Adware Vendors Buy and Abuse Chrome Extensions

This is not a good development:

To make matters worse, ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens. Malware and adware vendors have caught wind of this and have started showing up at the doors of extension authors, looking to buy their extensions. Once the deal is done and the ownership of the extension is transferred, the new owners can issue an ad-filled update over Chrome’s update service, which sends the adware out to every user of that extension.

[…]

When malicious apps don’t follow Google’s disclosure policy, diagnosing something like this is extremely difficult. When Tweet This Page started spewing ads and malware into my browser, the only initial sign was that ads on the Internet had suddenly become much more intrusive, and many auto-played sound. The extension only started injecting ads a few days after it was installed in an attempt to make it more difficult to detect. After a while, Google search became useless, because every link would redirect to some other webpage. My initial thought was to take an inventory of every program I had installed recently—I never suspected an update would bring in malware. I ran a ton of malware/virus scanners, and they all found nothing. I was only clued into the fact that Chrome was the culprit because the same thing started happening on my Chromebook—if I didn’t notice that, the next step would have probably been a full wipe of my computer.

Tags: , , , , ,

Posted on January 21, 2014 at 6:33 AM42 Comments

Comments

mike~acker January 21, 2014 6:53 AM

when you are having trouble browsing it’s probably worth a try to start browser with add-ons disabled.

wiredog January 21, 2014 7:10 AM

Another reason to avoid Chrome. Some recent update causes it to continually ask for access to keychain on my Mac. There are buttons for “Allow”, “always allow” and “Deny”, but no way to disable it. Tried unchecking “Passwords” in Advanced Sync settings, but that had no effect.

Mike the goat January 21, 2014 7:27 AM

This made the news a few days ago. The real problem here is people allowing vendors to automatically update software without permission, whether it be a browser extension or an OS update. At least Firefox prompts and makes it abundantly clear what it is doing. As far as I know (from press reports as I am not a Chrome or Chromium user) the Chrome code just silently updates thus breaking the golden rule of updates – always ask the user.

Jim L January 21, 2014 7:44 AM

Suddenly Malwarebytes kept finding hundreds of exploits in my Chrome folders. While I most always use Firefox on my laptop, they kept coming back. This might explain it.

I uninstalled all non-Google extensions. We’ll see if that helps.

kingsnake January 21, 2014 7:46 AM

I’ve always said marketing is the 5th level of hell, and have never seen any evidence to disprove me. Rather the opposite …

name.withheld.for.ohvious.reasons January 21, 2014 7:47 AM

@ Bruce Schneier

This is not an uncommon event, many sites on the Internet that are either major traffic stops/spots and ISP’s are involved in some sort of undisclosed “capture”. Back in 1998 Blue Light, an ISP, had a monitoring tool that was quite sophisticated. 1.) MD5 encapsulated data for transport to home server
2.) Network protocol on top of HTTP/TCP
3.) Click stream monitoring, and “what else”?
4.) Server side stub, an EXE, had a host loader that decrypted the API (executable header and stub encrypted
5.) Effiecient application level protocol, keep alives and heart beats. Able to pass anything as far as I could discern.

Seems to have missed everyone’s radar.

Nothing new, just more crap.

A.Lizard January 21, 2014 7:54 AM

I thought the point behind Chromebook/ChromeOS was essentially Google-managed security. If Google is asleep at the switch, why bother?

LinkTheValiant January 21, 2014 9:09 AM

I saw one comment on the Ars article from a person by the name of Wickwick:

Imagine if they hadn’t been obnoxious about injecting noisy ads into every page. How about they silently download ads into a hidden part of every page? That’s easy enough to do with an extension. How about keylogging your interaction with your banking site and uploading that? Depending on what permissions the extension was granted when it was first installed it’s not out-of-bounds.

I’m inclined to agree. Serving ads is just the beginning. We will probably see a shift to more direct monetization of purchased extensions in the months leading up to a policy change.

Obviously now anti-malware vendors know to look out for stuff like this, but who knows just how much low-hanging fruit is out there?

Eric January 21, 2014 9:11 AM

I’m starting to ponder the possibility that money is just as much an attack vector as SQL injection or any of the other ‘traditional’ infosec attacks.

Similar to rubber-hose cryptanalysis, in a way–it bypasses all the usual technical measures and applies leverage to the people manning the system.

Probably should have seen the possibility sooner. At the very least, properties that are sold should have their certification revoked to prevent new updates with notification of the broken status.

Kinda hard to work around this attack. Everyone, as the saying goes, has a price.

Mike Amling January 21, 2014 9:24 AM

“I’m starting to ponder the possibility that money is just as much an attack vector as SQL injection or any of the other ‘traditional’ infosec attacks.”

It worked on RSA Security LLC.

Jacob January 21, 2014 9:35 AM

@ LinkTheValiant
Indeed a very potent attack vector. The guy on arstechnica said that they offered him a 4-figure sum for an extension that took him an hour to write, so he sold it to them.
The guys behind the cryptolocker malware et al could either buy or write their own benign, semi-useful extension, and on auto-update to inject their ransomware into their user base machines.
In one evening they could make 1000%+ return on their investment. Scary.

CallMeLateForSupper January 21, 2014 9:50 AM

So glad I didn’t get sucked into Chrome!

Here is another feechur (read “brain fart”) by Google, covered by The Guardian recently (10 January 2014):

“If you have a Gmail address – and more than 500 million people do – then you also have a Google+ account. Google will soon make it possible for people to email you just by searching for a name – even if they don’t have your email or know you.”
http://preview.tinyurl.com/l7h2pnl

Reportedly it is ENabled (check Settings in your Gmail account) by default. I despise the arrogance of those who push out auto-opt-in.

Gee, “what could possibly go wrong?” Well, for starters, I suspect there are many persoms with common names who will be getting mail from “old friends” who they do not, in fact, know.

Jockular January 21, 2014 10:44 AM

NXT focus should be android apps. Why do app developers ask the user for so many unnecessary permissions? If they can get them, developers’ll be able to sell their app for more $$$ to scammers or criminals.

Anura January 21, 2014 11:19 AM

You know, it’s amazing how good Linux distros are at giving you a ungodly amount of packages without having to worry about malware…

Somebody January 21, 2014 12:17 PM

“When malicious apps don’t follow Google’s disclosure policy, diagnosing something like this is extremely difficult.”

Not really. The difficult comes when every user has to diagnose it individually. If it only has to be diagnosed once, reported to Google and they fix it so that it complies with their policy (e.g. notifying users on what to uninstall or even forcing an update to something that eliminates the malware) then it’s doable. At the very least the problem can be kept in bounds.

The questions are “Do you trust Google?” and “Does Google want to be trusted?” At this point Google has reacted, so we’ll see if they do enough.

Jason January 21, 2014 1:08 PM

@jockular

The most common and worst android permission is “read phone status and identity”. It is almost always not needed. Apps can read your phone number, remote number when in calls, IMEI, etc. Google position of believing that users can and will evaluate the necessity of permissions is incredibly naive. All non-tech people I know just click past the screen without looking. Just like a terms of service. Google should manually evaluate apps requesting certain dangerous permissions.

The easiest place to find excessive permission offenders is flashlight apps.

Frustrated January 21, 2014 1:28 PM

And this is why Google’s hidden, forced, silent, anti-user automatic update system is so horrible. There’s no opportunity to intervene when an update goes bad. Chrome does it, Nik Software does it – I expect NEST will do it as well.

Firefox is almost as bad, but at least there you can turn it off.

Anura January 21, 2014 1:39 PM

@Frustrated
Silent auto update is one of the best tools for stopping the spread of malware, as too many people don’t update if it requires user interaction. The problem is with the poor management of apps.

If I was going to do it, taking into account the goal of the app stores (i.e. commission), I would have two app stores: the community managed app store for free and open source apps which has a no adware policy, based on community review and approval, and with all binaries compiled by the app system, and the paid app store with a strict privacy/advertising policy (e.g. in-app advertising only, no collecting of information not generated by your application) and a strict approval process.

N January 21, 2014 1:40 PM

@Ian
“apparently, new chrome extension attempts to protect you from it. Of course, there will always be a trust chain issue here…”

Yes, we’ll need a Chrome Protector Protector to protect our Chrome Protector. And so on…

Carl 'SAI' Mitchell January 21, 2014 2:53 PM

I don’t really see this as a problem with auto updates. There should be a notification that something has updated, but the user should not have to interact to get an update. Requiring user interaction makes patching security holes take significantly longer.

The best solution to things like this is a robust permissions system which blocks updates which change permissions until a user approves them, and allows users to deny an application/extension permissions even after install. Coupled with a web-of-trust system to detect malicious behavior this would prevent many such attacks.

Boris January 21, 2014 3:03 PM

This sort of thing is why Mozilla actually reviews changes to extensions before they get pushed out to users…

Czerno January 21, 2014 3:20 PM

@CallMeLateForSupper :
” If you have a Gmail address then you also have a Google+ account.”

I don’t think so. Actually I should know, i have a GMail address – half a dozen of them in fact – and not a single Google plus account.

You aren’t forced to open a G+ account when you create a Gmail box. In addition, users having a Google+ account can delete it online while keeping their any Gmail account.

In addition to the addition, people having Google+ account(s) aren’t forced at all to “connect” their browsing sessions to such an account if they don’t so choose. Connection to a google+ account may be useful to some roaming people who wish to synchronise preferences between different machines and don’t mind about giving their info to Google – but nobody is forced.
=Google not (so) evil ! =

Bryan January 21, 2014 4:03 PM

Money has always been an attack vector. It’s just one of the many reasons they say “follow the money.”…

Rabbits January 21, 2014 5:48 PM

Chrome settings for addons autoupdate are in the Preferences file (plain text file), which on Win platforms is in your “Application Data” (yes I know, I know, I KNOW) folder. In Chrome go to Tools – Extensions and turn on Developer Mode to see each extensions ID, for use in the Preferences file. This week anyway. I found out after I noticed Chrome no longer was asking whether to update but seemed to be autoupdating. All it took to find this information this was a search engine and keyboard.

Coyne Tibbets January 21, 2014 9:43 PM

It’s hard to get around this problem with Apps. Every App I look at requires “full network access”, and a good number of them demand off-the-wall things like camera, contacts, and other access. Even totally ridiculous things like “Flashlight”.

It’s like all the authors got together and decided to lay the groundwork for selling their app to an adware company.

It looks to me like it’s gotten so bad the only way you could operate is to go without apps; but everything you buy comes with a ton of non-removable apps (that auto-update) built in.

I’m on T-Mobile and their third-party Facebook app asked for:
– Read my messages (SMS or MMS)
– Set badges
– Read battery stats
– Add or modify calendar events
– Send email to guests without my knowledge (much less my permission)
– Read calendar events, including those marked “confidential”
– Read my contact card
– Full network access
– Manage internal storage
– Display system-level alerts
– Record audio
– GPS location
– Camera, to take both pictures and videos
– Learn what apps I’m running
– Add or remove accounts (!) and set passwords
– Directly call phone numbers; read the device state and ID incoming calls
– Read my call log, write to my call log
– Install shortcuts
– Change my wallpaper
– Download files without notification
– Receive/send internet data
– View my Wi-fi connections
– Change my audio settings
– Read my sync settings, and turn them on or off
– Reorder my running apps
– Run automatically at startup
– Find accounts
– Prevent the phone from sleeping

The only thing I could do is decline to install the update and disable the app. I can’t uninstall the app because it’s locked on the phone by T-Mobile. So from now on, I have to take care not to click update on that app, or it’ll take over everything.

SecResearch January 21, 2014 10:51 PM

Might be a good time to think of using another brower that does not have such policies and to be very careful of extensions and their functions.

Figureitout January 21, 2014 11:25 PM

When Tweet This Page started spewing ads and malware into my browser
Bruce
–This is why I think you should’ve resisted putting twit/f*ckbook buttons on the blog. How hard is it for people to copy/paste a URL? You have “2 clicks for permanent enable” but none for permanent disable besides censoring info and mutilating the internet experience.

Coyne Tibbets
–Goddamn, that’s making me mad not even having a smartphone…From the unapproved hidden updates to again like people are posting here, a practical flashlight app (actually became useful when power went out when working at a supermarket b/c it was pitch black) that all it needs to fcking do is output white pixels on a screen, it needed access to way too much. Then connecting to wifi networks again unapproved, shtty OS; and lastly suspected agents trying to egg me into renewing my smartphone so they could launch their scridddy-bitch attacks. Still got attacked on GSM/3G but they had to up their game for little payout.

Thomas January 21, 2014 11:32 PM

@Coyne Tibbets

sufficiently advanced incompetence is indistinguishable from malice.
and visa versa

Possibly the author of the app copied a hello-world/sample that simply asked for all permissions.

The sample is ‘simple’ so someone just learning isn’t inconvenienced by fine-grained permissions.

The implicit assumption that someone about to release an app should be competent enough to tailor permissions is perhaps a little optimistic.

65535 January 22, 2014 5:07 AM

Google sold-out their customers. I have lost all hope in Giggle and I am winding down my email account (I have not joined google+ but it looks like I will be forced to do so).

@Coyne Tibbets

Apps are just another vector of attack. I junked my iPhone (and they can have the one year plan – it’s not worth the invasion of privacy).

@n, Ian, Jason, frustrated and others

The trust is gone. Giggle and their minions monetize every aspect of your lives. Worse, I believe they sell your data directly to the government. I have switched to foreign search engines with https.

@Mike Amling

“I’m starting to ponder the possibility that money is just as much an attack vector as SQL injection or any of the other ‘traditional’ infosec attacks.”

‘It worked on RSA Security LLC.’

The sale of customer trust in RSA for $10 million makes me want to vomit. I am surprised that RSA has not been sued into the ground.

@Mike the goat

“…problem here is people allowing vendors to automatically update software without permission, whether it be a browser extension or an OS update. At least Firefox prompts and makes it abundantly clear what it is doing. As far as I know (from press reports as I am not a Chrome or Chromium user) the Chrome code just silently updates thus breaking the golden rule of updates – always ask the user.”

I would assume that Chrome has a lot of server side push-outs. It’s not a traditional browser. Given Google’s behavior regarding the appearance of SSL/TLS but allowing the “site” to be monitored via unencrypted Level 3 lines I have no trust in Google. Nor, do I trust server side apps which require high privileges.

As for Firefox, I am wondering exactly how much Chrome/Chromium code is embedded in Firefox. I use Firefox but I am having second thoughts. It’s possible for ad on’s and such to be pawned. And, the releases of Firefox are shooting out faster than you can test them (and that is unsettling).

Autolykos January 22, 2014 5:27 AM

I fail to get the point of adware. Using this kind of super-aggressive advertising pretty much only sends the message “I’m a dishonest, rude slimebag.” in ten-foot-tall flaming capital letters. Not the kind of people I want to do business with.

Persmissions January 22, 2014 8:44 AM

@Jason: “All non-tech people I know just click past the screen without looking.”

It is also Google’s fault:

play.google.com should at least filter search results according to a given list of permissions. They don’t, so Google is accomplice of this new malware access.

Not so long ago, persmissions were at least displayed on each given app page (I talk about https://play.google.com/store/apps/details?id=application.package ) but Google has taken them out of these pages.

Now, you have to:
– Use the browser linked to your Android account (smaller screen)
– Click on the “Install” buttons, on each apps, to be given the chance to compare apps according to their permission.
– Sign Google plus up if you want to add a review stating “permissions: none ! I recommend.” to share your findings to others on play.google.com
– or sign up to http://www.androidpit.fr or equivalent to put such a review in a less known place.

Coyne Tibbets January 23, 2014 12:16 AM

@Thomas
Possibly the author of the app copied a hello-world/sample that simply asked for all permissions.

Note that this was the Facebook app. I doubt if they had someone that incompetent or new working on the thing.

I’m sure they’d tell me that they need all of these capabilities only so they can “make my life better”. Which is really perverse because they compulsorily deprive me of the right to decide what makes my life better, in exchange for their “service”.

If they were truly honest, they would say, “We offer this you this dispensation [not “service”, because it really isn’t] in exchange for your indentured servitude.”

Permissions January 23, 2014 4:40 AM

@Jason: “The easiest place to find excessive permission offenders is flashlight apps.”
@Coyne Tibbets: “good number of them demand off-the-wall things like camera, contacts, and other access. Even totally ridiculous things like “Flashlight”.
@Figureitout: “practical flashlight app (actually became useful when power went out when working at a supermarket b/c it was pitch black) that all it needs to f*cking do is output white pixels on a screen”

If you want a white board, try the app “White Board” https://play.google.com/store/apps/details?id=com.fisherss.whiteboard that do NOT request permissions (I am not its author Fisherss).
Didn’t have time to find another one though.
If you installed it, and have signed up to google plus, please comment about it with “permissions: none”.

If you accept to give permission to access camera, there are two flashlights that use the flash of the camera:
“Flashlight Free:No Permissions” at https://play.google.com/store/apps/details?id=com.humberto.flashlight
“Minimum Permissions Flashlight” at https://play.google.com/store/apps/details?id=com.yfzhang.cameralight

I found these three apps with the search “permission” in Google play.

Figureitout January 23, 2014 8:05 PM

Permissions
–Nice, but I’m that weird guy who doesn’t currently own a smartphone (unless a job mandates it, then I’m forced to have one). I have a laser pointer (who doesn’t want a laser?) w/ a light on it which would be plenty in an actual emergency. They’re not worth the cost at the moment, rather walk w/ my head up and use a laptop/desktop or read a book; and limit functionality on such an exposed device.

JelloBarista January 27, 2014 5:09 PM

@Figureitout
” –Nice, but I’m that weird guy who doesn’t currently own a smartphone (unless a job mandates it, then I’m forced to have one). I have a laser pointer (who doesn’t want a laser?) w/ a light on it which would be plenty in an actual emergency. They’re not worth the cost at the moment, rather walk w/ my head up and use a laptop/desktop or read a book; and limit functionality on such an exposed device.”

I’m the same way. Plus I use disposable service/phones. The problem is one of when it is mandated by a job or other circumstance and it becomes muscle memory. It erodes discipline. Of course, self-discipline is in short supply these days.

Figureitout January 27, 2014 11:04 PM

JelloBarista
I’m the same way
–What’s funny is if so we’ll likely never meet b/c it may trigger certain “no-no’s” and flags. Yeah I don’t take my OPSEC as seriously as I used to; and when you got agents whose sole job is to sniff your backside you’re just giving them a reason to exist. I say if you’re going to do it, go the full 9 yards, and you should be sleeping somewhere different every week, visual disguises, different gaits/voice traits/timing, use proxies or exchange bills for services, same for computers. Once you’re done doing just that (your trusted network can always be subverted so best not to talk to anyone), trying to go to work and make money to live is kind of out of the picture unless you’re drug dealing, doing a hitjob, conducting/evading surveillance for money, etc. Fun life…if you don’t die from some scumbag, you’ll die on the inside from the lifestyle. Glad I never got that deep and never touching that sh*t again. I’m perfectly happy to use a breached system, so long as the data is encoded prior to entry. Few to no one is willing to exchange OTP’s and take it seriously, and it really wastes a lot of time.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.