Imagine you need to find a malicious browser extension that disguises itself as a legit one, like an ad blocker. How would you do it? Here's a tested and trusted method:
Some fake extensions in Chrome Web Store...
...and some more of them...
...and what do you know, more of them!
Of course, somewhere along the way I click the 'Report abuse' button and let Google know about my findings. And, you guessed it, nothing gets done. These extensions keep occupying top positions in the Store and doing their dark deeds. Maybe I just need to wait more, like a month? But I'm afraid during that month a couple hundred thousands more users will get hurt.
Let's try to understand what's wrong this time.
And this time, there are three distinguishable groups of browser extensions.
And you know what else is important and relevant for most of these extensions? At any point, WITHOUT ANY UPDATES they can change their behavior and start doing whatever. The trick is they are using third-party code loaded from a remote server and controlled by their owners. This code may be changed any time, no reviews or updates are required.
Let's look deeper into each of aforementioned cases.
Here's a couple of popular examples from this group:
As you can see, authors aren't spending sleepless nights trying to come up with a witty name.
This is the most large-scale group of malicious extensions from my experience. It includes 295 extensions with total number of 80 million users if we're to believe Chrome Web Store data. This group is especially curious because of the measures they take to conceal their actions.
Note that fake ad blockers is just a small part of this group. It consists of all kinds of extensions, but the biggest part are all kinds of "wallpaper" extensions. Also, I am sure there are actually more extensions like this, and CWS team will be able to find them all.
They are perfect specimens to illustrate the 'botnet' thesis as well — they don't become malicious right away but only after receiving a signal from a remote server. Every such extension loads a seemingly harmless script with 'analytics' from
fly-analytics.com. The snag is, just you wait a couple days and this script will 'evolve' a bit:
You don't want to see your browser extensions do that
Keep in mind, it will only transform for you personally — any other person will see the same old harmless script. The thing is, the malefactor's server tracks your browser's cookies and only inserts malicious code for users it can recognize. But don't you decide that these are measures to hide a spooky script, I've got more for you. It will get so much more interesting.
The part of the code that was injected into the pseudo-analytics script does a very simple thing: it adds an obfuscated script into every freshly opened tab. I troubled myself with preparing a decrypted version.
What this script does:
lh3.googleusrcontent.comdomain. Notice that this domain has nothing to do with Google, this name is only to further confuse the potential observer.
The full list of extensions from the first group can be found here.
There are only 6 extensions in this group, with just over 1.5 million users total, but I'm almost 100% sure that all of them are real active users.
The purpose of these extensions is ad fraud via the technique known as "Cookie stuffing". At some point these extensions receive a command from the command server and start silently setting special "affiliate" cookies. For instance, when user visits Booking.com, they set their "affiliate" cookie so when the user makes a purchase, the extensions owner will be paid a comission by Booking.com.
I won't get too technical, it has been all already done last year. What I was absolutely appalled and disappointed by is that these extensions use exactly the same code as the bunch I exposed in 2019. It's a pity that Google, with all their love for automatization, can't automatically weed out such browser extensions.
Extensions from this group don't do anything malicious so far.
Nevertheless, I feel it's my duty to mention them. Just mere months ago Google announced a stricter policy to fight spam in Chrome Web Store:
We want to ensure that the path of a user discovering an extension from the Chrome Web Store is clear and informative and not muddled with copycats, misleading functionalities or fake reviews and ratings.
However, I see that Chrome Web Store is getting flooded with fake popular extensions clones with undeniably cheated number of active users (it becomes obvious when you compare the total number of users to the number of app reviews). How is it so, legit developers suffer from the overcomplicated review process, and at the same time the problem (that such strict review guidelines were meant to solve in the first place) keeps showing its ugly face time and time again?
Let's see into few cases of such spam.
UPD: Adblocker for YouTube™ has plummeted down to 80,000 users — speaking about fake users.
What unites all these browser extensions?
Now let's get to the next issue — how can we rid CWS of these extensions? In the past there was no standard way to do this. Well, there always was the "Report Abuse" button which anyone could use. The problem with that button is that it doesn't lead to any result. The only reliable way was to publish a blog post and wait until it gets some traction, and only then the extensions were "magically" removed from CWS. Not ideal at all.
Last year Google included Chrome extensions into their bug bounty program. Sounds like a good way to get to the right people in Google so that's exactly what I did this time. My report on extensions from the first group was accepted, and some investigation has been started. Also, it appears that extensions from the second group were reported earlier.
However, three weeks have already passed since then. Most of these extensions are still available in CWS and there are more and more users installing them. Moreover, some of them are getting reported by users and there's no reaction from Google. I am not sure it's justified to continue putting users at risk even for the sake of investigation.
And I have no clue where to report extensions from the third group. As we learned before, the "Report Abuse" button does not help and I don't know any reliable way to reach out to the CWS review team.
Let me get it straight this time: Google fails with managing Chrome Web Store and keeping it safe. As a response to the previous negative experience (examples: 1, 2), review process emerged, and CWS policy has become significantly stricter.
But, for some reason, the results are not too good. Legit developers pray for help on the official Chrome Extensions forum, popular extensions are threatened to be removed left and right. And at the same time, I watch as the situation with malicious extensions goes down the drain!
To be fair, Google did do one thing right — they introduced a position of Chrome Extensions Developer Advocate. It's a living person that we, developers, can address various issues to, and they in fact take their job seriously, provide absolutely invaluable help and always give developers a hand. So thank you!
I am pretty sure that CWS is managed by smart and reasonable people and I see that they are honestly trying to improve the situation. Enforcing CWS policies and keeping it safe is not an easy task and it requires skills and time.
The problem is that at the time of submission these extensions were not violating any policies. However, since remote code is allowed on CWS, they are able to change their behavior at any moment. This issue will partly go away when extensions migrate to Manifest V3, but even in this case malware authors will still be able to use techniques like steganography to trick reviewers.
Short-term, it'd help if CWS provided a channel for feedback about malicious extensions that actually works. I am happy neither with how Vulnerability Reward Program works (three weeks, extensions are still up) nor with the "Report abuse" button.
Long-term, maybe instead (or in addition) to reviewing extensions it's time to start "reviewing" developers? Instead of just asking for a $5 fee, make them provide and confirm some basic personal information (for instance, legal name and address).
Generally speaking, the rules of 'personal hygiene' in Chrome Store haven't changed since the last time I addressed this problem.
Will anything change for the better this time? Past experiences left me a pessimist, but here's hoping!