Suspicious browser extensions are relying on manipulating search results on the Google Chrome Web Store to rank higher than their legitimate counterparts.
This is according to the developers of two popular ad-blocking extensions available on the site.
Screenshots posted on Twitter this week show that a search result for ‘uBlock Origin’ – a web extension which has more than 10,000 users on Chrome alone – appears below multiple add-ons, some of which, it has been claimed, appear malicious.
A test on the Chrome Web Store performed by The Daily Swig confirmed that in a search query for ‘uBlock Origin’, the plugin appears third – below rival applications ‘NBlocker’ and ‘Adtrooper adblocker’.
Weighing in on the tweet, Raymond Hill, the developer of uBlock Origin, said: “I’m aware of this [issue].
“Even when narrowing to ‘Extensions’ [filter], uBO is listed fourth, after those sleazy extensions (which incidentally are all based on Adblock Plus’ code – with copyright and license notices removed).”
Hill added: “No ‘ublock’ used anywhere in the description of these extensions, it’s a mystery as to why they are reported as top matches while uBO is not.”
Hill also noted that this issue is not present in the web stores for Firefox or Safari.
“Seven years of never breaching user trust counts for nothing in the Chrome Web Store, sleazy extensions which are unrelated to the searched terms are listed first,” he said.
Gaming the ecosystem?
In a separate test, the developer of AdGuard, Andrey Meshkov, found that while his ad-blocker still came out on top in a search query for ‘Adguard’, a potentially suspicious extension followed closely behind.
After taking a further look at the plugin, ‘Adresist adblocker’, could contain malicious code, Meshkov warned.
“It loads Google Tag Manager (which allows remote execution of arbitrary scripts) and immediately uses it to load additional scripts: analytics and a script that handles uninstall. Of course, all this does not prove that this extension is malicious,” the developer wrote.
However, said Meshkov, the extension also contains little information about the developer, and its privacy policy is hosted on Google Docs rather than a website, leading Meshkov to question its legitimacy.
Data privacy risks
Speaking to The Daily Swig, Meshkov said there are numerous reasons why a malicious actor might want to develop a fraudulent web extension.
Perhaps unsurprisingly, one prime motivating factor is the desire to secretly siphon sensitive user data, including their browsing history, as well as to embroil users in ad-fraud schemes.
“Extensions are really easy to create, they just copy an existing popular open source extension, change the code a little, add their malicious stuff on top of it, and here we go, the malware is ready,” Meshkov added.
“What’s even more important, the Chrome Web Store is an awesome distribution channel for them. Being in the search top results allows them to get a lot of people to install their software for free.”
Meshkov said he has previously contacted Google regarding a similar instance to the Web Store issue, but said that Google does not disclose how its search algorithms work.
“They are hiding it to make it harder to manipulate search results,” he said. “Unfortunately, security through obscurity does not seem to be working in this case.”
The Daily Swig has reached out to Google for further comment, but we are yet to hear back.
