion is that Google only cares about the data they collect and if someone else rips off their users, so what?

Where are the PR spokesdroids? Jake Moore is ESET’s rent-a-quote: [You’re fired—Ed.]

 Browser extensions can be extremely useful and come with thousands of benefits. But you should remain cautious when you download anything.

Being vigilant about extensions usually means reading the reviews and checking how many downloads there have been. But in many cases this still isn’t enough. … Google can’t ever guarantee 100% security on all of its third-party add-ons, so you must be careful and reduce excess access to your machine and your data.

But wait: why isn’t Google policing it better? This Anonieme Bloodaard is lost in translation:

 Shouldn’t the average consumer have complete confidence in the offered extensions … in the Google Store? Surely you cannot expect a non-technical consumer to judge for themselves whether something is legitimate?

This was once the added value of an App Store: that there is control over what comes up, so that it would be a safe source, versus manually downloading. … Unfortunately the reality is different.

Is there a better way? jellomizer spits out the Kool-Aid:

 Apple’s infamous walled garden approach unfortunately is currently the safest model for consumers. In which products can get rejected if they don’t meet Apple’s guidelines.

This does suck as there’s software you may want to get—such as emulators—that Apple will not allow. But the products you do get off of Apple tend to work rather well and not damage your device as often.

But I thought crowds were wise. People are dumb, thinks d0x360:

 Years ago I would use the number of users to help determine if something was safe—of course this was when fake extensions or damaging ones were more rare. Then I remembered most people online are dumb, [so] that wasn’t a good way to determine anything.

I’ve got a few extensions that I’ve been using for years now. I always tested them in a VM to make sure they actually did as claimed but even that isn’t enough.

Google needs to gut the extension system and fix as many of its security issues as possible.

Meanwhile, fustakrakich is frustratedich:

 Do adults actually download that ****?

And Finally:

Honesty is the best policy

Warning: Naughty words beginning with S, F and C.

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Kirill Makarov (cc:0)


Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
