Google yanks Chrome extensions that secretly zapped users with adware and malware

Kamal Nayan, Tech Times 20 January 2014, 05:01 pm

Google has blocked two Chrome browser extensions that were updated to render ads on webpages in a way that violated the company's terms of services.

The Chrome extensions, viz. "Add to Feedly" and "Tweet This Page" which had fewer than 100,000 users, were silently updated to include codes that served undesirable ads without users' consent.

The developer of the Chrome extension "Add to Feedly", which had around 30,000 users, penned a blog post on Thursday describing how he was approached by an ad vendor with a "4 figures" offer to which he agreed. "No surprises, the ratings of the extension have recently plummeted at the Chrome store but the business model of the buyer is simple - they buy popular add-ons, inject affiliate links and the bulk of users would never notice this since the Chrome browser automatically updates add-ons in the background," Amit Agarwal wrote. "And there are no changelogs either."

Chrome browser allows silent and automatic updates to be pushed to its extensions from their developers. It depends solely upon the users to decide if the owner of an extension is trustworthy or not. Matter becomes worse, however, when ownership of a Chrome extension can be transferred to another party without letting its users know.

In December, Google updated its Chrome Web Store developer policies in which it advised developers to create extensions that have "a single purpose that is clear to users."

"Do not create an extension that requires users to accept bundles of unrelated functionality, such as an email notifier and a news headline aggregator. If two pieces of functionality are clearly separate, they should be put into two different extensions, and users should have the ability to install and uninstall them separately," Google wrote in the updated Chrome Web Store developer policies. "For example, functionality that displays product ratings and reviews, but also injects ads into web pages, should not be bundled into a single extension."

Developer of another Chrome extension called "Honey" posted on Reddit about a similar instance of being approached by malware companies to sell the extension which has nearly 300,000 users.

As a recommended step, users can install another Chrome extension called "Extensions Update Notifier" that keeps a log of the updated extensions, making it easier to spot a correlation between new updates and increased spam.