AdGuard, a provider of ad blocking programs, revealed in their blog in April that approximately 20,000,000 users of the Google Chrome web browser had downloaded fake ad blockers that likely contained malware. These malicious ad blockers were available on the Chrome WebStore and were often clones of legitimate ad blocking applications. These duplicate programs utilized the names of the originals to capture keyword search traffic in the WebStore.
The practice is nothing new according to AdGuard, which claims that Google has periodically overlooked potentially malicious ad blockers featured in its web store. These programs were routinely poorly vetted, and Google often took considerable time to remove them, which gave the malware additional time to proliferate among users. Many of these fake ad blocker extensions were downloaded by thousands to millions of users before they were removed.
The creators of the ad blockers used code from existing applications and modified key portions to allow themselves to directly access the data of users who downloaded the program. In addition to spamming the WebStore descriptions of these products with keywords, they often modified the names of the original programs they had copied (appending words such as “Plus” or “Pro” to the title) to trick users into believing these were simply upgraded versions. Several of these malicious ad blockers had tens of thousands of downloads per program, with the largest being AdRemover at over 10 million users.
AdGuard found that AdRemover contained scripts hidden within an image file that would allow whoever designed it to track websites users had visited and even affect their web browser’s behavior. These types of fake ad blockers connect the infected computer to a command server that can control the machine remotely.
Third-party applications are one of many avenues attackers use to exploit vulnerable digital touchpoints and breach further into the system. Because organizations depend on the Internet to carry out their tasks, hackers can place malware traps in popular tools, such as Chrome extensions or company emails. Protecting a network against these threats requires both proactive and reactive defense measures, such as scrutiny when surfing the Web and regular examinations of your system.
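One such regular examination, as an added example that is not from AdGuard or the original article: a Python check that flags installed extensions whose names imitate a trusted extension (including the “Plus” and “Pro” variants described above) but whose extension ID is not the one you approved. The extension names, IDs, allowlist and inventory are constructed placeholders, and the inventory is assumed to have been exported from your endpoints already.

```python
import re

# Constructed allowlist: normalized trusted name -> the extension ID you approved.
# Names and IDs are placeholders, not real Chrome Web Store values.
TRUSTED = {"example ad blocker": "a" * 32}

# Suffixes the article describes being appended to cloned names.
SUFFIXES = ("plus", "pro")

# Constructed sample inventory of (display name, extension ID) pairs.
INVENTORY = [
    ("Example Ad Blocker", "a" * 32),       # approved name and ID
    ("Example Ad Blocker Pro", "b" * 32),   # suffix variant, unknown ID
    ("Example Ad-Blocker PLUS", "c" * 32),  # punctuation and case variant
    ("Example Ad Blocker", "d" * 32),       # exact name, unknown ID
    ("Tab Organizer", "e" * 32),            # unrelated extension
]


def normalize(name):
    """Lowercase, replace punctuation with spaces, strip trailing suffixes."""
    words = re.sub(r"[^a-z0-9 ]+", " ", name.lower()).split()
    while words and words[-1] in SUFFIXES:
        words.pop()
    return " ".join(words)


def audit(inventory):
    """Return (name, ext_id, reason) for entries imitating a trusted name."""
    findings = []
    for name, ext_id in inventory:
        base = normalize(name)
        expected = TRUSTED.get(base)
        if expected is None or ext_id == expected:
            continue  # unrelated name, or the approved extension itself
        if name.lower() == base:
            reason = "same name, unexpected ID"
        else:
            reason = "renamed variant, unexpected ID"
        findings.append((name, ext_id, reason))
    return findings


if __name__ == "__main__":
    for name, ext_id, reason in audit(INVENTORY):
        print(f"{name!r} ({ext_id}): {reason}")
```

Matching on the extension ID rather than the display name is what makes the check useful, since the display name is exactly what a clone copies.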
Contact us if you would like to learn more about protecting your network against malicious third-party applications.