Criminals are targeting Google's Chrome Web browser, buying up popular plugins and then modifying them to display ads, track users, and deliver malware.
This is a worrying development for enterprises, which may find their users and data exposed to malware, despite exercising control over browser deployment. Parallel developments in malicious advertising make this a particularly dangerous situation, with adware, spyware and malware exposure accelerating.
Browser plugins in the crosshairs
For years, users (and IT departments) have been plagued with malicious browser add-ons: Internet Explorer toolbars were a notorious source of desktop support headaches. Now the focus is shifting to a new battleground, with new tactics. Browser extensions are a popular way to add functionality to a Web browser, such as quickly sharing an open page with social networks, managing passwords, or blocking ads. Most are legitimate, and many have user bases numbering in the millions.
Google's Chrome is a tempting target because its automatic update facility allows an extension author to push new code to its users. Provided it doesn't require additional permissions, the users will be unaware of the change. This allows an attacker to purchase the plugin from the original developer, add malicious code, and deploy it automatically.
One of the most common modifications adds tracking code, reporting a user's Web browsing habits. Numerous extension authors report being approached by tracking companies asking for tracking code to be added, and willing to pay top dollar for such data. If that fails, buying the entire project outright, putting it under control of the tracker, is the last resort.
Another common attack is to insert advertising into pages, often replacing existing ads with new ones, gaining revenue for the extension's controller. Google's terms and conditions explicitly forbid this practice, but that does little to deter the criminals.
And this is particularly dangerous when coupled with another attack vector on the rise: malicious ads. Subverted extensions are commonly used to promote fake anti-virus, displaying a warning message that possible infection has been detected and prompting the user to download a software remedy. That software then requests payment for a full cleanup or installs further malware of its own.
Even if the plugin author intends to display only innocent ads, these too can be subverted to attack users.
Malvertising
Ad networks are being targeted to deliver malware already. Yahoo experienced a high-profile subversion of its ad network earlier this year, DailyMotion fell victim a few days later, and then local news site Mail and Guardian experienced a similar attack. Ad networks are a popular target for criminals, offering a wide audience of targets.
Coupled with trusted browser extensions, able to update code at will and able to inject ads (or any material) into any page, and you have an ideal malware delivery vehicle.
The author of the popular "Honey" extension explained the process in great detail, claiming to have been approached by several suspicious potential buyers. While he rebuffed those approaches, others are not so reluctant. If anything, the problem is likely to grow: there are many avenues for abuse, such as cloning a popular extension (trivially easy since the extensions are self-contained) and promoting it until a sellable userbase is achieved.
Like browser, like phone
Ad networks have also been targeted on Android phones, with proof of concept attacks demonstrating how phone ad networks can be subverted to deliver malware or steal information. There are similarities here: like the browser extensions, many phone apps request overly broad access to the host device, are able to update code on the fly, can be transferred to a malicious third party without the user's knowledge, and expose a broad audience of potential victims. Although several platforms were shown to be vulnerable, Android's more trusting approach leaves it more open than most.
Not for nothing is Android the target of 99% of mobile malware, and while that figure is massively overblown (the vast majority of the malware is in third party stores, for example) the fact is that the platform is more open to abuse than its competitors.
Fighting for control
Google has started taking steps to address these problems. At the end of 2013, Google announced that Chrome will ban non-store hosted apps in an attempt to curb malware. The company has begun removing apps from the Chrome Web store if they are found to deliver malware. New policies mandate that apps must focus on delivering only specific functionality. But the game of whack-a-mole may not be one Google can win - further investigations have revealed numerous extensions which are tracking users, injecting ads or delivering malware.
A ground-up rethink may be required, and not just on Chrome. Android has already received capabilities to control individual permissions for apps (a feature iOS has offered for years), but it is not yet exposed to most users since the result is expected to be disruptive to the end-user experience: too many apps have come to rely on that broadly permissive approach. If that sounds reminiscent of the bad old days of Windows and IE, you would not be the first to draw the comparison.
Not just Google
Chrome and Android are under the spotlight but to be fair the problem is not limited to Google - IE was a popular target for years, with toolbar infestations galore. Many malicious Firefox extensions have been reported. The mobile phone ad-network subversion showed several vulnerable platforms. Malware purveyors are adept at identifying new channels, or reinventing old ones.
But Google has been showing a na"ive trust in developers: the same trust which pervades its Android app store, and the same lack of trust which prompted Apple to lock down its app store so rigorously and BlackBerry to mandate its own ad delivery mechanism for apps. That trusting openness runs through several of Google's products, and the growing patterns of abuse are prompting a bottom-up rethink of policies.
For enterprise security operations, controlling browser extensions is a particularly nasty headache, since the extension you vet and approve today may be sold to a malware author tomorrow. It is also a headache for developers: the ad networks you build into your apps or Web sites may be induced to attack your users.
Share