Another round of click-fraud extensions pulled from Chrome Store

A security researcher has claimed that a cumulative half a million Chrome users have been hit by four malicious browser extensions pushing click and SEO fraud. Icebrg's Justin Warner and Mario De Tore spotted the extensions while investigating a spike in outbound traffic from a workstation in a customer's network. The company …

  1. Dwarf

    Store benefits

    Wasn’t one of the supposed benefits of these vendor-provided stores that they only contained legitimate apps?

    1. I ain't Spartacus Gold badge

      Re: Store benefits

      Well to be fair, other vendors' stores seem to be relatively safe. It's Google's that keeps coming up repeatedly, and Google that do the least checking of what they allow in.

      So while the idea of a vendor store isn't perfect - I'm not sure if the problem isn't actually Google.

      1. RyokuMas

        Re: Store benefits

        "It's Google's that keeps coming up repeatedly"

        They're also a victim of their own success - regardless of how they managed it, Chrome is currently the most popular browser, and thus the biggest target. The same for Android on mobile, and Windows on desktop - if Google manage to raise Chrome OS's market share above a rounding error to something with a bit more presence, I'd wager that will be targeted too.

        But right now, the spotlight is very much on Google as more and more people are starting to realise just how far they have descended from their "Don't be evil" ivory tower into the pit of money-grubbing corporate greed, and just how much control they potentially have over the information we can access.

        1. I ain't Spartacus Gold badge

          Re: Store benefits

          To be fair to Google I think they have a problem with corporate culture, rather than that they're just evil and greedy.

          Although I also think they're greedy. Oh and arrogant.

          I wouldn't use the word evil though. They brought that on themselves by saying don't be evil - but I'd use another of their quotes, "we want to go up close to the creepy line but not cross it." So creepy and greedy seem fine. And smug. Did I mention arrogant?

          But I think that Google genuinely buy some of their own bullshit about how you can solve all problems with computers and completely free information. They also use it as an excuse to steal people's personal data or abuse people's copyright on Youtube for gain. So like most of us a mix of some clever long-term planning, some idealism, some greed and a large dollop of self-justification.

          That culture causes some of these mis-steps (like trying to do all the app store testing automatically and not with humans). I'm sure the greed bit applies here a bit too. But then the huge dose of arrogance kicks in, in not fixing the problem when it should be obvious that you can't just solve these problems by chucking more processors at them.

          It's why I think Google will generally fail in the consumer electronics market. They don't do messy stuff like customer services or admitting that they could possibly have got anything wrong. And they assume that everyone lives in a world of having data connection (and infinite allowance) wherever they go. And they just seem to prefer computers to people. As I said creepy. And arrogant.

          1. Chemical Bob

            Re: Store benefits

            Exactly - their corporate culture is evil and greedy...

  2. Anonymous Coward

    to inject unsafe JavaScript

    There's another type of JavaScript?

    1. Anonymous Coward

      So which language is it that only creates safe code?

      Sick of JavaScript getting blamed for shit coding.

  3. Anonymous Coward

    'after which obfuscated JavaScript was fetched from'

    Imagine if the perps spent the time on legit projects...

    Imagine what could be achieved as the saying goes...

  4. jaywin

    Users stung?

    If all these were doing was generating clicks on ads, is it really the users that have been stung, or is it rather the advertisers / Google?

    1. Steve the Cynic

      Re: Users stung?

      A bit of both, probably. Over time, the extra traffic generated by the clicks will add up for the end-user. If you're on a spectacularly miserly metered tariff, you could end up with your Internet access severely throttled and/or charging you money for overages. (Especially if you're handwaving tethered access over mobile, for example, where limits tend to be much lower.)

      Depends on how enthusiastic the click-fraud thing is, I guess.

    2. I ain't Spartacus Gold badge

      Re: Users stung?

      Well in a lot of cases Google actually profit from click fraud. As do big sites like Facebook and the other ad networks. Which is probably why so little effort is made to avoid it.

      1. horse of a different color

        Re: Users stung?

        Yes, the elephant-in-the-room is companies like Google profiting from click fraud. It's not exactly giving them an incentive to fight it. I suspect that if Google were legally obliged to repay fraudulent views/clicks, then click fraud would rapidly disappear.

  5. Anonymous Coward

    Why doesn't network traffic get checked as part of application validation

    This stuff sticks out a mile when looked for. There's no excuse, other than not giving a fuck, for Apps to be approved without being checked for common malicious behaviour.

    1. Anonymous Coward

      Re: Why doesn't network traffic get checked as part of application validation

      Because it has some kind of delay, so it waits a month. Or it waits until 10MB of data has been downloaded. Or it downloads non-malicious updates first. Or it's looking for Google monitoring software. Or... you get the picture...

  6. Mahhn


    I wonder if google sent anyone notice of what they downloaded?

    I'll bet a snickers bar the answer is: no.

    1. elregelreg

      Re: Notice

      > I wonder if google sent anyone notice of what they downloaded?

      Good point, they should be emailing out RECALL notices.

  7. Roland6 Silver badge

    Bug bounty?

    So are Google going to offer Justin Warner and Mario De Tore a reward for their efforts?

    Whilst Google doesn't develop the apps in the store, they do make claims about the store and the quality of apps it makes available. Thus any app that is up to no good has the potential to knock Google's reputation. So it is in Google's interest to offer rewards and bounties to researchers who uncover malicious apps that have sneaked under Google's radar.
