Naked Security

Google pulls more fake adblockers from Chrome Web Store

Google has again been reprimanded for not spotting fake extensions impersonating popular brands in its Chrome Web Store.

The victims this time were AdBlock by AdBlock Inc (easily confused with legitimate extension AdBlock by getadblock) and uBlock by Charlie Lee (similar-sounding to uBlock.org’s uBlock or Raymond Hill’s uBlock Origin).

The impersonation was made public in a blog by rival adblocker maker, AdGuard, whose Andrey Meshkov decided to take a closer look at the fake software’s behaviour.

The short and surprising answer is that they do block ads, which is perhaps not a huge ask given that both appear to have been based on the same code as the original AdBlock.

However, according to Meshkov, 55 hours after installation, they start doing something called ‘cookie stuffing’, a common ad fraud technique.

Cookie stuffing

Normally, an eCommerce website will check cookies to work out how that user arrived at their site, paying a fee to the affiliate responsible when a purchase is made.

It’s a hidden cornerstone of the internet economy which criminals subvert by ‘dropping’ floods of cookies on to a computer to make it appear the user clicked on an affiliate ad when they didn’t.

Because only a small number of users will make a purchase from a site, the fraudsters need to sneak their cookie stuffing programs on to as many computers as possible. Writes Meshkov:

These two add-ons have more than 1.6 Million ‘weekly active users’, who were stuffed with cookies of over 300 websites from Alexa Top 10,000. It is difficult to estimate the damage, but I’d say that we are talking about millions of USD monthly.

Left unchecked, this sort of scam could cost large brands a lot of money, which explains why a handful of people accused of it in the US have ended up in jail.
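For defenders, the pattern described above (affiliate cookies for many merchants appearing without the user clicking anything) can be looked for in browser or proxy telemetry. The sketch below is an added example, not code from AdGuard or this article; the event fields, the cookie names and the `extension:EXAMPLE_ID` initiator are assumptions, and the sample data is constructed.

```javascript
// Added example: event fields and cookie names are assumptions, not a real log schema.
const AFFILIATE_COOKIES = new Set(["aff_id", "affiliate_id", "partner_id"]);

// Flag clients where requests the user did not initiate set affiliate cookies
// for at least `minMerchants` distinct merchants within `windowMs`.
function findStuffedClients(events, { minMerchants = 3, windowMs = 60000 } = {}) {
  const byClient = new Map();
  for (const e of events) {
    const setsAffiliate = e.cookiesSet.some((name) => AFFILIATE_COOKIES.has(name));
    if (e.userInitiated || !setsAffiliate) continue; // a real click-through is legitimate
    if (!byClient.has(e.client)) byClient.set(e.client, []);
    byClient.get(e.client).push(e);
  }
  const distinct = (list, key) => [...new Set(list.map((e) => e[key]))].sort();
  const findings = [];
  for (const [client, list] of byClient) {
    list.sort((a, b) => a.ts - b.ts);
    let start = 0;
    let best = [];
    for (let end = 0; end < list.length; end++) {
      while (list[end].ts - list[start].ts > windowMs) start++; // slide the window
      const win = list.slice(start, end + 1);
      if (distinct(win, "merchant").length > distinct(best, "merchant").length) best = win;
    }
    const merchants = distinct(best, "merchant");
    if (merchants.length >= minMerchants) {
      findings.push({ client, merchants, initiators: distinct(best, "initiator") });
    }
  }
  return findings;
}

// Constructed sample telemetry (timestamps in ms).
const SAMPLE_EVENTS = [
  // ws-01: genuine click on an affiliate link, must not be flagged
  { ts: 0, client: "ws-01", merchant: "shop-a.example", userInitiated: true, initiator: "tab", cookiesSet: ["session", "aff_id"] },
  // ws-02: background requests stuffing three merchants in three seconds
  { ts: 1000, client: "ws-02", merchant: "shop-a.example", userInitiated: false, initiator: "extension:EXAMPLE_ID", cookiesSet: ["aff_id"] },
  { ts: 2000, client: "ws-02", merchant: "shop-b.example", userInitiated: false, initiator: "extension:EXAMPLE_ID", cookiesSet: ["partner_id"] },
  { ts: 3000, client: "ws-02", merchant: "shop-c.example", userInitiated: false, initiator: "extension:EXAMPLE_ID", cookiesSet: ["aff_id"] },
  { ts: 4000, client: "ws-02", merchant: "shop-d.example", userInitiated: true, initiator: "tab", cookiesSet: ["session"] },
  // ws-03: two background affiliate cookies ten minutes apart, below threshold
  { ts: 0, client: "ws-03", merchant: "shop-a.example", userInitiated: false, initiator: "tab", cookiesSet: ["aff_id"] },
  { ts: 600000, client: "ws-03", merchant: "shop-b.example", userInitiated: false, initiator: "tab", cookiesSet: ["aff_id"] },
];

console.log(JSON.stringify(findStuffedClients(SAMPLE_EVENTS), null, 2));
```

The threshold and window are tuning knobs: a delayed start such as the 55 hours reported here means the baseline period after installation will look clean, so the check has to run continuously rather than once.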

Extension confusion

If cookie stuffing has been going on forever, why does it keep happening?

Remember, this affects everyone – the users who end up with possibly dangerous software on their computers, the brands paying for bogus clicks, and the legitimate extension makers who have their brands hijacked.

It’s a problem that nobody seems to have the answer to, least of all Google, which is often caught flat-footed by fakes sitting in plain sight. Meshkov says Google ignored his reports until the story went public and the rogue extensions were finally taken down.

That brings to mind the weeks it took Google to take down a rogue version of AdBlock Plus in 2017, to pick just one example – this is certainly not a one-off.

Obviously, the buck should stop with Google on its own site, but identifying legitimate software is often very difficult. For example, adblockers all tend to look the same, right down to their names and the colours and appearance of their branding.

Even the gold standard of judging an extension or app by its number of users wouldn’t have worked, because the fakes themselves had been downloaded hundreds of thousands of times.

No matter how hard Google says it’s working to stop them, the most effective extension detectives are still researchers, security companies and the users themselves, something Google acknowledged when it recently expanded its Developer Data Protection Reward Program (DDPRP) and Google Play Security Reward Program (GPSRP).

As far as we can tell, these don’t reward the simple issue of calling out fakes when it’s not clear what they might be doing at a deeper level.

That’s a shame because finding malicious or fake programs is also about finding them quickly. Google should be edging towards a system that incentivises users to report suspect extensions, even if it means getting set up to handle a flood of false positives.

3 Comments

“why does it keep happening” It’s simple, Google rely on way too much automation. It’s not just extensions either, the play store is still riddled with the garbage. We call it in the US, Cybersquatting for domains, but it should be extended to apps and extensions.

The problem is that we’re stuck in a feedback loop started by ad makers. Ads became more and more intrusive which led to ad blockers, ad blockers led to less profits for ad makers so ad makers made their ads harder to block, ad blockers became more complex to combat the hard to block ads and blocked even more ads in the process which led to ad blockers making even harder to block ads……………

All this has everyday people stuck in the middle and to do anything on the internet now you have to have an ad blocker. This environment is ripe for abuse by bad actors taking advantage of low information users.

Google, on its part, relies heavily on ad revenue which means it has little incentive to do anything about fake ad blockers. Google even struck a deal with Adblock Plus to allow its ads through which is just one of many reasons why it’s uBlock Origin FTW.

Maybe goog should stop having an app store since they can’t manage it properly.
It’s like a grocery store and half the products have broken glass in them.
