Google scrambled this week to remove a malicious Chrome extension from its store and users’ machines after a popular Twitter account disclosed the issue publicly. The incident ramped up again one day later when the developers were able to get two other shady plugins past Google’s defenses before those were removed.
The popular Swift on Security Twitter feed chronicled the mess starting Tuesday, when the account said an extension posing as AdBlock Plus, already downloaded close to 38,000 times, was still available on the Chrome Web Store.
> Google allows 37,000 Chrome users to be tricked with a fake extension by fraudulent developer who clones popular name and spams keywords. [pic.twitter.com/ZtY5WpSgLt](<https://t.co/ZtY5WpSgLt>)
>
> — SwiftOnSecurity (@SwiftOnSecurity) [October 9, 2017](<https://twitter.com/SwiftOnSecurity/status/917446126382526464?ref_src=twsrc%5Etfw>)
The plugin had been available since at least Sept. 22 and made good use of dozens of keywords to entice users to the landing page on the Chrome Web Store.
Google posted an update to the Chromium forum on Monday.
“After reviewing the issue in more detail, we found that a number of other similar instances of this campaign were detected and that our systems had successfully prevented them from reaching users,” Google said. “This app was able to slip through the cracks, but we’ve identified the reason and are addressing it.”
On Wednesday, Swift on Security put out the word about two more phony AdBlock Plus extensions in the store, one falsely claiming more than 10 million downloads. Swift on Security said the developer used Cyrillic Unicode characters in the extension name, allowing the malicious plugins to again sidestep Google’s malware filters.
> Update: TWO fake AdBlock Plus, including one with fake user numbers, have been added back to the Chrome extension store, in the same place. [pic.twitter.com/duSBJSz6zn](<https://t.co/duSBJSz6zn>)
>
> — SwiftOnSecurity (@SwiftOnSecurity) [October 11, 2017](<https://twitter.com/SwiftOnSecurity/status/918157364079022086?ref_src=twsrc%5Etfw>)
“We need to stop Unicode until we can get a handle on the situation,” Swift on Security said. “No more Unicode.”
In April, Google shipped Chrome 58, which included a patch for the [Punycode vulnerability](<https://threatpost.com/google-fixes-unicode-phishing-vulnerability-in-chrome-58-firefox-standing-pat/125099/>) that simplified phishing attacks using Unicode domains. Chinese researcher Xudong Zheng privately reported the issue to Google in January. His research focused on the use of Unicode characters from the Cyrillic and Greek alphabets to mimic Latin characters and fool users into thinking they’ve landed on a legitimate domain.
In September, researcher Ankit Anubhav discovered that attackers were [spreading the Beta Bot Trojan](<https://threatpost.com/idn-homograph-attack-spreading-betabot-backdoor/127839/>) via an Adobe lookalike domain called adoḅe[.]com (note the “b”). The domain was redirecting to a phony Flash Player download that instead spread the malware.
“It’s a good attempt. Someone took their time to set up a good fake,” Anubhav said of the technique called an IDN or internationalized domain name homograph attack.
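The Cyrillic letters in the fake extension names and the adoḅe[.]com domain are the same trick: characters that render like Latin letters but are not. A defender screening store listings or domains can catch both with a mixed-script check plus a confusable "skeleton" comparison against known brand names. This is an added example, not code from the article or from Google/Chrome; the confusable table is a small constructed subset, not Unicode's full confusables list.

```python
import unicodedata

# Constructed partial confusable map (Cyrillic/Greek -> Latin). Unicode's full
# confusables.txt is far larger; this covers characters commonly abused in lookalikes.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",
}


def script_of(ch: str) -> str:
    """Coarse script label (LATIN, CYRILLIC, GREEK, ...) taken from the character's Unicode name."""
    if not ch.isalpha():
        return "COMMON"          # digits, punctuation, spaces, combining marks
    try:
        return unicodedata.name(ch).split(" ")[0]
    except ValueError:
        return "UNKNOWN"


def is_mixed_script(s: str) -> bool:
    """True when letters from more than one script appear (e.g. Cyrillic A in 'AdBlock')."""
    return len({script_of(c) for c in s} - {"COMMON"}) > 1


def skeleton(s: str) -> str:
    """Casefold, strip diacritics (so 'ḅ' becomes 'b'), then map confusables to Latin."""
    s = unicodedata.normalize("NFKD", s.casefold())
    s = "".join(c for c in s if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in s)


def impersonates(candidate: str, legit: str) -> bool:
    """True when candidate differs from the real name (beyond case) but collapses to its skeleton."""
    if candidate.casefold() == legit.casefold():
        return False
    return skeleton(candidate) == skeleton(legit)


def check_name(candidate: str, legit_names) -> dict:
    """Screen one listing/domain name against a list of brands worth protecting."""
    return {
        "mixed_script": is_mixed_script(candidate),
        "impersonates": [n for n in legit_names if impersonates(candidate, n)],
    }
```

Note that adoḅe.com is pure Latin script, so the mixed-script check alone misses it; only the skeleton comparison flags it.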
Google said Monday it had addressed the first notification within minutes, removing the malicious extension from the Chrome Web Store and from users’ machines. Within two hours on Tuesday, it had done the same for the second wave of phony extensions.
“We wanted to acknowledge that we know the issue spans beyond this single app,” Google said. “We can’t go into details publicly about solutions we are currently considering (so as to not expose information that could be used by attackers to evade our abuse fighting methodologies), but we wanted to let the community know that we are working on it, as we continually strive to improve our protection and keep users safe from malicious Chrome Extensions and Apps.”
Source: Threatpost, “Google Busy Removing More Malicious Chrome Extensions from Web Store,” by Michael Mimoso, published October 13, 2017: https://threatpost.com/google-busy-removing-more-malicious-chrome-extensions-from-web-store/128435/