Chrome extensions being bought out by malware vendors in order to peddle malicious updates

Recently, malware vendors have been purchasing popular Chrome extensions in order to distribute malicious code, adware and malware to every user of the extension.

According to ArsTechnica, the danger lies in Chrome's 'silent updates': Google designed Chrome specifically to be smooth and noninvasive, which means silently updating browsers and extensions without a hitch. But it also means that users aren't told when ownership of an extension is transferred to another company - so they're left in the dark if a malicious vendor suddenly decides to push dangerous updates.

And as it turns out, exactly that has been happening. Adware vendors are purchasing popular extensions and subsequently pushing out silent updates filled with malicious and invasive code to users' browsers. This was experienced firsthand by the developer of the popular 'Add to Feedly' extension: A mysterious buyer approached him and offered him a four-figure sum to transfer ownership of the extension that he had developed. When he took them up on their offer, the new owners pushed out an update which pumped the extension full of adware, leaving the extension's 30,000 users at the short end of the stick with potentially compromised browsers. 

This exact scenario has happened to plenty of other Chrome extension developers as well, and as its prevalence increases, users may find it difficult to properly diagnose and remove the compromised extensions. Since most virus scanners don't mark adware-filled JavaScript as malicious, figuring out which extension is causing the problems may be difficult. And since Chrome syncs account data across all devices, a malicious extension downloaded on your laptop will also have to be deleted from your desktop - and your phone, tablet, and Chromebook.
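One way to narrow down which extension changed is to compare what an update adds to an extension's manifest. The sketch below is an added example, not code from the article, ArsTechnica or Chrome. The sample manifests are constructed, the function names are hypothetical, and it assumes the usual profile layout of `Extensions/<id>/<version>/manifest.json`.

```python
import json
from pathlib import Path

# Match patterns that give an extension access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def surface(manifest):
    """Summarise what a manifest lets the extension touch."""
    declared = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    perms = {p for p in declared if isinstance(p, str)}
    hosts, scripts = set(), set()
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))   # pages the scripts run on
        scripts.update(cs.get("js", []))      # files injected into those pages
    hosts.update(p for p in perms if "://" in p or p == "<all_urls>")
    return {"permissions": perms - hosts, "hosts": hosts, "scripts": scripts}

def diff_update(old, new):
    """Return what the new version adds over the old one, per category."""
    before, after = surface(old), surface(new)
    added = {k: sorted(after[k] - before[k]) for k in after}
    # True when the new version can read or modify pages on every site.
    added["all_sites"] = bool(after["hosts"] & BROAD_HOSTS)
    return added

def installed_versions(extensions_dir):
    """Yield (extension_id, version_dir, manifest) under a profile's Extensions dir."""
    for mf in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        yield mf.parts[-3], mf.parts[-2], json.loads(mf.read_text(encoding="utf-8"))

# Constructed sample manifests (not taken from any real extension).
OLD = {"name": "Sample Reader Helper", "version": "1.2",
       "permissions": ["tabs", "https://reader.example/*"],
       "content_scripts": [{"matches": ["https://reader.example/*"], "js": ["button.js"]}]}
NEW = {"name": "Sample Reader Helper", "version": "1.3",
       "permissions": ["tabs", "webRequest", "<all_urls>"],
       "content_scripts": [{"matches": ["https://reader.example/*"], "js": ["button.js"]},
                           {"matches": ["<all_urls>"], "js": ["inject.js"]}]}

if __name__ == "__main__":
    for key, value in diff_update(OLD, NEW).items():
        print(f"{key}: {value}")
```

Saving the output of `installed_versions` on a schedule gives the "old" manifests to compare against after each silent update.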

The internet is certainly no stranger to this sort of malware. A few weeks ago, Yahoo confirmed that some of the ads on its site were filled with malicious code - and even Google is aware of the issue, implementing 'malware detection' into a beta browser back in November. But as the Chrome web browser becomes more and more popular, the prevalence of folks looking to harm your computer and steal your personal information will certainly increase in turn.

Source: ArsTechnica

Images via Shutterstock (Hex Code), ArsTechnica


45 Comments


Couldn't Google also make a `popup` and `web page injector` permissions that would be noticed and must be approved before the update gets re-enabled?

(As they probably should have from the get go when adding permissions)

Google loves malware! It's in their phones, browser and operating system. You think they would build to keep it out, but no they welcome it with open arms.

Unfortunate, but no big deal. Extensions are the only reason I use Chrome and FF. If you haven't used them, you can't really comment intelligently about their use and importance.

I have every confidence in Google and the Chrome team to fix this important issue. Chrome, for the most part, needs to stay the same. The only thing that needs to change is the way extensions are updated. Even completely stripped of extensions, Chrome is still awesome. I'm sure this will get fixed.

Just keep an eye on the extensions you use and the comments people say about them. Same thing with malware...just be smart on what you install.

techbeck said,
Just keep an eye on the extensions you use and the comments people say about them. Same thing with malware...just be smart on what you install.

The problem here is that people were smart with what they installed, but it got updated later on down the road to be malicious. Turning viable, secure software into malware is pretty much the ultimate Trojan horse.

If one has to consistently keep an eye on stuff like this, what's the point of silent updates then? Why not show a prompt and a changelog and a handy gtfo button each and every time?

Should keep an eye out for these things anyway. Sucks this happens and will be a PITA for some. I use FF but I am sure it's only a matter of time before they get hit as well.

How cute, a variation of the same thing developers do on Android.

(I was going to list how variations of this work on Android, but the list I was typing started becoming longer than the article above. Anyway, smaller developers gain permissions, and then use them for 'other' reasons in future updates or smaller developers are bought out and use the respectability of the original App to shove out malicious updates, etc.)

M_Lyons10 said,
I cannot believe Google thought this was a secure model...

better than an IE model where everything is vulnerable

justin76 said,

better than an IE model where everything is vulnerable

I see you're living in 2001. But here in 2014, IE11 is more secure than Chrome, and doesn't have serious flaws like this.

How do they expect the modified extensions to stay up in the store? This practice probably won't last very long!

" A mysterious buyer approached him." Neowin, how about extending yourselves from "unprofessional journalism" to professional, and do some research into all these companies that are in charge of all the Malware. You know, Conduit, MyPCBackup, and dozens of other douchebags that end up on the computers that all we geeks clean off from all our friends' PCs every weekend. Expose these guys, publish the company addresses and phone #'s, get on it.

Innocent Mom does a search for Google Chrome because her Bank won't update their website to work with IE 11 or whatever, and she ends up with the Chrome.exe malware downloads. No search for any software is safe on just about any search engine, even Bing and Google will both put Malware laden paid for links at the top of the list. WTF, and RT gets a bad name? These folks aren't stupid they are just average consumers, that shouldn't have to know any better.

jimmyfal said,
" A mysterious buyer approached him." Neowin, how about extending yourselves from "unprofessional journalism" to professional, and do some research into all these companies that are in charge of all the Malware. You know, Conduit, MyPCBackup, and dozens of other douchebags that end up on the computers that all we geeks clean off from all our friends' PCs every weekend. Expose these guys, publish the company addresses and phone #'s, get on it.

Innocent Mom does a search for Google Chrome because her Bank won't update their website to work with IE 11 or whatever, and she ends up with the Chrome.exe malware downloads. No search for any software is safe on just about any search engine, even Bing and Google will both put Malware laden paid for links at the top of the list. WTF, and RT gets a bad name? These folks aren't stupid they are just average consumers, that shouldn't have to know any better.


Yep they just click on the very first link. A great example of this is "Google Chrome" they usually click the ad, even though it says "Ad"

As long as it doesn't affect the major popular ones it won't really matter, as I don't have many extensions installed, but I do have some, as you need some to get the browser to function more efficiently with closing tabs and scrolling tabs etc. I only have five extensions installed but would have been four if it had not been for YouTube etc switching to HTTPS, which currently stops AD-Muncher from filtering content (since it does not filter HTTPS connections currently) and forced me to install ADBlock Plus back into Pale Moon x64 (basically a 64bit version of Firefox) in order to filter most junk from it.

Whoever designed/integrated the silent update mechanism needs to be found and shot or at least banged up a bit for designing/integrating such a security nightmare such as this.

Mate, this was a major feature of Chrome over say IE apparently. The fact it autoupdates everything, meaning you're always using the latest feature is considered a feature.

Microsoft doesn't do this, and is derided for it. Microsoft has a security first policy (Which this clearly isn't) and they're considered to be out-dated as a result.

Honestly, this isn't particularly special; I'm personally surprised it took this long to occur.

I wonder if there's a way to find out which ones have been sold recently. especially the popular ones with lots of users

How come Google has such bad software architects? You can say that it's hindsight, but software architects had to predict and avoid this. Do only programmers work there or something?

xendrome said,
Umm, one this isn't Google's problem/fault and two how exactly do you propose this be avoided?

How did they approve these updates?

xendrome said,
Umm, one this isn't Google's problem/fault and two how exactly do you propose this be avoided?

How is this not Google's fault? They push updates that they never vet to who knows how many consumer devices... It's their model and it's crap. Any code pushed to consumers should be vetted, and I would argue a notification should be made when the publisher changes...

xendrome said,
Umm, one this isn't Google's problem/fault and two how exactly do you propose this be avoided?

It's a security hole, therefore I think it very much is. As part of pen-test, numerous attack vectors had to be considered, especially regarding any third party code (extensions). How come that malware authors (and other pen-testers) are so often one step ahead of even supposedly the best developers, even without access to source code and documentation? It's not like they have more time or huge resources? But if they do, given the development of things - that malware is only getting more and more prevalent - I'd argue that much more resources should be allocated to software and system security audits both during and after development cycle. Except that it's bad business - flying by the seat of pants until something bad happens and then downplaying it all is much easier.

The second part requires some actual expertise. It would be rather ludicrous to think I could, without experience and in-depth knowledge, just come and announce a solution. I come up empty on this.

M_Lyons10 said,

I would argue a notification should be made when the publisher changes...

Any such transfer of control can be made without letting Google or anyone else not directly involved to know. For example, it is not necessary to change publisher at all. Sadly, there aren't any obvious solutions, say, regarding rigorous approval (other than manual), code signing and access rights.

I hope that there is at least a mechanism of certificate revocation in place so that invalidating such code would prevent this extension from proliferating. Chrome should on every run check any third party code for tampering and certificates for validity, and notify users about any errors. If they ignore it - their own fault, of course. Google would not be above implementing kill-switch, either.

Edited by Phouchg, Jan 20 2014, 12:13am :

Yeah, and also the only thing malware vendors can do because non-store extensions are banned and getting a malicious extension into the store is a difficult proposition. Google really ought to have predicted this as the next logical step.

Lord Method Man said,
Always enjoy the IE bashers with their "IE doesn't have proper extension support so I won't use it" drivel.

Enjoy your malware.

Yep exactly.

Lord Method Man said,
Always enjoy the IE bashers with their "IE doesn't have proper extension support so I won't use it" drivel.

Enjoy your malware.


My first thought as well.

I think Chromebooks will soon have malware as well because of this... Just a matter of time. If it doesn't have it already that is.

MASTER260 said,
Despite this, extensions are still an important feature.

I honestly think that their value is over-valued. Sure, some of them are extremely useful, but a lot of them..? Most of them seem to simply add settings and features that should already be a part of the browser or the website itself.

Lord Method Man said,
Always enjoy the IE bashers with their "IE doesn't have proper extension support so I won't use it" drivel.

Enjoy your malware.

And enjoy your websites not rendering properly or using HTML 5

sinetheo said,

And enjoy your websites not rendering properly or using HTML 5

Lol. Ok, well my sites I render with IE are fine and HTML 5 works great.

Actually, Chrome 32 broke some stuff that they fix in 33 so unless you are on the dev channel enjoy Chrome 32 errors =).

sinetheo said,

And enjoy your websites not rendering properly or using HTML 5


You might want to get a calendar, it's not 2009 anymore.

Lord Method Man said,
Always enjoy the IE bashers with their "IE doesn't have proper extension support so I won't use it" drivel.

Enjoy your malware.

Extensions are a valuable part of many people's browsing experience (mine included). It's a balancing act, the freedom to be able to extend your browser comes with the risk that malcontents will abuse the system and your trust. The same applies to locally installed applications on an OS too.

Any application that you allow to auto-update implies a trust that the publisher won't pull a dick-move like this. The alternative is locking down the system and restricting what we can do with our own computers, which is a much less enticing prospect.

I don't see why people who enjoy extensions should have to "enjoy their malware", as you so eloquently put it. It's a problem for sure, but you sound bitter and resentful. Extensions are a core part of many people's browsing habits.

NoClipMode said,

Congratulations on making yourself look very stupid.

And I just went to my bank's website with IE 11 and it didn't work. IE is not only not compatible with W3C but itself apparently. Which is why we are locked at IE 8 at work. IE can't display things right, but Firefox works fine with all but 1 app.