Google scrambled this week to remove a malicious Chrome extension from its store and users’ machines after a popular Twitter account disclosed the issue publicly. The incident ramped up again one day later when the developers were able to get two other shady plugins past Google’s defenses before those were removed.
The popular Swift on Security Twitter feed chronicled the mess starting Tuesday, when the account reported that an extension posing as AdBlock Plus, already downloaded close to 38,000 times, was still available on the Chrome Web Store.
Google allows 37,000 Chrome users to be tricked with a fake extension by fraudulent developer who clones popular name and spams keywords. pic.twitter.com/ZtY5WpSgLt
— SwiftOnSecurity (@SwiftOnSecurity) October 9, 2017
The plugin had been available since at least Sept. 22 and made good use of dozens of keywords to entice users to the landing page on the Chrome Web Store.
Google posted an update to the Chromium forum on Monday.
“After reviewing the issue in more detail, we found that a number of other similar instances of this campaign were detected and that our systems had successfully prevented them from reaching users,” Google said. “This app was able to slip through the cracks, but we’ve identified the reason and are addressing it.”
On Wednesday, Swift on Security put out the word about two more phony AdBlock Plus extensions in the store, one falsely claiming more than 10 million downloads. Swift on Security said the developer used Cyrillic Unicode characters in the extension name, allowing the malicious plugins to again sidestep Google’s malware filters.
Update: TWO fake AdBlock Plus, including one with fake user numbers, have been added back to the Chrome extension store, in the same place. pic.twitter.com/duSBJSz6zn
— SwiftOnSecurity (@SwiftOnSecurity) October 11, 2017
“We need to stop Unicode until we can get a handle on the situation,” Swift on Security said. “No more Unicode.”
In April, Google shipped Chrome 58, which included a patch for the Punycode vulnerability that simplified phishing attacks using Unicode domains. Chinese researcher Xudong Zheng privately reported the issue to Google in January. His research focused on the use of Unicode characters from the Cyrillic and Greek alphabets to mimic Latin characters and fool users into thinking they’ve landed on a legitimate domain.
In September, researcher Ankit Anubhav discovered that attackers were spreading the Beta Bot Trojan via an Adobe lookalike domain called adoḅe[.]com (note the “b”). The domain was redirecting to a phony Flash Player download that instead spread the malware.
“It’s a good attempt. Someone took their time to set up a good fake,” Anubhav said of the technique called an IDN or internationalized domain name homograph attack.
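The two tricks described above (Cyrillic letters dropped into an otherwise Latin extension name, and a Latin letter with a diacritic standing in for a plain one in a domain) are caught by two different checks, and a store or a mail gateway needs both. The following is an added example for defenders, not code from Google, Swift on Security or any of the researchers named here: a mixed-script check that flags a name mixing Latin with Cyrillic or Greek letters, and a "skeleton" comparison that reduces a name to the Latin string a user perceives and compares it against a list of protected names. The confusables table and the sample names are constructed for this example and are far smaller than the full Unicode confusables data (UTS #39) a production filter would use; the Punycode helper only shows what Chrome displays once an IDN is not rendered in Unicode.

```python
import unicodedata

# Constructed, deliberately small map of Cyrillic and Greek letters that render
# like Latin letters. A real filter would load the full UTS #39 confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",  # Cyrillic a, c, e, o
    "\u0440": "p", "\u0445": "x", "\u0443": "y",                  # Cyrillic p, x, y
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E",  # Cyrillic capitals
    "\u041d": "H", "\u041a": "K", "\u041c": "M", "\u041e": "O",
    "\u0420": "P", "\u0422": "T", "\u0425": "X",
    "\u03bf": "o", "\u03bd": "v", "\u03b1": "a",                  # Greek o, nu, alpha
}

# Constructed sample inputs: the names a store reviewer would compare.
PROTECTED = ["AdBlock Plus", "adobe.com"]
FAKE_ADBLOCK = "AdBl\u043e\u0441k Plus"   # Cyrillic o and c in place of Latin o and c
FAKE_ADOBE = "ado\u1e05e.com"             # Latin b with dot below, as in the article


def script_of(ch: str) -> str:
    """Coarse script classification derived from the Unicode character name."""
    if not ch.isalpha():
        return "COMMON"  # digits, spaces and punctuation carry no script
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def scripts_in(name: str) -> set:
    """Set of scripts used by the letters of a name (ignores COMMON)."""
    return {script_of(ch) for ch in name} - {"COMMON"}


def is_mixed_script(name: str) -> bool:
    """True when letters from more than one script appear in one name.

    This catches the Cyrillic-in-a-Latin-name trick, but NOT a Latin letter
    with a diacritic, which is still Latin script.
    """
    return len(scripts_in(name)) > 1


def skeleton(name: str) -> str:
    """Reduce a name to the plain Latin string a user would perceive."""
    out = []
    for ch in name:
        ch = CONFUSABLES.get(ch, ch)  # Cyrillic/Greek look-alike -> Latin
        # NFKD splits e.g. U+1E05 into 'b' plus COMBINING DOT BELOW; drop the mark
        for part in unicodedata.normalize("NFKD", ch):
            if not unicodedata.combining(part):
                out.append(part)
    return "".join(out).casefold()


def impersonates(name: str, protected: list) -> str:
    """Return the protected name this one visually collides with, or ''.

    A name is flagged when its perceived skeleton equals a protected name's
    skeleton while the raw strings differ (spoof rather than the genuine name).
    """
    sk = skeleton(name)
    for p in protected:
        if sk == skeleton(p) and name.casefold() != p.casefold():
            return p
    return ""


def to_punycode(hostname: str) -> str:
    """ASCII (xn--) form of an IDN, which is what the address bar falls back to."""
    return hostname.encode("idna").decode("ascii")


if __name__ == "__main__":
    for candidate in (FAKE_ADBLOCK, FAKE_ADOBE, "AdBlock Plus"):
        print(repr(candidate), "mixed script:", is_mixed_script(candidate),
              "impersonates:", repr(impersonates(candidate, PROTECTED)))
    print(FAKE_ADOBE, "->", to_punycode(FAKE_ADOBE))
```

The fake AdBlock name trips the mixed-script check; the adoḅe domain does not, because the dotted b is a Latin letter, yet its skeleton still collides with adobe.com. Running only one of the two checks is exactly the gap a filter keyed on a single heuristic leaves open.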
Google said Monday it had addressed the first notification within minutes, removing the malicious extension from the Chrome Web Store and from users’ machines. Within two hours on Tuesday, it had done the same for the second wave of phony extensions.
“We wanted to acknowledge that we know the issue spans beyond this single app,” Google said. “We can’t go into details publicly about solutions we are currently considering (so as to not expose information that could be used by attackers to evade our abuse fighting methodologies), but we wanted to let the community know that we are working on it, as we continually strive to improve our protection and keep users safe from malicious Chrome Extensions and Apps.”