FYI: There are thousands of Chrome extensions with so, so many fake installations to trick you into using them
Unethical developers drum up bogus user counts to gain trust
Efforts to manipulate installation counts in Chrome Web Store extension listings appear to be alive and well, despite a developer's personal crusade to call attention to the problem.
Julio Marin Torres has been highlighting suspiciously popular Chrome extensions since January in posts to the Chromium Extensions forum, trying to get Googlers to enforce their store policies.
In an email to The Register, he said Google has taken some action since his initial posts on the subject, but the problem has only gotten worse since then. "Something has to change," he said. "I think this hurts the entire Chrome Store developer and user community."
There are still thousands of extensions in the Chrome Web Store that artificially inflate their user count statistics, to make store visitors more inclined to believe the extensions are widely used and trustworthy.
But Torres suggests there's a risk this code could later be updated after the extension is widely installed to do something more nefarious. Torres has been gathering Chrome Web Store data and crunching the numbers to identify sudden surges in popularity.
A list he posted on May 17 includes more than 80 Chrome extensions that purport to have massive numbers of users and yet have few if any user reviews. For example, the Fortnite New Tab & Wallpapers Collection has over a million users and not a single person has bothered to post a review.
In another post over the weekend, he identified the top 10 extensions with the most fake installations in the past 24 hours. In a day, the Naruto Wallpaper HD Custom New Tab gained over 223,000 users, an increase of more than 800 per cent.
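The two signals described above, a one-day surge in users and a large user count with almost no reviews, can be checked mechanically over store snapshots. The following is an added example, not code from Torres or The Register; the thresholds, field names and sample listings are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Snapshot:
    name: str
    users_prev: int  # user count in the earlier snapshot
    users_now: int   # user count 24 hours later
    reviews: int     # reviews shown on the listing

# Thresholds are assumptions for illustration, to be tuned on real data.
SURGE_PCT = 300.0           # day-over-day growth that counts as a surge
MIN_SURGE_GAIN = 50_000     # ...but only when the absolute gain is also large
MIN_USERS = 100_000         # review ratio is too noisy below this size
MIN_REVIEWS_PER_100K = 1.0  # fewer reviews than this per 100k users is odd

def growth_pct(s: Snapshot) -> float:
    if s.users_prev <= 0:
        return float("inf") if s.users_now > 0 else 0.0
    return (s.users_now - s.users_prev) / s.users_prev * 100.0

def signals(s: Snapshot) -> list[str]:
    found = []
    if s.users_now - s.users_prev >= MIN_SURGE_GAIN and growth_pct(s) >= SURGE_PCT:
        found.append("surge")
    if s.users_now >= MIN_USERS:
        if s.reviews / (s.users_now / 100_000) < MIN_REVIEWS_PER_100K:
            found.append("no-reviews")
    return found

def triage(snapshots: list[Snapshot]) -> list[tuple[str, list[str]]]:
    """Return listings with at least one signal, most signals first."""
    flagged = [(s.name, signals(s)) for s in snapshots]
    return sorted((f for f in flagged if f[1]), key=lambda f: -len(f[1]))

# Constructed sample data; names and numbers are placeholders, not real listings.
SAMPLE = [
    Snapshot("newtab-a", 27_000, 250_000, 0),               # surge and no reviews
    Snapshot("newtab-b", 1_000_000, 1_004_000, 0),          # big, silent user base
    Snapshot("established-c", 2_000_000, 2_010_000, 4_200), # normal listing
    Snapshot("small-d", 40, 400, 2),                        # 900% growth, tiny gain
    Snapshot("viral-e", 20_000, 120_000, 310),              # surge, but reviewed
]

if __name__ == "__main__":
    for name, sig in triage(SAMPLE):
        print(f"{name}: {', '.join(sig)}")
```

A surge on its own, as with `viral-e`, is a prompt for manual review rather than evidence of fake installations; the combination of both signals is the stronger indicator.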
Other developers who have looked at the data say they've seen the same thing. The assumption is that unethical developers are spinning up virtual machines to download the extensions, to make them appear to be more popular in Chrome Web Store stats.
Torres said his efforts may be a lost cause because the abuse has been going on for so long, but his complaints haven't gone unnoticed. Several individuals – based in Russia to judge by the presence of Russian words in their forum replies yet sporting names that are common in the US – have tried to discourage him from speaking out by suggesting it's a waste of time to call attention to the problem.
"I see that most extensions or accounts with fraudulent installs come from developers from Russia," he wrote.
Torres said the buying and selling of fake users involves bad developers, companies, crime groups, and bot farms, especially in China, India, and Russia. He provided The Register with a screenshot of a chat with an individual going by the name "Aleksey" offering fake installations for a monthly fee.
Other extension developers participating in the discussion have thanked Torres, noting that it's odd to criticize efforts to improve the Chrome Web Store unless you're part of the problem.
"From another perspective it adds insult to injury so to speak... seeing as how a lot of us 'legit' extension authors are struggling from week to week to get legitimate updates approved in this bizarrely broken review process while at the same time seeing so many fraudulent or simply 'spammy' extensions get through / staying published.... super demotivating…," an individual posting under the name SoerenM wrote on Wednesday.
"In the end I think that the Chrome Web Store does not take good care of its developers and forgets the most important thing: the users," said Torres.
Google did not immediately respond to a request for comment. ®