A researcher with AdGuard discovered five fake ad-blocking extensions in the Chrome Web Store that used hidden scripts to manipulate users' browsers. The good news is, after AdGuard published the report, the Chrome team removed all five of the extensions from its store.
Unfortunately, AdGuard's Andrey Meshkov reports that the extensions he discovered had more than 20 million users. Posing as ad blockers, the malicious extensions simply copied code from real ad blockers and then added to them.
"All the extensions I've highlighted are simple rip-offs with a few lines of code and some analytics code added by the 'authors,'" Meshkov wrote. "Instead of using tricky names they now spam keywords in the extension description trying to make to the top search results."
If the fake ad blockers make it to the top of the search results in the Chrome Web Store, they can get tens of millions of downloads. One of the extensions uncovered by Meshkov had more than 10 million users, and even the smallest - an extension called Webutation - still had 30,000 users.
"Being in the top [of search] is enough to gain trust of casual users," Meshkov explained.
The additional code added to 'AdRemover for Google Chrome' and the other extensions harvested information about users' web browsing and manipulated browser behaviour, Meshkov said.
"Basically, this is a botnet composed of browsers infected with the fake adblock extensions. The browser will do whatever the command center server owner orders it to do," he wrote.
We've reached out to Google for comment and will update if we hear back.