Google has removed a malicious extension from its Chrome Web Store that posed as the popular AdBlock Plus ad blocker but forcibly opened new tabs to show ads to users.
Discovered by a security researcher going by the pseudonym of SwiftOnSecurity, the extension [1, 2] had over 37,000 users at the time it was taken down late last night.
Not entirely Google's fault
As the researcher points out in a Twitter tirade aimed at Google's staff, the problem was that Google allowed another developer to upload an extension with the same name as an existing one.
"Google allows 37,000 Chrome users to be tricked with a fake extension by [a] fraudulent developer who clones popular name and spams keywords," the expert said. "Legitimate developers just have to sit back and watch as Google smears them with fake extensions that steal their good name."
Users could have spotted the fake extension based on the blob of unrelated keywords the fraudulent developer added to the extension's description. These hot keywords allowed the fake extension to pop up in unrelated search queries.
Also, if users had checked the extension's Reviews tab, they could have averted a disaster, as most users decried the extension's abusive tab-opening behavior.
Happened before in 2015
This is not the first time that Google allowed a fake, malware-laden AdBlock Plus extension on its Chrome Web Store. Something similar happened two years ago, in 2015. That extension, too, was caught delivering adware.
Situations like these happen because the process of uploading extensions on the Chrome Web Store is automated and Google employees only intervene after incidents such as this one. This automated process has allowed Google to build its Web Store, which has surpassed Mozilla's add-ons repository to become the biggest browser extensions portal among all browsers.
For this particular case, it appears that the extension's developer might have used a different ID from the one used by the original AdBlock Plus extension and might have taken advantage of a homograph attack using Cyrillic characters in the extension's ID to bypass Google's Web Store checks.
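A store-side check for the lookalike trick described above could look like the following. This is an added example, not code from Google or the original article; the lookalike table is a small constructed subset, and the protected-name list and function names are hypothetical.

```python
import unicodedata

# Constructed, partial table of Cyrillic letters that render like Latin ones.
# A production check would use the full Unicode confusables data (UTS #39).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K",
    "\u041c": "M", "\u041d": "H", "\u041e": "O", "\u0420": "P",
    "\u0421": "C", "\u0422": "T", "\u0425": "X",
}

PROTECTED_NAMES = ["AdBlock Plus"]  # hypothetical list of established names


def scripts_used(text):
    """Return the scripts of all letters, taken from their Unicode names."""
    return {
        unicodedata.name(ch, "UNKNOWN").split(" ")[0]
        for ch in text
        if ch.isalpha()
    }


def skeleton(text):
    """Fold known lookalikes to Latin, then case-fold and drop whitespace."""
    text = unicodedata.normalize("NFKC", text)
    folded = "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in text)
    return "".join(folded.casefold().split())


def review_submission(name, protected=PROTECTED_NAMES):
    """Classify a submitted name or identifier against protected names."""
    for known in protected:
        if skeleton(name) == skeleton(known):
            if name == known:
                return "exact-duplicate"
            if "CYRILLIC" in scripts_used(name):
                return "homograph"
            return "near-duplicate"
    # Not a clone of a protected name, but mixing scripts is still suspicious.
    if len(scripts_used(name)) > 1:
        return "mixed-script"
    return "ok"
```

Anything other than "ok" would be held for human review instead of being published automatically.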