Faux Apps Found Hijacking Chrome, Spamming Tumblr

A flurry of fake, ad-laden Angry Birds lookalike games has flooded the Google Chrome Web store of late. The online marketplace where Google sells extensions and games for its Chrome browser has seen an influx of games mimicking “Bad Piggies,” a new game Rovio Entertainment recently released that puts a twist on its ubiquitous Angry Birds game.

At least seven of these games — “Angry Birds Bad Piggies,” “Angry Birds Space HD,” etc. — require the user to relinquish access to all data on all websites, according to research headed up by Barracuda Networks. In an entry on the security firm’s Internet Security Blog, research scientist Jason Ding notes that all of these games are being distributed by the same site: playook.info. After installation, the games insert their own advertisements into popular websites.

After deploying the games in a test environment, Barracuda found that they inserted advertising from playook.com into sites like Myspace, eBay, IMDB, Yahoo and MSN, among dozens of other sites, in the Chrome browser.

Collectively, as of Thursday afternoon, the apps have been downloaded by nearly 89,000 Chrome users.

Clearly, attackers are continuing to entice users into granting complete access to plug-ins, games and extensions without reading the applications’ permissions first.
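The "access to all data on all websites" grant described above is declared in each extension's manifest.json, so it can be checked before or after installation. The following is an added example, not code from Barracuda or the original article; the two sample manifests are constructed for illustration, and the pattern list reflects the match patterns Chrome treats as all-site access.

```python
import json

# Match patterns that Chrome reports as access to data on all websites.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_host_access(manifest_text):
    """Return sorted (source, pattern) pairs that grant all-site access."""
    manifest = json.loads(manifest_text)
    findings = set()
    # Manifest V2 lists host patterns inside "permissions";
    # Manifest V3 moves them to "host_permissions".
    for key in ("permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and entry in BROAD_PATTERNS:
                findings.add((key, entry))
    # Content scripts run inside every page their patterns match, which is
    # the mechanism an extension needs to insert ads into third-party sites.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_PATTERNS:
                findings.add(("content_scripts", pattern))
    return sorted(findings)

# Constructed sample: a "game" that asks for every site and injects a script.
SAMPLE_GAME = json.dumps({
    "manifest_version": 2,
    "name": "Constructed Sample Game",
    "version": "1.0",
    "permissions": ["tabs", "http://*/*", "https://*/*"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

# Constructed sample: an extension scoped to a single origin.
SAMPLE_NARROW = json.dumps({
    "manifest_version": 2,
    "name": "Constructed Narrow Sample",
    "version": "1.0",
    "permissions": ["storage", "https://example.com/*"],
})

if __name__ == "__main__":
    for label, text in (("game", SAMPLE_GAME), ("narrow", SAMPLE_NARROW)):
        hits = broad_host_access(text)
        print(label, "-> REVIEW" if hits else "-> ok", hits)
```

A game has no functional need for any of these patterns, so a non-empty result for one is a reason to review or remove it.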

Security firm GFI Labs spotted a rogue Tumblr app disguised as a “profile stalker” this week that’s been conning users in a similar fashion. According to a post on the company’s blog, users are installing the app under the assumption it will allow them to see who is viewing their blog the most. In actuality, installing the app grants the app “read and write access” to the user’s Tumblr account.

If installed, the app will go on to spam the user’s Tumblr until they either reset their “secret posting email address” or revoke the “profile stalker” app in Tumblr’s “Account Settings” panel.

Permissions — what applications can or can’t do, what information they have or don’t have access to — have long been a thorn in the side of mobile phone users. It appears that going forward users will have to remain as vigilant on their personal computers as on their smartphones until a better system for vetting applications on sites such as Tumblr and Google Chrome is introduced.
