On Wednesday, Google nuked two ad-blocking Chrome extensions that appear to have been designed to conduct affiliate-marketing fraud.
Andrey Meshkov, co-founder and CTO of AdGuard, said the two extensions used names that are confusingly similar to two better established ad blockers, Adblock Plus and uBlock Origin, and that this alone should deter people from using them.
Google responded to an email from The Register to confirm that it had removed the dodgy add-ons from its online Chrome extension store, though the web giant's spokesperson ignored questions about why it removed them and why it allows extensions with confusingly similar names to coexist in its browser software bazaar.
Deceptive names have been a problem in Google's Chrome Web Store for years, as they have been in other app stores, to say nothing of look-alike domain names. AdGuard last year pointed out that five fake ad blockers had over 20m active users. They were removed, eventually.
Reports of uBlock Origin imitators surfaced in 2016 though the problem is older still. Even today, after the removal of the uBlock offered by "Charlie Lee," extensions with confusingly similar names can still be found. A search for "uBlock" returns three results, only one of which is developer Raymond Hill's well-regarded uBlock Origin content-filtering extension.
Among the other two results – another "uBlock" and "uBlock Plus Adblocker," Hill last year said via Twitter that the latter is malicious. And yet it's still available.
But the problem goes beyond deceptive naming. As Meshkov points out, the most troubling issue with AdBlock and uBlock is that they incorporate code for cookie stuffing, a form of ad-fraud that involves quietly adding cookies to a user's browsing session to collect unearned affiliate fees from e-commerce sites.
The extensions also appear to have been designed to evade an initial security screening: According to Meshkov, they function normally for 55 hours before they start misbehaving. And, he said, they contain anti-forensic code that disables cookie stuffing as soon as the browser's developer console gets opened.
Meshkov estimates that these two Chrome extensions had more than 1.6 million weekly active users and generated millions of dollars a month through the cookie-stuffing scheme.
Google is in the midst of a revision of its extension platform called Manifest v3 that aims to make Chrome extensions faster, more secure and more capable of privacy protection, at the possible cost of making content blockers less effective. But Meshkov is skeptical the API rewrite will solve the security and privacy problems embodied in the two removed extensions. He argues that Google should heed advice offered by the Electronic Frontier Foundation to properly enforce its Chrome Web Store policies.
Augustine Fou, a cybersecurity and ad fraud researcher who advises companies about online marketing, echoed that sentiment in an email to The Register.
"Until Google App Store or any app store for that matter hashes the code of the app upon approval and then periodically/randomly checks if the code has been altered or additional code has been side-loaded, bad guys will just continue to get clean app code approved, and then later alter or side-load malicious code for various purposes like ad fraud, credential stealing, or worse," he said. ®