Chrome Extension Add-ons That Are Malicious And Hard To Remove


One Chrome extension has called into question Google’s practice of leaving malicious add-ons available for download long after they have been reported.

Media reports have revealed that Google Chrome, for all its popularity, lets people install extensions that are malicious.

And incredibly hard to remove.

Some security experts feel that it is almost impossible to remove this type of malicious Google Chrome extension by hand.

There is no doubt that Google Chrome is a highly secure web browser.

In fact, apart from Mozilla Firefox, few browsers come close to Google Chrome in terms of security.

But even so, extensions remain Chrome’s Achilles’ heel.

Malicious extensions keep proving that even if Chrome is the most secure browser on the market, it still has its flaws.

And the biggest of those flaws comes in the form of malicious extensions.

Now a researcher has documented a particular malicious Chrome extension that tricks users into installing it.

Once installed, the extension lodges itself deep in the user’s system.

According to the researcher, it is almost impossible for users to uninstall the extension manually.

Until last Wednesday, Google’s servers were still offering the extension for download.

So what’s wrong with that?

Nothing.

Except that, by the researcher’s account, the extension had been privately reported to Google’s security team about 19 days earlier.

The researcher also pointed out that once installed, the extension, named “Tiempo en colombia en vivo,” prevented users from reaching the list of installed extensions.

It did this by redirecting every request for chrome://extensions/ to chrome://apps/?r=extensions.

As most Chrome users know, chrome://extensions/ is the page that lists every extension installed in the browser.

The same page is where users uninstall extensions.

It also lets users temporarily disable an extension, which is why hiding it is so effective at keeping the extension in place.

Pieter Arntz, a researcher at Malwarebytes, told reporters that he tried several different workarounds to get rid of the extension.

All of them failed.

Arntz said he tried disabling JavaScript in the browser, but that didn’t work.

He also restarted Google Chrome with all extensions disabled.

That didn’t work either.

Arntz then tried renaming the folder where Chrome stores its extensions.

That didn’t give the desired result either.

Arntz said removing the extension proved very difficult.

Too difficult, in fact.

In the end he saw no option but to advise affected users to run the free version of Malwarebytes.

After installing Malwarebytes and running a scan, according to Arntz, the product removes the add-on automatically.

Arntz tested the extension further by installing it on a test machine.

He observed that his Chrome browser spontaneously started clicking on more than a dozen YouTube videos.

This indicated that the extension could be used to inflate the view count of any YouTube video.

It is worth mentioning that Arntz has not ruled out other malicious activities the extension could carry out.

Why? Because the extension contains a huge amount of obfuscated JavaScript.

Arntz found a comprehensive analysis of the extension too time-consuming.
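The redirect away from chrome://extensions/ and the heavily obfuscated JavaScript described above are both things an analyst can look for statically before installing a suspect extension. The following Node.js script is an added example, not code from the Malwarebytes write-up or from the extension itself: it triages an unpacked extension’s files for the permission and API calls an extension would need to redirect the extensions page (the `tabs` permission plus `chrome.tabs.onUpdated` and `chrome.tabs.update`, which is an assumption about how such a redirect would be built, since the article does not say which API Tiempo en colombia en vivo used) and applies a few crude obfuscation heuristics. The sample manifests and background scripts are constructed for this example, and the extension names in them are hypothetical.

```javascript
// Added example: static triage of an unpacked Chrome extension for the two
// traits discussed above (hiding chrome://extensions and heavy obfuscation).
// Not code from the Malwarebytes write-up or from the extension itself.

// Constructed sample: a hypothetical extension (name invented) that hijacks the
// extensions page the way the article describes and ships obfuscated code.
const SUSPECT_EXTENSION = {
  'manifest.json': JSON.stringify({
    manifest_version: 2,
    name: 'sample-weather-widget', // hypothetical name
    version: '1.0',
    permissions: ['tabs', '<all_urls>'],
    background: { scripts: ['bg.js'] },
  }),
  'bg.js': [
    // Assumed mechanism: watch every tab navigation and bounce the settings page.
    'chrome.tabs.onUpdated.addListener(function (tabId, info, tab) {',
    "  if (tab.url && tab.url.indexOf('chrome://extensions') === 0) {",
    "    chrome.tabs.update(tabId, { url: 'chrome://apps/?r=extensions' });",
    '  }',
    '});',
    // Typical obfuscator output: hex-named arrays, hex escapes, eval.
    "var _0x1f3a=['\\x68\\x74\\x74\\x70','\\x73\\x72\\x63'];" +
      'eval(String.fromCharCode(97,108,101,114,116));',
  ].join('\n'),
};

// Constructed benign sample for comparison (name invented).
const BENIGN_EXTENSION = {
  'manifest.json': JSON.stringify({
    manifest_version: 2,
    name: 'sample-notes', // hypothetical name
    version: '1.0',
    permissions: ['storage'],
    background: { scripts: ['bg.js'] },
  }),
  'bg.js': 'chrome.storage.local.set({ installedAt: Date.now() });',
};

// Source-level indicators. With the "tabs" permission an extension can read
// the URL of every tab, chrome:// pages included, and rewrite it with
// chrome.tabs.update; a reference to chrome://extensions shows intent.
const REDIRECT_INDICATORS = [
  { id: 'ref-chrome-extensions', re: /chrome:\/\/extensions/ },
  { id: 'tabs-onupdated', re: /chrome\.tabs\.onUpdated\.addListener/ },
  { id: 'tabs-update', re: /chrome\.tabs\.update\s*\(/ },
];

// Crude obfuscation heuristics; the weights are arbitrary and meant for
// ranking candidates, not for a verdict on their own.
function obfuscationScore(src) {
  const hexEscapes = (src.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
  const hexIdents = (src.match(/\b_0x[0-9a-fA-F]{2,}\b/g) || []).length;
  const dynamicEval = (src.match(/\beval\s*\(|new\s+Function\s*\(|String\.fromCharCode/g) || []).length;
  const longLines = src.split('\n').filter((l) => l.length > 500).length;
  return Math.floor(hexEscapes / 5) + hexIdents * 2 + dynamicEval * 2 + longLines * 3;
}

// Returns the list of findings plus a verdict on whether the extension has
// everything it needs to hide chrome://extensions from the user.
function triage(files) {
  const manifest = JSON.parse(files['manifest.json']);
  const perms = new Set(manifest.permissions || []);
  const findings = [];
  if (perms.has('tabs')) findings.push('perm:tabs');
  for (const [name, src] of Object.entries(files)) {
    if (!name.endsWith('.js')) continue;
    for (const ind of REDIRECT_INDICATORS) {
      if (ind.re.test(src)) findings.push(`${name}:${ind.id}`);
    }
    const score = obfuscationScore(src);
    if (score >= 4) findings.push(`${name}:obfuscated(score=${score})`);
  }
  const has = (suffix) => findings.some((f) => f.endsWith(suffix));
  const hidesExtensionsPage =
    perms.has('tabs') && has(':ref-chrome-extensions') && has(':tabs-update');
  return { findings, hidesExtensionsPage };
}

console.log(JSON.stringify(triage(SUSPECT_EXTENSION), null, 2));
console.log(JSON.stringify(triage(BENIGN_EXTENSION), null, 2));
```

Run it with `node triage.js`. The verdict deliberately requires all three pieces (the permission, the reference to the extensions page, and a call that rewrites a tab’s URL) so that an extension that merely mentions chrome://extensions in a help text is not flagged; the obfuscation score is a ranking aid, since legitimate minified code can also trip it.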

However, the researcher did publish additional details on the extension last Thursday, in a blog post.


The Chrome extension that the researcher found to be malicious was Tiempo en colombia en vivo.


Google took its time removing the extension.

By the time it did, the add-on, Tiempo en colombia en vivo, had racked up more than 11,000 installs.

Only then did Google notice the extension and decide to remove it.

According to the researcher, the extension may have found its way onto many more computers than that figure suggests.

Why? Because attackers are using new techniques to get malicious code onto people’s machines.

A great many abusive websites use a technique that tricks inexperienced internet users into installing malicious extensions.

Back in the latter half of 2016, Malwarebytes explained in a blog post that abusive websites were using forced-install tricks.

These tricks use JavaScript to open a dialog box in the browser telling visitors that they must install a particular Chrome extension before the site will let them leave the page.

If the user tries to close the tab or clicks cancel, the page produces an unending series of dialogs carrying the same message with subtle variations.

Arntz also said that he reported the extension to Google privately.

He did so on December 29.

Despite that, Google left the extension available for download in the official Chrome Web Store until last Wednesday.

The researcher added that he had found a similar Firefox extension that resisted all user attempts to uninstall it.

In that case, though, he found a way to bypass the uninstall block relatively easily.

Arntz said he had seen no indication one way or the other of whether Mozilla’s add-ons site had ever offered the Firefox extension.

Malwarebytes isn’t the first security firm to report findings on malicious Chrome extensions.

Its findings came just a couple of days after another security firm, ICEBRG, unearthed four other malicious Chrome extensions.

Those extensions had racked up more than 500,000 downloads.

All of those downloads came through the official Chrome Web Store.

ICEBRG found that the extensions were being used in a sizeable click-fraud scheme.

That is not all.

The company’s researchers also said attackers could easily have used the same extensions to launch far more damaging attacks.

Google did remove the extensions.

But, again, only after ICEBRG reported them to Google privately.

Ars Technica reporters emailed Google last Thursday with several questions about the revelations.

The questions were as follows:

  • Is the information in Malwarebytes’ blog post accurate?
  • If it is, why did it take Google around 19 days to notice and remove the malicious extension from the Chrome Web Store?
  • The researcher who studied the extension determined that it could inflate the view counts of YouTube videos, and said that the amount of obfuscated JavaScript it contained kept him from determining whether it also spied on users or carried out other malicious activity. Has Google looked into whether that is true, and has it analyzed the extension to see what it actually did to users and their computers?
  • What has Google done to notify users who already installed the extension, and has it given them any help removing it?
  • Has Google asked its developers to redesign the Chrome Web Store so that abusive or malicious extensions can be removed more easily?
  • What is Google doing to prevent abusive and malicious extensions from being offered in the Chrome Web Store in the future?

A Google spokeswoman did respond after Ars Technica sent those questions.

The statement said the company had automatically removed the extension Tiempo en colombia en vivo.

It said Google had also removed an extension called Play Red Bull version 4.

Both extensions, the statement said, had also been removed from affected users’ machines.

The statement added that Google considers security a core tenet of Chrome.

Because of that, the browser automatically blocks thousands of abusive and malicious extensions every month.

The spokeswoman also acknowledged that the extension was difficult to remove manually.


Google was slow to remove the extension.

As for why it was hard for users to remove, the spokeswoman pointed to its logo.

The extension had a square logo that used the same color scheme as Chrome’s toolbar.

Because the colors were identical, users could not easily see the extension’s icon next to the Omnibox.

The toolbar beside Chrome’s Omnibox is where extension icons appear, and right-clicking an icon there is one way users remove extensions they don’t want.

The spokeswoman did not address the other questions Ars Technica had sent.

The company did not do so either on the record or on background.

Company officials usually prefer to communicate with reporters on background.

They do so because it protects them from being quoted or named by the publication.

More On The Malicious Chrome Extension

James Oppenheim, who edits a children’s games review site, emailed Ars Technica to report another malicious Chrome extension.

He reported that the Chrome Web Store had not removed it, just as it had been slow to remove Tiempo en colombia en vivo.

James also said he had tried to get Google to remove it.

After receiving James’s permission to publish his emails, Ars Technica reported on the issue as well.

James had written to Ars Technica in response to its piece on the subject.

He told Ars Technica that he covers family technology for his site, jamesGames.com.

James has apparently contributed to the Today Show and appeared on SiriusXM as well.


Since the mobile versions of Chrome do not support extensions, Android and iOS users are not exposed to this particular problem. Yet.

He added that about eleven days before writing to Ars Technica, he had received an offer to buy an extension of his.

The extension was called Play Red Bull version 4.

A man from India by the name of Ganesh had sent him the email.

The only problem, and the thing that caught James’s eye, was that he had never written an extension.

James initially ignored the email, thinking it was just a spam message gone wrong.

So he did not respond.

Ganesh, however, turned out to be quite persistent.

By the third email, James felt Ganesh was taking on an insistent tone.

In other words, James realized the email wasn’t really spam.

It was human-generated.

So James searched Google for the extension he had supposedly written.

He found a Chrome extension by that name.

It was a game.

More interestingly, the extension’s name was similar to those of many of his children’s software applications.

James clicked through to the extension’s page.

Sure enough, the page listed his site as the extension’s official website.

It also named “James Extensions” as the developer.

And again it linked to James’s official website.

The extension had a four-out-of-five-star rating on the Chrome Web Store.

But when James read the comments, it was clear that the program was actually malware.

It then appeared to James that whoever published the extension knew a lot about him.

Enough to know what James did for a living.


The Chrome extension in question affected many more users than the researcher originally thought.

Presumably, whoever published the extension hoped that attaching James’s name to it would earn it more trust on the Chrome Web Store.

James left a comment on the extension’s page.

He then wrote to Google about the problem.

He reported the extension via the store’s reporting button.

He asked Google to take the extension down.

At the very least, James asked Google to remove his site’s address from the extension’s page.

A week passed with no progress.

He didn’t even receive a response.

James told Ars Technica that when he checked again a couple of weeks later, the Chrome Web Store was still offering the extension.

By then the extension had reportedly racked up around 27,000 users.

At least, that is what its store page said.

James wrote to Ars Technica that he wondered how seriously Google took complaints submitted through the Web Store’s reporting button.

He also said he couldn’t find an easy way to reach anyone at Google who could act on it.

Finally, James asked Ars Technica to help by getting a story out on the issue.

James still had not responded to Ganesh’s proposal.

He also wondered whether Ganesh’s offer was legitimate at all.

Or whether it was just a way to get James to look at the malicious extension’s page.

Maybe Ganesh wanted James to see that the extension used his name.

And maybe he hoped James would pay him to remove it.

Of course, there is always a chance that James was being paranoid about the whole situation.

But that doesn’t change the fact that James had a bizarre experience.

Conclusion

Google would, of course, defend itself by pointing out that Chrome is the internet’s most widely used browser and one of its most secure.

Because of that, attackers target it more than any other browser.

Moreover, the number of Chrome users who actually wind up installing these malicious add-ons represents only a small portion of the overall user base.

That doesn’t change the message, though.

Chrome does have an industry-leading security sandbox.

It is also the quickest of the major browsers to ship security updates.

Despite all that, its extension ecosystem remains its key weakness.

 

Zohair

Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.