20 million Chrome users downloaded fake ad blockers

Read time 3min 30sec
AdGuard uncovers fake adblockers
AdGuard uncovers fake adblockers

Twenty million Chrome users have been tricked into downloading and installing fake ad block extensions.

This is according to researchers at AdGuard, a Moscow-based vendor of ad-blocking and anti-tracking technology that uncovered the fake ad blockers.

AdGuard claims the Google Chrome ad block extensions are rip-offs of legitimate ad blockers that threat actors have embedded with malicious code to spy on users' browser activity.

Spam keywords

In order to get users to install the illegitimate ad blockers, the authors of the extensions used spam keywords and names that sound similar to popular, legitimate extensions, such as `Adblock Plus Premium' and `Adguard Hardline'. This also caused them to rank higher in Web searches.

Upon scrutiny of the five most popular fake extensions, AdGuard researchers said the least popular extension was downloaded approximately 30 000 times, and the most popular, over 10 000 000 times. In total, more than 20 million Google Chrome browsers were infected.

Following the report, Google removed the fake extensions, which were disabled on Chrome instances with them installed.

A 'massive' botnet

The most popular of the fake ad blockers was AdRemover for Google Chrome, which essentially put a massive botnet of infected browsers at its authors' disposal.

Speaking of how AdRemover works, Andrey Meshkov, co-founder of AdGuard, says it hides malicious code inside a well-known javascript library, which sends information about some of the Web sites the user visits back to the author's server. It receives commands from the command centre remote server, and in order to avoid detection, these commands are hidden inside a harmless-looking image.

However, he says, these commands are scripts that are then executed in the privileged context and can change the user's browser behaviour as it chooses.

"Basically, this is a botnet composed of browsers infected with the fake ad block extensions. The browser will do whatever the command centre server owner orders it to do," he adds.

According to him, the main issue is that extensions aren't thoroughly vetted by the Chrome Web Store.

A matter of trust

Weston Henry, lead security analyst at SiteLock, says browser extensions are sensitive little pieces of software. "Once installed, an extension can introduce vulnerabilities into the browser or system, collect and change a user's browsing data, or be compromised itself."

Henry says users should vet extensions by verifying the developer is reputable and responsive, and that the extension's description and presentation are professional with proper language use. "Reviews and recommendations from reputable tech sites are a valuable resource to help vet extensions."

Extension security is about trust, adds Henry. "A secure extension will use the minimum permissions required to function. However, that could still mean complete visibility of a user's browsing data. Like so many other parts of our lives, we put trust in the people and systems with which we interact. Users must practise the same discernment with other systems as they do when using the Internet."

A 'close relationship'

Andrew Proctor, VP of Operations and IT at OpenVPN, agrees. "Ad blockers have a very 'close relationship' with the Web browser. They can typically see the actual data you load in your Web browser and purposely manipulate pages loaded in Chrome to remove ads and trackers."

Fake ad blockers can typically manipulate pages in any manner they want and can inject any type of content they choose, be it malware, clickjacking scripts, or similar. "Users of ad blockers can better vet the ones they use by checking to see if they are open source, who the developers are and track the history of the developers/companies developing them," concludes Proctor.

Login with