Malware makers buy Chrome extensions to distribute malicious updates

Ad and malware creators buy up smaller Chrome extensions to inject malware and ads into the extensions and distribute them as updates. Since Chrome updates extensions automatically, many users don’t realize where the ads are coming from.

Chrome extension makers can sell ownership of their extension, but users of that extension won’t see it, and even if an update is released that changes the extension’s functionality, it will happen quietly, OMGCHrome writes. Since many users have multiple extensions installed and, moreover, users do not immediately think of extension updates, adware and malware creators can go about their business undisturbed. It is unknown how many extensions are involved so far.

OMGCHrome refers to an example of the Add To Feedly extension, which adds a button to Chrome to add a website’s feed to the widely used RSS reader Feedly. The extension’s creator was offered a “four-zero amount” for its 30,000-user extension. He got paid, after which the new owner released an update after some time that adds advertisements.

The ads are usually impossible to disable and are added to pages that users visit. For example, the Smooth Gestures extension, an extension that enables swipes in Chrome and has half a million users, shows ads on some pages over thumbnails of the page itself. Those ads cannot be turned off and according to one of the users, he even shows his advertisements during internet banking.

Other extensions exhibit similar behavior, though it’s unclear how many developers themselves have decided to add ads and how many were bought up first: the Chrome Web Store doesn’t show if an extension has changed hands. The step can often be seen because the reviews are first praise, after which users suddenly give critical reviews and report annoying advertisements.