Google pulls malware Twitter and Feedly extensions for Chrome

LONDON — Google has removed two Chrome browser extensions from its store after they were found to be installing malicious software on users’ computers and serving intrusive ads.

The two extensions began as legitimate tools to connect to Twitter and for the RSS service Feedly, but were then bought and subverted by companies selling invasive, poor-quality advertising. They used the extensions as a platform to hijack Google searches, redirect links to adverts and serve intrusive adverts to unsuspecting users.

Extensions are normally used to add specific functions to a browser, much like apps on a mobile phone.

Google’s Chrome Web store policies specifically prevent developers from inserting advertising on more than one part of a page, with strict guidelines to which they must adhere.

Invasive advertising tools, or adware, have taken advantage of the automatic update feature of Google’s Chrome browser that allows the browser and extensions to be silently updated in the background without user interaction.

The developer of one extension, Add to Feedly, which had about 32,000 users, revealed how he had sold his extension to an unknown buyer for an undisclosed small sum. “It was a four-figure offer for something that had taken an hour to create and I agreed to the deal,” wrote Mr Amit Agarwal, developer of the extension.

The unknown new owner then added code into the browser extension, which was silently installed on users’ computers through the update mechanism, to serve invasive advertising as people browsed the Internet.

A similar situation occurred with another small extension called Tweet This Page, which was silently altered to serve ads, redirect links and hijack Google searches.

Developers of larger Chrome extensions have been approached in a similar manner by third parties.

“Over the past year, we’ve been approached by malware companies that have tried to buy the extension, data collection companies that have tried to buy user data and adware companies that have tried to partner with us. We turned them all down,” said the developer of the popular Honey Chrome extension that has about 300,000 users.

Once installed, the malware cannot be detected through traditional means, including through the use of anti-malware or antivirus software. The malware can be removed by uninstalling the Chrome extension.

Discovering that a Chrome extension is causing the issue is difficult even for experienced users, due to the silent update mechanism being used to deliver the hijacked extensions.

Similar issues have been seen affecting Firefox add-ons as well as other browsers.

The Guardian understands that Google is aware of the issue and is in the process of addressing the problem, according to a blogpost last month detailing its Chrome store policy changes. THE GUARDIAN