
Over 37,000 Chrome users install fake AdBlock Plus extension


Screenshot: SwiftOnSecurity

An unknown attacker has clearly shown that it is possible to get an extension with a strange name and a strange logo into the official Google Web Store extensions directory, and then attract tens of thousands of users through search engine optimization and keywords. The fake AdBlock Plus extension has nothing to do with the original AdBlock Plus. Nevertheless, as of the evening of October 9, 2017, 37,477 users had installed it before it caught the attention of SwiftOnSecurity security experts, who made the information public. Only then did Google notice the fake and remove it from the directory.

The fake extension had been in the directory for at least two weeks: the first reviews are dated September 26, 2017. As the screenshot shows, users complain that immediately after installation third-party advertising appeared in the browser and new tabs began to open on their own.


Screenshot: SwiftOnSecurity
Apparently, the attackers took the promotion of the new extension seriously. It has a decent rating of four stars from 158 ratings. It is unlikely that real users gave the fake high marks, so the rating was probably inflated artificially. At first glance the fake is hard to recognize: the number of installations is large, the rating is high, there are more than a hundred reviews, and the developer's name is "Adblock Plus". All in all, the scammers did their work well.

Even if we assume that extensions are accepted into the Web Store without careful moderation, it would be logical for Google to run at least an automatic check for identical extension names. In theory, if an extension bearing another extension's name tries to get into the directory, it should be blocked without discussion, especially if the name coincides with one of the most popular extensions. As a compromise, one could block extensions whose names coincide with the names of the 100 most popular extensions in the catalog.

The same problem exists with applications in the Google App Store. There it would be logical to extend the limit on duplicate names to 1000 applications, that is, 100 in each category. These would be, so to speak, "elite" applications and extensions that are subject to automatic "brand protection". The point is not the protection of intellectual property, but the protection of users who search for applications and extensions by well-known names and may become victims of fraudsters promoting malicious programs with these keywords.

Even a simple block on names would clear the Google Web Store of a multitude of bogus extensions. Right now there are dozens of "ad blockers" that block nothing at all or simply replace one ad with another, yet have the words "AdBlock" or "uBlock" in the title (or even both, to be safe).



Another potential hole in the extension system of the Chrome browser is that the user cannot disable automatic updates of already installed extensions. So even a decent and respectable extension can turn into an advertising spammer after an update. They say that some developers even make money on this: they create a useful extension, build up a user base, and then sell it.

The creators of the original AdBlock Plus are not to be envied in this story. Unlike the competing uBlock, the developers of AdBlock Plus already run a dubious business, taking payment from sites that want to be included in the "white list", where advertising is not blocked. That is, AdBlock Plus already had a tarnished reputation, and now it has deteriorated even further through someone else's fault. Many deceived users express their dissatisfaction in the comments on the original AdBlock Plus, although it has nothing to do with this scam.

In 2015, Google blocked the simple installation of Chrome extensions from third-party sites. Installation remains possible only from the official catalog; other extensions require special permission. The stated reason at the time was the protection of users from malicious extensions, and the measure really did have an effect. But now we see that the attackers have managed to adapt and have found ways to get into the official directory. Moreover, they have found ways to fraudulently obtain permission to install malicious extensions from third-party sites. That is what happened in the case of a clever phishing attack with a hidden installation of a malicious extension called "Google Docs" from "Evgeny Pupov".

Source: https://habr.com/ru/post/357434/

