https://arstechnica.com/information-tech...re-a-mess/    Google’s Android and Chrome extensions are a very sad place. Here’s why
It was a bad week for millions of people who rely on Google for apps and Chrome extensions.

Dan Goodin - 6/2/2023, 6:07 PM
No wonder Google is having trouble keeping up with policing its app store. Since Monday, researchers have reported that hundreds of Android apps and Chrome extensions with millions of installs from the company’s official marketplaces have included functions for snooping on user files, manipulating the contents of clipboards, and injecting deliberately unknown code into webpages.
Google has removed many but not all of the malicious entries, the researchers said, but only after they were reported, and by then, they were on millions of devices—and possibly hundreds of millions. The researchers aren’t pleased.
A very sad place
“I’m not a fan of Google’s approach,” extension developer and researcher Wladimir Palant wrote in an email. In the days before Chrome, when Firefox had a bigger piece of the browser share, real people reviewed extensions before making them available in the Mozilla marketplace. Google took a different approach by using an automated review process, which Firefox then copied.
“As automated reviews are frequently missing malicious extensions and Google is very slow to react to reports (in fact, they rarely react at all), this leaves users in a very sad place,” Palant said.
Researchers and security advocates have long directed the same criticism at Google’s process for reviewing Android apps before making them available in its Play marketplace. The past week provides a stark reason for the displeasure.
On Monday, security company Dr.Web reported finding 101 apps with a reported 421 million downloads from Play that contained code allowing a host of spyware activities, including:
  • Obtaining a list of files in specified directories
  • Verifying the presence of specific files or directories on the device
  • Sending a file from the device to the developer
  • Copying or substituting the content of clipboards.
ESET researcher Lukas Stefanko analyzed the apps reported by Dr.Web and confirmed the findings. In an email, he said that for the file snooping to work, users would first have to approve a permission known as READ_EXTERNAL_STORAGE, which, as its name implies, allows apps to read files stored on a device. While that’s one of the more sensitive permissions a user can grant, it’s required to perform many of the apps’ purported purposes, such as photo editing, managing downloads, and working with multimedia, browser apps, or the camera.
Dr.Web said that the spyware functions were supplied by a software development kit (SDK) used to create each app. SDKs help streamline the development process by automating certain types of commonly performed tasks. Dr.Web identified the SDK enabling the snooping as SpinOK. Attempts to contact the SpinOK developer for comment were unsuccessful.
On Friday, security firm CloudSEK extended the list of apps using SpinOK to 193 and said that of those, 43 remained available in Play. In an email, a CloudSEK researcher wrote:
The Android.Spy.SpinOk spyware is a highly concerning threat to Android devices, as it possesses the capability to collect files from infected devices and transfer them to malicious attackers. This unauthorized file collection puts sensitive and personal information at risk of being exposed or misused. Moreover, the spyware’s ability to manipulate clipboard contents further compounds the threat, potentially allowing attackers to access sensitive data such as passwords, credit card numbers, or other confidential information. The implications of such actions can be severe, leading to identity theft, financial fraud, and various privacy breaches.
The week didn’t fare better for Chrome users who obtain extensions from Google’s Chrome Web Store. On Wednesday, Palant reported 18 extensions that contained deliberately obfuscated code that reached out to a server located at serasearchtop[.]com. Once there, the extensions injected mysterious JavaScript into every webpage a user viewed. In all, the 18 extensions had some 55 million downloads.
On Friday, security firm Avast confirmed Palant’s findings and identified 32 extensions with 75 million reported downloads, though Avast said the download counts may have been artificially inflated.
It’s unknown precisely what the injected JavaScript did because neither Palant nor Avast could view the code. While both suspect the purpose was to hijack search results and spam users with ads, they say the extensions went well beyond being just spyware and instead constituted malware.
“Being able to inject arbitrary JavaScript code into each and every webpage has enormous abuse potential,” Palant explained. “Redirecting search pages is only the one *confirmed* way in which this power has been abused.”
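The capability Palant describes, running script in every webpage, is granted in an extension's manifest (content scripts or host permissions that match all sites). The following audit script is an added example, not code from the article or from any of the researchers; it reads the manifests under a Chrome profile's Extensions folder and reports which extensions hold that capability. The two manifests embedded in it are constructed for demonstration and do not describe any of the reported extensions. As the article notes for READ_EXTERNAL_STORAGE, the permission is also needed by legitimate ad blockers and translators, so a hit identifies capability to review, not malice.

```python
import json
import os

# Match patterns that grant script access to every site, in both the
# Manifest V2 and Manifest V3 spellings.
ALL_SITES = frozenset({"<all_urls>", "*://*/*", "http://*/*", "https://*/*"})


def broad_script_access(manifest: dict) -> list[str]:
    """List the ways a manifest lets the extension run code in every webpage.

    An empty list means the manifest confines the extension to specific sites.
    """
    reasons = []
    for cs in manifest.get("content_scripts", []):
        if ALL_SITES & set(cs.get("matches", [])):
            reasons.append("content script on all sites: " + ", ".join(cs.get("js", [])))
    # MV2 puts host patterns in "permissions"; MV3 moved them to "host_permissions".
    for key in ("permissions", "host_permissions"):
        if ALL_SITES & set(manifest.get(key, [])):
            reasons.append(f"{key} includes an all-sites pattern")
    return reasons


def audit_profile(profile_dir: str) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and report
    broad access keyed by extension ID (e.g. ~/.config/google-chrome/Default)."""
    findings: dict[str, list[str]] = {}
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return findings
    for ext_id in os.listdir(ext_root):
        ext_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in os.listdir(ext_dir):
            path = os.path.join(ext_dir, version, "manifest.json")
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8") as f:
                reasons = broad_script_access(json.load(f))
            if reasons:
                findings[ext_id] = reasons
    return findings


# Constructed sample manifests (hypothetical extensions, not any reported one).
BROAD_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Example ad blocker (hypothetical)",
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]
}""")

NARROW_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Example site helper (hypothetical)",
  "content_scripts": [{"matches": ["https://example.com/*"], "js": ["content.js"]}]
}""")

if __name__ == "__main__":
    for m in (BROAD_MANIFEST, NARROW_MANIFEST):
        print(m["name"], "->", broad_script_access(m) or "site-specific only")
```

Run `audit_profile` against a real profile path to get a short list of extensions worth a closer look; an extension that can script every page and also fetches code from a remote server, as the reported ones did, is the combination to treat as high risk.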


Am I infected?
With so many apps and extensions being reported by multiple researchers, some overlap exists. Still, there’s no dispute that in the past week, hundreds of malicious offerings downloaded millions of times from Google marketplaces have been identified.
Other than issuing canned statements saying Google takes user security seriously, company representatives pretty much maintain radio silence in response to questions about malicious wares available in its marketplace. The company is generally quick to remove malicious offerings once reported but still has trouble detecting them during its review process or checking for newly added malice once allowed in.
After this story was filed, a Google representative sent a statement:
"The safety of users and developers is at the core of Google Play. We have reviewed recent reports on SpinOK SDK and are taking appropriate action on apps that violate our policies. Users are also protected by Google Play Protect, which warns users of apps known to exhibit malicious behavior on Android devices with Google Play Services, even when those apps come from other sources."
In an email that was sent before press time but was inadvertently missed, the Google representative wrote:
"The Chrome Web Store has policies in place to keep users safe that all developers must adhere to. We take security and privacy claims against extensions seriously, and when we find extensions that violate our policies, we take appropriate action. These reported extensions have been removed from the Chrome Web Store."
Google generally doesn’t notify users once it discovers they have installed one of its malicious offerings. The rest of this article includes identifiers users can use to determine if they’ve been infected.
The full list of apps reported by Dr.Web is located here.
The apps reported by CloudSEK are:
  • com.hexagon.blocks.colorful.resixlink
  • com.macaronmatch.fun.gp
  • com.macaron.boommatch.gp
  • com.blast.game.candy.candyblast
  • com.tilermaster.gp
  • com.crazymagicball.gp
  • com.cq.merger.ww.bitmerger
  • com.happy2048.mergeblock
  • com.carnival.slot.treasure.slotparty
  • com.holiday2048.gp
  • com.richfive.money.sea
  • com.hotbuku.hotbuku
  • com.crazyfruitcrush.gp
  • com.twpgame.funblockpuzzle
  • com.sncgame.pixelbattle
  • com.cute.macaron.gp
  • com.slots.lucky.win
  • com.happy.aquarium.game
  • com.blackjack.cash.poker
  • vip.minigame.idledino
  • com.circus.coinpusher.free
  • com.diamond.block.gp
  • com.boommatch.hex.gp
  • com.guaniu.deserttree
  • com.snailbig.gstarw
  • com.tunai.instan.game
  • com.yqwl.sea.purecash
  • com.block.bang.blockbigbang
  • com.chainblock.merge2048.gp
  • com.snailbig.gstarfeelw
  • com.ccxgame.farmblast
  • com.bubble.connect.bitconnect
  • com.acemegame.luckyslot
  • com.tianheruichuang.channel3
  • com.kitty.blast.lucky.pet.game
  • com.magicballs.games
  • com.bird.merge.bdrop
  • com.acemegame.luckycashman
  • free.vpn.nicevpn
  • com.vegas.cash.casino
  • com.meta.chip.metachip
  • com.guaniu.lightningslots
  • vip.minigame.RollingBubblePuzzle
Affected extensions reported by Palant, meanwhile, are listed below as name (weekly active users): extension ID.
  • Autoskip for Youtube (9,008,298): lgjdgmdbfhobkdbcjnpnlmhnplnidkkp
  • Soundboost (6,925,522): chmfnmjfghjpdamlofhlonnnnokkpbao
  • Crystal Ad block (6,869,278): lklmhefoneonjalpjcnhaidnodopinib
  • Brisk VPN (5,595,420): ciifcakemmcbbdpmljdohdmbodagmela
  • Clipboard Helper (3,499,233): meljmedplehjlnnaempfdoecookjenph
  • Maxi Refresher (3,483,639): lipmdblppejomolopniipdjlpfjcojob
  • Quick Translation (2,797,773): lmcboojgmmaafdmgacncdpjnpnnhpmei
  • Easyview Reader view (2,786,137): icnekagcncdgpdnpoecofjinkplbnocm
  • PDF toolbox (2,782,790): bahogceckgcanpcoabcdgmoidngedmfo
  • Epsilon Ad blocker (2,571,050): bkpdalonclochcahhipekbnedhklcdnp
  • Craft Cursors (2,437,224): magnkhldhhgdlhikeighmhlhonpmlolk
  • Alpha Blocker ad blocker (2,430,636): edadmcnnkkkgmofibeehgaffppadbnbi
  • Zoom Plus (2,370,645): ajneghihjbebmnljfhlpdmjjpifeaokc
  • Base Image Downloader (2,366,136): nadenkhojomjfdcppbhhncbfakfjiabp
  • Cliquish fun cursors (2,353,436): pbdpfhmbdldfoioggnphkiocpidecmbp
  • Cursor-A custom cursor (2,237,147): hdgdghnfcappcodemanhafioghjhlbpb
  • Amazing Dark Mode (2,228,049): fbjfihoienmhbjflbobnmimfijpngkpa
  • Maximum Color Changer for Youtube (2,226,293): kjeffohcijbnlkgoaibmdcfconakaajm
  • Awesome Auto Refresh (2,222,284): djmpbcihmblfdlkcfncodakgopmpgpgh
  • Venus Adblock (1,973,783): obeokabcpoilgegepbhlcleanmpgkhcp
  • Adblock Dragon (1,967,202): mcmdolplhpeopapnlpbjceoofpgmkahc
  • Readl Reader mode (1,852,707): dppnhoaonckcimpejpjodcdoenfjleme
  • Volume Frenzy (1,626,760): idgncaddojiejegdmkofblgplkgmeipk
  • Image download center (1,493,741): deebfeldnfhemlnidojiiidadkgnglpi
  • Font Customizer (1,471,726): gfbgiekofllpkpaoadjhbbfnljbcimoh
  • Easy Undo Closed Tabs (1,460,691): pbebadpeajadcmaoofljnnfgofehnpeo
  • Screens screen recorder (1,459,488): flmihfcdcgigpfcfjpdcniidbfnffdcf
  • OneCleaner (1,457,548): pinnfpbpjancnbidnnhpemakncopaega
  • Repeat button (1,456,013): iicpikopjmmincpjkckdngpkmlcchold
  • Leap Video Downloader (1,454,917): bjlcpoknpgaoaollojjdnbdojdclidkh
  • Tap Image Downloader (1,451,822): okclicinnbnfkgchommiamjnkjcibfid
  • Qspeed Video Speed Controller (732,250): pcjmcnhpobkjnhajhhleejfmpeoahclc
  • HyperVolume (592,479): hinhmojdkodmficpockledafoeodokmc
  • Light picture-in-picture (172,931): gcnceeflimggoamelclcbhcdggcmnglm
Names that don't have a strikethrough denote extensions that had not been removed at the time Palant's post went live. As of Friday, Google said, all reported extensions had been removed.
Extension identifiers provided by Avast:
  • aeclplbmglgjpfaikihdlkjhgegehbbf
  • afffieldplmegknlfkicedfpbbdbpaef
  • ajneghihjbebmnljfhlpdmjjpifeaokc
  • ameggholdkgkdepolbiaekmhjiaiiccg
  • bafbedjnnjkjjjelgblfbddajjgcpndi
  • bahogceckgcanpcoabcdgmoidngedmfo
  • bikjmmacnlceobeapchfnlcekincgkng
  • bkbdedlenkomhjbfljaopfbmimhdgenl
  • bkflddlohelgdmjoehphbkfallnbompm
  • bkpdalonclochcahhipekbnedhklcdnp
  • bppfigeglphkpioihhhpbpgcnnhpogki
  • cajcbolfepkcgbgafllkjfnokncgibpd
  • ciifcakemmcbbdpmljdohdmbodagmela
  • deebfeldnfhemlnidojiiidadkgnglpi
  • diapmighkmmnpmdkfnmlbpkjkealjojg
  • dlnanhjfdjgnnmbajgikidobcbfpnblp
  • dppnhoaonckcimpejpjodcdoenfjleme
  • edadmcnnkkkgmofibeehgaffppadbnbi
  • edaflgnfadlopeefcbdlcnjnfkefkhio
  • edailiddamlkedgjaoialogpllocmgjg
  • edmmaocllgjakiiilohibgicdjndkljp
  • eibcbmdmfcgklpkghpkojpaedhloemhi
  • enofnamganfiiidbpcmcihkihfmfpobo
  • epmmfnfpkjjhgikijelhmomnbeneepbe
  • fcndjoibnbpijadgnjjkfmmjbgjmbadk
  • fejgiddmdpgdmhhdjbophmflidmdpgdi
  • ffiddnnfloiehekhgfjpphceidalmmgd
  • fgpeefdjgfeoioneknokbpficnpkddbl
  • fhnlapempodiikihjeggpacnefpdemam
  • finepngcchiffimedhcfmmlkgjmeokpp
  • flmihfcdcgigpfcfjpdcniidbfnffdcf
  • fpfmkkljdiofokoikgglafnfmmffmmhc
  • gdlbpbalajnhpfklckhciopjlbbiepkn
  • geokkpbkfpghbjdgbganjkgfhaafmhbo
  • gfbgiekofllpkpaoadjhbbfnljbcimoh
  • ghabgolckcdgbbffijkkpamcphkfihgm
  • glfondjanahgpmkgjggafhdnbbcidhgf
  • gliolnahchemnmdjengkkdhcpdfehkhi
  • gnmjmennllheofmojjffnidneaohleln
  • hdgdghnfcappcodemanhafioghjhlbpb
  • hdifogmldkmbjgbgffmkphfhpdfhjgmh
  • hhhbnnlkhiajhlfmedeifcniniopfaoo
  • higffkkddppmfcpkcolamkhcknhfhdlo
  • hmakjfeknhkfmlckieeepnnldblejdbd
  • icnekagcncdgpdnpoecofjinkplbnocm
  • iejlgecgghdfhnappmejmhkgkkakbefg
  • igefbihdjhmkhnofbmnagllkafpaancf
  • igfpifinmdgadnepcpbdddpndnlkdela
  • iicpikopjmmincpjkckdngpkmlcchold
  • imfnolmlkamfkegkhlpofldehcfghkhk
  • jbolpidmijgjfkcpndcngibedciomlhd
  • jjooglnnhopdfiiccjbkjdcpplgdkbmo
  • jlhmhmjkoklbnjjocicepjjjpnnbhodj
  • kafnldcilonjofafnggijbhknjhpffcd
  • keecjmliebjajodgnbcegpmnalopnfcb
  • kjeffohcijbnlkgoaibmdcfconakaajm
  • lcdaafomaehnnhjgbgbdpgpagfcfgddg
  • lgjdgmdbfhobkdbcjnpnlmhnplnidkkp
  • lhpbjmgkppampoeecnlfibfgodkfmapd
  • likbpmomddfoeelgcmmgilhmefinonpo
  • lipmdblppejomolopniipdjlpfjcojob
  • lklmhefoneonjalpjcnhaidnodopinib
  • llcogfahhcbonemgkdjcjclaahplbldg
  • lmcboojgmmaafdmgacncdpjnpnnhpmei
  • lpejglcfpkpbjhmnnmpmmlpblkcmdgmi
  • magnkhldhhgdlhikeighmhlhonpmlolk
  • mcmdolplhpeopapnlpbjceoofpgmkahc
  • meljmedplehjlnnaempfdoecookjenph
  • nadenkhojomjfdcppbhhncbfakfjiabp
  • nbocmbonjfbpnolapbknojklafhkmplk
  • ngbglchnipjlikkfpfgickhnlpchdlco
  • njglkaigokomacaljolalkopeonkpbik
  • obeokabcpoilgegepbhlcleanmpgkhcp
  • obfdmhekhgnjollgnhjhedapplpmbpka
  • oejfpkocfgochpkljdlmcnibecancpnl
  • okclicinnbnfkgchommiamjnkjcibfid
  • olkcbimhgpenhcboejacjpmohcincfdb
  • ooaehdahoiljphlijlaplnbeaeeimhbb
  • pbdpfhmbdldfoioggnphkiocpidecmbp
  • pbebadpeajadcmaoofljnnfgofehnpeo
  • pidecdgcabcolloikegacdjejomeodji
  • pinnfpbpjancnbidnnhpemakncopaega
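The package names and extension IDs above are the identifiers the article says users can check against. The script below is an added example, not code from the article or from Dr.Web, CloudSEK, Palant or Avast: it parses the output of `adb shell pm list packages` for an Android device and the folder names under a Chrome profile's Extensions directory, and intersects both with the reported identifiers. Only a handful of the identifiers are embedded here to keep the example short; paste in the full lists above for a real check. The sample `pm list packages` output and the sample Extensions folder listing are constructed for demonstration.

```python
import os
import re
import subprocess
from typing import Iterable

# Subset of the package names reported by CloudSEK (see the list above);
# extend this set with the full list when running a real check.
SPINOK_PACKAGES = frozenset({
    "com.hexagon.blocks.colorful.resixlink",
    "com.macaronmatch.fun.gp",
    "com.tilermaster.gp",
    "free.vpn.nicevpn",
    "com.vegas.cash.casino",
    "vip.minigame.RollingBubblePuzzle",
})

# Subset of the Chrome extension IDs reported by Palant and Avast.
BAD_EXTENSION_IDS = frozenset({
    "lgjdgmdbfhobkdbcjnpnlmhnplnidkkp",  # Autoskip for Youtube
    "chmfnmjfghjpdamlofhlonnnnokkpbao",  # Soundboost
    "ciifcakemmcbbdpmljdohdmbodagmela",  # Brisk VPN
    "bahogceckgcanpcoabcdgmoidngedmfo",  # PDF toolbox
    "aeclplbmglgjpfaikihdlkjhgegehbbf",  # from Avast's list
})

# Chrome extension IDs are 32 characters drawn from the letters a-p.
_EXT_ID = re.compile(r"^[a-p]{32}$")


def parse_pm_list(output: str) -> set[str]:
    """Parse `adb shell pm list packages` output, one 'package:<name>' per line."""
    pkgs = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def extension_ids_from_names(names: Iterable[str]) -> set[str]:
    """Keep only the entries of an Extensions folder that look like extension IDs
    (Chrome also creates folders such as 'Temp' there)."""
    return {n for n in names if _EXT_ID.match(n)}


def installed_extension_ids(profile_dir: str) -> set[str]:
    """Read the Extensions folder of a Chrome profile, e.g. ~/.config/google-chrome/Default."""
    ext_dir = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_dir):
        return set()
    return extension_ids_from_names(os.listdir(ext_dir))


def android_packages_via_adb() -> set[str]:
    """Query a connected device; needs adb on PATH and USB debugging enabled."""
    out = subprocess.run(["adb", "shell", "pm", "list", "packages"],
                         capture_output=True, text=True, check=True).stdout
    return parse_pm_list(out)


def find_matches(installed: Iterable[str], known_bad: frozenset[str]) -> list[str]:
    """Sorted intersection of installed identifiers with the reported ones.
    Comparison is exact and case-sensitive, as Android treats package names."""
    return sorted(set(installed) & known_bad)


# Constructed sample output, not taken from a real device.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:com.tilermaster.gp
package:com.example.notes
package:free.vpn.nicevpn
"""

# Constructed sample of an Extensions folder listing; the second ID is made up.
SAMPLE_EXT_DIRS = ["Temp", "chmfnmjfghjpdamlofhlonnnnokkpbao", "abcdefghijklmnopabcdefghijklmnop"]

if __name__ == "__main__":
    print("Android matches:", find_matches(parse_pm_list(SAMPLE_PM_OUTPUT), SPINOK_PACKAGES))
    print("Chrome matches:", find_matches(extension_ids_from_names(SAMPLE_EXT_DIRS), BAD_EXTENSION_IDS))
```

For a live check, replace `SAMPLE_PM_OUTPUT` with `android_packages_via_adb()` and `SAMPLE_EXT_DIRS` with `installed_extension_ids(<profile path>)`. A hit on the extension side should be confirmed against chrome://extensions, since Chrome may keep a removed extension's folder around until the profile is cleaned up.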