Over 20 Million Users Installed Malicious Ad Blockers from Chrome Web Store
Security researcher Andrey Meshkov has discovered five malicious ad blocker extensions in the Google Chrome Web Store, which have already been installed by at least 20 million users. According to Meshkov, these malicious extensions are copies of legitimate and popular ad-blocking tools. The creators of these extensions also used popular keywords in the names and descriptions of their apps to boost their rankings in search results, thereby increasing the number of potential users.
“All the extensions I found are simple copies with just a few lines of code added by the authors,” Meshkov noted.
After the expert reported his findings to Google, the company immediately removed the following malicious extensions from the Chrome Web Store:
- AdRemover for Google Chrome (over 10 million downloads)
- uBlock Plus (over 8 million downloads)
- Adblock Pro (over 2 million downloads)
- HD for YouTube (over 400,000 downloads)
- Webutation (over 30,000 downloads)
Upon analyzing the AdRemover for Google Chrome extension, the researcher found malicious code hidden inside a modified version of the jQuery library. This code sent information about some of the websites visited by the user to a remote server. The malicious extension then received commands from the server, which were executed on the background page and could affect the browser’s operation.
To avoid detection, the commands sent by the remote server were hidden inside what appeared to be a harmless image.
“Essentially, this is a botnet made up of browsers infected with fake ad blockers. The browser will do whatever the server owner commands,” Meshkov added.
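A defender-side check for the tampering described above, where a few lines were added to a bundled copy of jQuery: compare each library shipped in an unpacked extension against a trusted reference copy and list the lines that are not in the reference. This is an added example, not code from Meshkov's analysis; the function names and the inline sample files are constructed for illustration, and a real audit would load the reference from the library's official release.

```javascript
const crypto = require('crypto');

const sha256 = (text) => crypto.createHash('sha256').update(text, 'utf8').digest('hex');

// Normalise line endings so CRLF/LF repackaging is not reported as tampering.
const normalise = (text) => text.replace(/\r\n/g, '\n');

// Return the lines of `bundled` that have no counterpart in `reference`.
function addedLines(reference, bundled) {
  const counts = new Map(); // multiset of reference lines
  for (const line of normalise(reference).split('\n')) {
    counts.set(line, (counts.get(line) || 0) + 1);
  }
  const extra = [];
  normalise(bundled).split('\n').forEach((line, i) => {
    const remaining = counts.get(line) || 0;
    if (remaining > 0) counts.set(line, remaining - 1);
    else extra.push({ line: i + 1, text: line });
  });
  return extra;
}

// extensionFiles: { path: content } for an unpacked extension.
// references: { fileName: content } for trusted upstream copies.
function auditBundledLibraries(extensionFiles, references) {
  const findings = [];
  for (const [path, content] of Object.entries(extensionFiles)) {
    const ref = references[path.split('/').pop()];
    if (ref === undefined) continue; // no reference held for this file
    if (sha256(normalise(content)) === sha256(normalise(ref))) continue; // byte-identical
    findings.push({ path, added: addedLines(ref, content) });
  }
  return findings;
}

// Constructed stand-ins: a tiny "library" and an extension bundling two copies of it.
const REFERENCE = {
  'jquery.min.js': '/* lib v0 (constructed) */\nfunction a(){}\nfunction b(){}\n',
};
const EXTENSION = {
  'manifest.json': '{"name":"sample"}',
  'lib/jquery.min.js': '/* lib v0 (constructed) */\r\nfunction a(){}\r\n' +
    'var extra = "constructed added line";\r\nfunction b(){}\r\n',
  'vendor/jquery.min.js': REFERENCE['jquery.min.js'],
};

console.log(JSON.stringify(auditBundledLibraries(EXTENSION, REFERENCE), null, 2));
```

Only the modified copy is reported, with the position and text of the line that is absent from the reference; the untouched copy and files without a reference are skipped.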