How to Tell the Right Chrome Extensions From Malware

We all fall prey to the dangerous belief that if an app or extension is listed in an official repository – be it the App Store, Google Play, Microsoft Store, Mozilla’s add-on directory, and so on – it must be legal. After all, big tech companies are likely using a variety of automated systems (and real people) to ensure that their customers don’t download malicious files. Right?

Unfortunately, as a recent AdGuard report reminded us, you can’t trust big technology to keep your devices secure. Malware goes through holes, and you need a little control over your actions to make sure that what you are about to download to your device or computer is legal. While you won’t be able to catch sophisticated malware disguised as real applications, filtering out the more obvious crap isn’t hard.

Make sure you are downloading the correct extension

I’m going to focus on Chrome extensions for this how-to guide, but the same advice is generally true for whatever apps you download: from the web, from the app store, from anywhere. You should always be sure to download the correct extension or application, especially if you vaguely remember the name of something you read somewhere that works great for your PC, or any extension that a friend mentioned in a conversation that you now kind of think you’ve found it. Nope. Don’t download the extension unless you know exactly what you are getting.

If you need any further proof, here is a short list of five major malicious AdGuard extensions named in their research. All of them have since been retrieved by Google and all had between 30,000 and over 10 million users. I also added the names of the legitimate extensions. Can you tell which is which?

  • Adblock
  • AdRemover for Google Chrome
  • uBlock Plus
  • uBlock Origin
  • AdBlocker Ultimate
  • Adblock pro
  • HD for YouTube
  • Auto HD for YouTube
  • Webutation

Difficult, right? And while a quick Internet search can usually help you determine if an extension is legitimate or not – since reliable extensions are more likely to have strong recommendations from a number of legitimate tech and news sites – it’s not an ideal method.

You could still be fooled if someone on the forum recommends a rogue extension like uBlock Plus and you take it for granted. When in doubt, consider the authenticity of what you are looking for. For example, if Gizmodo offers to download uBlock Origin, but then Reddit user “poopchute88” says uBlock Plus is the best browser extension ever – well, we hope you trust our friends around the corner.

View extension description

Even the best extension writers may not be word masters, so you should give this advice a little thought. If you are reading the description of an extension and feel that it does not suit you – maybe there are some strange phrases, horrible spelling mistakes, or it all just seems a little wrong – you can do additional research on the legitimacy of the extension.

Also, just because an extension uses open source terminology does not mean that it is legal. Let’s take a look at the language used to describe AdRemover for Google Chrome, one of the malware extensions mentioned in the AdGuard report:

“Disclaimer: This extension is not affiliated with or in any way affiliated with any other software or ad blocker. The GPLv3 code from Adblock is used and listed in the source code. Improved ad blocking, tracking protection, and bitcoin mining protection. “

Sounds a little more like a real expansion, doesn’t it? Oh no. But the fake extension is no doubt trying to create the impression that it is a natural evolution of a number of legitimate sounding extensions:

Open Source: Code used in this ad block extension: Chrome Adblock Base Template, Adblock Pro Banner Implementation, Chrome Source Adblock Custom Statistics before Adblock Plus Code, Google Analytics Superblock – Adblock, Filter List Extension for uBlock Adblocker , pop-up code from Adguard Adblock, stats from Fair Adblock, Adblock Super options page, pop-up blocker inspired by the pop-up blocker for Chrome ™ – Poper Blocker. “

In fact, the creator of the extension is probably just trying to use keywords as much as possible to increase the likelihood of this malware appearing when users search for legitimate extensions it links to. Compare this description with part of the description of, for example, the beloved (and legitimate) Adblock Plus :

“Adblock Plus is an easy-to-use, customizable ad blocking extension that puts you in control of your Google Chrome experience. Block annoying and intrusive ads to make your Internet experience more convenient and understandable. Blocking ads also reduces the risk of infection from malicious ad campaigns. Users can also add personal filters and whitelist websites.

Adblock Plus is an open source project used by millions of people around the world. Hundreds of volunteers contribute daily to ensure that all intrusive ads are blocked. “

Could a malware creator write such a simple description? Certainly. Again, we are not trying to point to one specific example that separates a legitimate extension from malware. That said, you’ll probably start to notice that the malware description doesn’t quite pass the odor test – and even if it does, there is still a bit more to investigate.

Check for fake reviews

Some malware authors are disingenuous and try to legitimize their extensions, assuming they are verified by authentic news sources. While anyone can lie, it is easy to catch those who make absolutely no effort to create a fake trail for their malware. Again, let’s look at the example from the fictitious AdRemover extension for Google Chrome. In its description, you would find the following:

“Along with other adblock software” – MediumTech Default filter lists work great with this ad unit” – FrugalLiving “Some missing features but easy-to-use ad unit” – FrugalLiving “Slower than uBlock but more intuitive interface” – Zing “

It’s almost too easy. First, there is no tech review site called MediumTech, no FrugalLiving, no Zing. But even if any of these sites exist, you can also just copy and paste the quotes right into your favorite search engine. In this case, they are not matched against any of the listed tech review sites – and, in fact, it just appears that the malware extension appears in search results. Hmmmm .

The same is true for the AdRemover “tests” for Google Chrome listed in its description:

Tested by Raymonds Tech Ressources [yes, the malware developer even spelled the name of this fake website incorrectly]

– Performance test – Tracker protection 5% faster average load time against Adguard

– Performance test – Average load time of Adblock is 90% faster compared to no Adblock software, average download time is 2% higher compared to Superblock – Adblocker is 5% faster average download time is compared to Adguard – Adblocker is 62% less peak CPU usage compared to Adblock Pro 12% less peak CPU usage compared to Superblock – Adblocker and Adguard – Adblocker

As fast as Adblock Pro, just block ads! and Adblock Super, but with additional blocked trackers.

Again, there is no site called “Raymonds Tech Ressources” or even called “Raymonds Tech Resources”. Even if that were the case, a quick Internet search could easily confirm two things: whether this site is legitimate and whether the site has actually published the tests that the extension refers to in its description.

While we assume that a super-smart malware creator might create multiple sites with fake reviews to make the extension look legitimate, most don’t like the effort. Heck, most don’t even create websites for their own extensions, as Make Tech Easier points out:

“Most malware remover extension creators are too lazy to create completely new websites. Instead, they usurp the identities of other developers (eg AdRemover vs. Ad Remover and uBlock Adblocker vs. uBlock Plus Adblocker). Others won’t even create websites for their extensions (Superblock is a great example).

Don’t believe, don’t check; just search for a legitimate website and activate the extension from there. Or if you’re even a little lazy like me, search for what’s popular, find a legitimate source for it, and then turn it on. “

Count the commentators

Just because someone has good experience with an extension doesn’t mean it’s legal. However, if an extension seems fairly new and doesn’t have many reviews, but each review gives it a five-star rating with a bit of text that seems a little unnatural, you should consider the extension suspiciously. Here are some examples you might see on the AdRemover for Google Chrome page:

Giovanna S. – ★★★★★ “Good ad blocker! Highly recommended for Chrome users! “

Rwanda S. – ★★★★★ “My favorite ad blocker.”

Lewis A. – ★★★★★ “I hated this ad on Facebook so much, so I installed an ad blocker. Thank you”

Cecilia – ★★★★★ “Great ad blocker !! Blocked all unwanted and annoying pop-ups! Never without Adblock. “

Patricia D. – ★★★★★ “Don’t get bored with unwanted ads anymore. Great app. The best ad unit “.

Alden D. – ★★★★★ “I love AdRemover Adblocker. It’s great! The same is the best. No more ads. The user is a different ad blocker, but that’s good. “

Perhaps the users of the new extension consider it the best since Netscape. But these reviews seem a little odd to us: misspellings like “I hated this Facebook ad”; strange comments like “I love AdRemover Adblocker”, which is not even the name of the extension; and the harshness of most five-star reviews that don’t really mention any features or use cases, just their love of expansion. If your spider-sense isn’t tingling already, it should be.

More…

Leave a Reply