Spammers buy Chrome extensions and turn them into adware

Two developers who sold their popular Chrome extensions saw them misused for aggressive advertising

Changes in Google Chrome extension ownership can expose thousands of users to aggressive advertising and possibly other threats, two extension developers have recently discovered.

At least two Chrome extensions recently sold by their original developers were updated to inject ads and affiliate links into legitimate websites opened in users' browsers.

The issue first came to light last week when the developer of the "Add to Feedly" extension, a technology blogger named Amit Agarwal, reported that after selling his extension late last year to a third-party, it got transformed into adware. The extension had over 30,000 users when it was sold.

A second developer, Roman Skabichevsky, confirmed Monday that his Chrome extension called "Tweet This Page" suffered a similar fate after he sold it at the end of November.

Skabichevsky accepted an offer to sell the simple extension for $500 because he didn't have time to improve it anymore.

"A woman named Amanda who contacted me said they wanted the extension 'for further development'," Skabichevsky said via email. It was weird because the extension's code is open sourced so anyone can work on it, "but I sold it anyway, thinking it would be better for the world. I was so wrong!"

Agarwal's story is similar. He sold his extension for a four-figure sum after being contacted by a woman.

"A month later, the new owners of the Feedly extension pushed an update to the Chrome store," he said Thursday in a blog post. "No, the update didn't bring any new features to the table nor contained any bug fixes. Instead, they incorporated advertising into the extension."

"These aren't regular banner ads that you see on web pages, these are invisible ads that work in the background and replace links on every website that you visit with affiliate links," Agarwal said. "In simple English, if the extension is activated in Chrome, it will inject adware into all web pages."

Converting a trusted and popular extension into an aggressive advertising tool is more efficient for adware pushers than creating an extension from scratch and building a large user base they can later target, because it brings a quicker and most likely bigger return on investment.

The "Add to Feedly" and "Tweet This Page" extensions were removed from the Chrome Web Store over the weekend, presumably by Google. However, the company did not immediately respond to a request for comment.

It's not clear if any other extensions from the Chrome Web Store were resold and exhibit the same behavior.

According to the Chrome Web Store developer program policies, advertising is allowed in apps hosted in the store, but there are strict criteria for displaying ads on third-party websites: the behavior needs to be clearly disclosed to the user; there needs to be clear attribution of the ads' source; the ads must not interfere with any native ads or functionality of the website; and the ads must not mimic or impersonate native ads or content on the third-party site.

Chrome extensions are generally updated in the background without user interaction, unless their permission requirements change. The problem is that many installed extensions already hold the permission that lets them modify content on the Web pages users visit, so a new owner can change what the extension does to those pages without triggering any new permission prompt.
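The grants that make such a silent change of behavior possible are visible in an extension's manifest.json. The following audit script is an added example, not code from the article or from either extension it names: it reads a manifest (an unpacked extension's file, or the constructed sample embedded below) and reports the host patterns, content-script matches and API permissions that would let a later update rewrite every page the user opens. The sets of "broad" patterns and "sensitive" permissions are this example's own choices, not a Chrome Web Store policy rule.

```python
"""Audit a Chrome extension manifest for grants that let it rewrite any page.

Added example, not code from the article or the extensions it discusses.
Usage: python audit_manifest.py path/to/manifest.json
Without an argument it audits the constructed SAMPLE_MANIFEST below.
"""
import json
import sys

# Match patterns that cover effectively every site: Chrome's <all_urls> plus
# the common scheme wildcards. Assumption: this list is illustrative, not exhaustive.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions worth a second look on their own, because they give the
# extension reach beyond the page it is injected into.
SENSITIVE_API_PERMISSIONS = {
    "tabs", "webRequest", "webRequestBlocking", "cookies", "history",
    "scripting", "declarativeNetRequest", "webNavigation",
}


def is_broad_pattern(pattern: str) -> bool:
    """True if a match pattern grants access to (almost) every site."""
    if pattern in BROAD_HOST_PATTERNS:
        return True
    # "*://*.example.com/*" is scoped to one domain; a bare "*" host is not.
    _scheme, sep, rest = pattern.partition("://")
    if not sep:
        return False
    host = rest.split("/", 1)[0]
    return host == "*"


def audit_manifest(manifest: dict) -> dict:
    """Return the grants that let the extension touch arbitrary pages."""
    api_perms = set(manifest.get("permissions", []))
    # Manifest V2 keeps host patterns inside "permissions"; V3 moves them to
    # "host_permissions". Treat <all_urls> or anything with "://" as a host pattern.
    declared_hosts = set(manifest.get("host_permissions", []))
    for perm in list(api_perms):
        if perm == "<all_urls>" or "://" in perm:
            declared_hosts.add(perm)
            api_perms.discard(perm)

    content_script_matches = set()
    for script in manifest.get("content_scripts", []):
        content_script_matches.update(script.get("matches", []))

    broad_hosts = sorted(p for p in declared_hosts if is_broad_pattern(p))
    broad_scripts = sorted(p for p in content_script_matches if is_broad_pattern(p))
    sensitive = sorted(api_perms & SENSITIVE_API_PERMISSIONS)

    return {
        "name": manifest.get("name", "?"),
        "manifest_version": manifest.get("manifest_version", 2),
        "broad_host_permissions": broad_hosts,
        "broad_content_script_matches": broad_scripts,
        "sensitive_api_permissions": sensitive,
        # With either kind of broad grant already approved, a pushed update can
        # rewrite every visited page without a new permission prompt.
        "can_modify_any_page": bool(broad_hosts or broad_scripts),
    }


def audit_file(path: str) -> dict:
    """Audit the manifest.json at the given path."""
    with open(path, encoding="utf-8") as fh:
        return audit_manifest(json.load(fh))


# Constructed sample, modelled on a minimal "share this page" style extension.
# It is not the manifest of either extension named in the article.
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Example Share Button (constructed sample)",
    "version": "1.2.0",
    "permissions": ["tabs", "http://*/*", "https://*/*"],
    "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["inject.js"], "run_at": "document_end"}
    ],
}

if __name__ == "__main__":
    report = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_manifest(SAMPLE_MANIFEST)
    print(json.dumps(report, indent=2))
```

On a real machine the manifests of installed extensions live under the browser profile's Extensions directory; pointing the script at each manifest.json there gives a quick inventory of which extensions already hold page-modifying access and therefore deserve attention when they change hands or push an update.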

In the two reported cases the existing extensions were modified and used for aggressive advertising. However, the same technique can be used for more nefarious purposes.

"They could do worse like creating spam tweets on behalf of the extension users, or steal information from opened web pages," Skabichevsky said. "The extension was using my old Twitter API keys and I just reset them."

Using extensions to distribute malware directly is unlikely because Chrome scans downloaded binaries and flags the suspicious ones, said Zoltan Balazs, the CTO of IT security research firm MRG Effitas, via email. Even if they pass the scan, launching malicious binaries automatically would only be possible through a Chrome zero-day exploit and finding such an exploit is not a trivial task, he said.

Balazs has previously researched the security risks posed by browser extensions and has even released proof-of-concept malicious extensions.

"My opinion is that dropping traditional malware is not a real threat here, but performing form injection, password stealing, cookie stealing for bypassing two-factor authentication, credit card information stealing and launching distributed denial-of-service attacks using the browser as a proxy are actions that can be done via malicious extensions," he said. "I believe criminals buy extensions that already have a lot of permissions."

"Chrome add-ons can inject scripts into web pages so they can possibly do nasty things, though there are no known cases of them spreading malware yet," Agarwal said Monday via email.

The developer believes there should be an audit process in place on the Google Chrome Web Store like there is on the Mozilla Add-ons repository. There should also be a feature that allows users to figure out what a particular extension does to the websites they visit, he said.

Stories by Lucian Constantin