Over 37,000 Chrome users install fake AdBlock Plus extension

Screenshot: SwiftOnSecurity
An unknown attacker has clearly demonstrated that it is possible to get into the official Google Web Store extension directory with an extension that uses someone else's name and someone else's logo, and then attract tens of thousands of users with search engine optimization and keywords. The fake AdBlock Plus extension has nothing to do with the original AdBlock Plus; nevertheless, as of the evening of October 9, 2017, it had been installed by 37,477 users before it caught the attention of the security experts at SwiftOnSecurity, who made this information public. Only then did Google notice the fake and delete it from the directory.

The fake extension had been in the catalog for at least two weeks; at least, the first reviews are dated September 26, 2017. As can be seen in the screenshot, users complain that immediately after installation, unwanted advertising appeared in the browser and new tabs began to open on their own.

Screenshot: SwiftOnSecurity

Apparently, the attackers took the promotion of the new extension seriously. It has a decent four-star rating based on 158 ratings. It is unlikely that real users gave the fake high marks, so the rating was probably inflated artificially. At first glance, the fake is hard to recognize: the number of installations is high, the rating is high, there are more than a hundred reviews, and the developer's name is "Adblock Plus". All in all, the swindlers did a competent job.

Even if we assume that extensions are accepted into the Web Store without thorough moderation, it would be logical for Google to at least check automatically for identical extension names. In theory, if an extension with someone else's name tries to get into the directory, it should be blocked without discussion, especially if the name matches one of the most popular extensions. As a compromise, Google could block extensions whose names match those of the 100 most popular extensions in the catalog.

The same problem exists with applications in the Google App Store. There it would be logical to extend the duplicate-name limit to 1000 applications, that is, 100 in each category: so to speak, "elite" applications and extensions that receive automatic "brand protection". The point is not to protect intellectual property but to protect users who search for applications and extensions by well-known names and can fall victim to scammers who promote malware using these keywords.

Even a simple name lock would clear the Google Web Store of many shady extensions. There are now dozens of "ad blockers" that block absolutely nothing or simply replace one advertisement with another, yet have the words "AdBlock" or "uBlock" in the title (or even both, to be safe).
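A sketch of the name lock proposed above, as an added example that is not Google's code or part of the original article. The protected list, the publisher IDs and the three decisions are assumptions made for illustration; sending titles that merely contain "AdBlock" or "uBlock" to manual review goes one step beyond the exact-name block the article describes.

```python
import unicodedata

# Constructed stand-in for the catalog's most popular extensions:
# display name -> publisher account that owns it (hypothetical IDs).
PROTECTED = {
    "AdBlock Plus": "pub-abp",
    "uBlock Origin": "pub-ubo",
}
# Brand words the article says junk blockers put in their titles.
BRAND_KEYWORDS = ("adblock", "ublock")


def normalize(name: str) -> str:
    """Reduce a display name to a comparison key.

    NFKC folds compatibility forms such as fullwidth letters, casefold removes
    case differences, and dropping non-alphanumerics removes spacing and
    punctuation tricks. Cross-script homoglyphs are NOT handled here.
    """
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


PROTECTED_KEYS = {normalize(n): (n, owner) for n, owner in PROTECTED.items()}


def check_submission(name: str, publisher: str):
    """Return (decision, matched_name_or_keyword) for a new listing."""
    key = normalize(name)
    if key in PROTECTED_KEYS:
        original, owner = PROTECTED_KEYS[key]
        # The same name from the rightful owner is an update, not a clone.
        return ("allow", original) if publisher == owner else ("block", original)
    for word in BRAND_KEYWORDS:
        if word in key:
            return ("review", word)  # brand word in the title: manual moderation
    return ("allow", None)


if __name__ == "__main__":
    samples = [  # constructed submissions
        ("AdBlock Plus", "pub-unknown"), ("Adblock  plus", "pub-unknown"),
        ("ＡｄＢｌｏｃｋ Ｐｌｕｓ", "pub-unknown"), ("AdBlock Plus", "pub-abp"),
        ("Super AdBlock uBlock Pro", "pub-x"), ("Tab Organizer", "pub-y"),
    ]
    for name, pub in samples:
        print(f"{name!r:30} {pub:12} -> {check_submission(name, pub)}")
```

Keying ownership to the publisher account rather than the displayed developer name matters here, because the fake in this story also displayed "Adblock Plus" as its developer.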

Another potential hole in Chrome's extension system is that the user cannot disable automatic updates of already installed extensions. So even a decent and respectable extension can turn into a distributor of advertising spam after an update. Some developers are said to even make money this way: they create a useful extension, build up a user base, and then sell it.

In this story, the creators of the original AdBlock Plus are in an unenviable position. Unlike their competitor uBlock, the AdBlock Plus developers already run a dubious business, accepting payment from sites that want to be included in the "white list", where ads are not blocked. That is, AdBlock Plus already had a tarnished reputation, and now it has deteriorated even further through someone else's wrongdoing. Many deceived users voice their dissatisfaction in comments aimed at the original AdBlock Plus, although it has nothing to do with this scam.

In 2015, Google blocked the easy installation of Chrome extensions from third-party sites. Only installation from the official catalog remained possible; other extensions require special permission. The reason given at the time was protecting users from malicious extensions, and the measure really did have an effect. But now we see that attackers have managed to adapt and found ways to get into the official catalog. Moreover, they found ways to fraudulently obtain permission to install malicious extensions from outside sites. That was the case with a clever phishing attack that covertly installed a malicious extension called "Google Docs" from "Eugene Pupov".