This is one “before and after” picture that we didn’t want to see. Someone contacted the original developers of Chrome extensions Add to Feedly and Tweet This Page with an offer to purchase. Thinking it was a good opportunity for a company with more time and money to further develop what they started, both developers sold perfectly nice apps. It wasn’t until the next automatic update that the true transformation was revealed.
Even though users didn’t know about the sale of the extensions, angry reviews indicated that a change had been made. The extensions were accused of spamming because an update had silently made them inject ads and affiliate links. Amit Agarwal, Add to Feedly’s original author, told PC World, “These aren’t regular banner ads that you see on webpages, these are invisible ads that work in the background and replace links on every website that you visit into affiliate links. In simple English, if the extension is activated in Chrome, it will inject adware into all webpages.”
Over the weekend, the two extensions were removed from the Chrome Web Store.
How to remove bad extensions and toolbars from your computer
“Both of these add-ons are categorized as ‘very bad’ in the avast! Browser Cleanup database,” said Thomas Salomon, head of AVAST Software’s Browser Cleanup development. “Browser Cleanup will remove them without any trace. This means they’ll be removed the same way as any other bad add-on/toolbar.”
avast! Browser Cleanup lists all poorly rated add-ons, extensions, and toolbars for the 3 major internet browsers, Microsoft Internet Explorer, Mozilla Firefox, and Google Chrome, and allows you to disable or remove them. It works by scanning the browser environment, then displays a list of any bad toolbars you may have, and asks if you want the offending toolbar removed. If you authorize it to do so, then Browser Cleanup will remove them.
There are more than 7,500,000 different browser extensions for the three main browsers. AVAST currently receives 1 million requests every day to remove browser toolbars. Read more about annoying toolbars from this blog post by Thomas Salomon.
1/21 updated number of browser extensions. It keeps growing!
By definition, adware is a program bundle which renders advertisements in order to generate revenue for its author. In a stricter sense, e.g. for security solutions, it means an application/installer whose nature lies somewhere between a potentially unwanted application and proper malware, like Trojans or spyware. It might use more or less aggressive methods, starting with tricks and ending with fraud, to achieve its goals to benefit its distributor, while staying as innocent as possible at first sight. We blogged about an adware downloader a year ago.
Now we focus on two selected adware examples: the first is a Windows installer called Linkular and the second is a well-known application called Genieo (with a focus on its OS X version). With both in the wild for a few months, detection by AV products has reached only partial coverage in both cases, with very similar numbers on VirusTotal (~10-20 %, see Sources below). However, the OS X adware Genieo is additionally flagged by OS X-specific security solutions. In terms of maliciousness, the Windows adware is far more dangerous and invasive than the OS X one, and also more so than the other Windows adware examples we usually see. Here’s the comparison:
| |Linkular (Windows)|Genieo (OS X)|
|---|---|---|
|Distribution strategy|Advertisement Network|unknown|
|Software Download site|coolestmovie.info|www.genieo.com|
|Rank on alexa.com|~4200|~3000|
|Masking|VLC Player + Addon|Flash Player (*)|
|Payload|SpeedUpMyPC; Multiplug; Bitcoinminer; OneStep/BasicServe|Codemc; Photo.it; Qtrax (**)|
|Change of browser start page|YES|YES|
|Persistence|YES (of payload)|YES|
|Obfuscation|YES (of payload)|NO|
|Digitally signed|YES (both installer & payload)|YES|

(*) masking is not connected with the official site, but with some of its distribution partners
(**) related to older installers; no longer present
Several months ago I wrote a blog post about an adware downloader which after execution downloaded a few adware programs and installed them on the computer, giving no chance for the user to skip or bypass their installation. This time, we will analyze an application which installs similar types of adware programs on user computers.
We received a file which appeared to be a crack of Pinnacle Studio HD Ultimate. After displaying the initial splash screen, it offers to install Pinnacle Pixie Activation 500. After confirmation, the crack is installed, but in addition to the crack, other programs and toolbars unexpectedly appear on the compromised computer. Pinnacle was not the only target of this kind of attack. Cracks for programs like Sims, Nero, Rosetta Stone, and Pro Evolution Soccer 2013 were also used in distribution.
Bad Piggies, the spin-off game to Rovio’s wildly popular Angry Birds, hit the online stores last week, and following in its sizable wake were fake versions designed to install an aggressive adware program into Chrome browsers. Reportedly, over 83,000 Google Chrome users have been infected.
Cybercrooks found a niche because Bad Piggies is only available for Android devices on Google Play (free) or Apple devices ($0.99 for iPhone and $2.99 for iPad) on iTunes. Free versions of Bad Piggies that claimed to be from the creators of Angry Birds appeared on the Chrome web store shortly after the release. The top 3 listed are called Bad Piggies, but they are from different companies: padeba, gametc.com, and the HD version from HitsGames. They have over 13,000 downloads.
Reviews of the games reveal the anger and disappointment of Rovio fans.