After takeover, Nano Adblocker on Chrome contains malware that distributes Instagram likes

The ad block extensions Nano Adblocker and Nano Defender contain malware. The original developer recently sold the extensions and since a few days the new owners have been using them to take over active Instagram sessions and share likes with them.

The malware seems to be only in the two Chrome extensions for now. The Firefox version is still clean. Nano Adblocker and Defender were downloaded more than 300,000 times in Chrome. Recently, the developer announced that he would no longer work on the code due to time constraints. He sold the project to new developers. He did not disclose who they were. Meanwhile, other developers have discovered that the extensions contain malware. One of them is Raymond Hill, who also designed uBlock Origin, on which Nano Adblocker is based.

From now on, the extensions first check whether a console is open in the browser, Hill discovered. So if someone tries to parse the extension’s code, it changes its behavior so that it is difficult to figure out exactly what is happening. Users of the extension note that their Instagram accounts are handing out hundreds of likes to random photos from random accounts.

It is not entirely clear how the malware works. Some users say that they had no active Instagram sessions open in their browser and that the malware manages to steal authentication cookies. There are also suspicions that the malware is trying to steal GitHub and Outlook sessions, but that does not seem successful as yet. Hill recommends that users close all of their active Instagram sessions, including those on other devices. The Nano software has since been removed from the Chrome Store.