Extensions are popular among users of Google Chrome, Microsoft Edge, and other web browsers. These programs, which are often free, let users personalize and add new features to their browsers. However, extensions are also popular among cybercriminals. They like to offer free ones that are laced with malicious code. Hackers often clone a legitimate extension, add malicious components to it, and peddle the counterfeit program through online stores such as the Chrome Web Store. To help get their bogus program high in the store’s search engine results, they spam keywords in the extension’s description.
The April 2018 discovery of fake ad blockers in the Chrome Web Store highlights just how effective this ploy can be. More than 20 million people downloaded three malicious ad blockers from the store, according to the security researchers who discovered them.
After the researchers notified Google about the bogus ad blockers, Google pulled them from the Chrome Web Store. The three malicious ad blockers removed were:
- AdRemover for Google Chrome (downloaded by more than 10 million people)
- uBlock Plus (downloaded by more than 8 million people)
- Adblock Pro (downloaded by more than 2 million people)
In the case of the bogus AdRemover extension, researchers found that it tracked the websites users were visiting and sent the data back to the hackers. Even worse, cybercriminals were able to send commands to the program, which the browsers executed in a privileged context. As a result, the browsers did whatever the hackers ordered it to do.
How to Avoid Malicious Extensions
While the three fake ad blockers have been removed from the Chrome Web Store, many other malicious programs are likely lurking in it and other stores offering extensions. For this reason, security experts recommend not installing any extensions.
If that’s not an option, you should thoroughly research any extension you want to download. As the bogus AdRemover program demonstrates, fake extensions can be found in well-known stores (Chrome Web Store), be very popular (more than 10 million downloads), and be high in search engine results (No. 2 spot in the store’s search engine results). For this reason, you should find out and investigate the developer of any extension you want to use. If you do not trust the developer, do not install the extension.
Even checking out the developer is not foolproof. The developer might sell the extension to another person, who might then add malicious code. That is what happened with the YouTube+ extension, a simple tool that was initially designed to let users customize some of YouTube’s features. The extension’s developer sold it to a company, which changed the name to Particle. But that is not the only change the company made. It added new privileges and a new folder containing malicious code that turned the extension into adware. The company then released an update, which uploaded the changes to users’ extensions. Users were never notified about the extension having a new owner or the kind of changes made by the update.
What to Do If You Downloaded an Ad Blocker
While some media outlets are reporting that Google has remotely removed the counterfeit extensions from users’ Chrome web browsers, Google has not officially confirmed or denied this. So, if you downloaded an ad blocker from the Chrome Web Store, it is a good idea to make sure it is a legit one.
A good place to start is to see whether an ad blocker is listed on the Extensions page in your Chrome web browser. Open your Chrome web browser and follow these steps:
- Click the three vertical dots in the upper right corner.
- Select “More tools”.
- Click “Extensions”.
If you see an ad blocker listed on the Extensions page, you might consider investigating it, even if its name does not match any of the three previously listed. Other fake ad blockershave been found. Plus, some counterfeit ad blockers likely haven’t been discovered since these programs often work as advertised so people do not suspect that malicious code is running in the background. We can help you investigate your ad blocker or any other extension you have installed in your browser to make sure it is safe to use.