Malware masquerading as flashlight apps uncovered in Google Play Store Watch Now

Video: Malware masquerading as flashlight apps uncovered in Google Play Store.

A researcher has uncovered five malicious ad-blocker extensions on the Chrome Web Store that were installed by 20 million Chrome users before Google removed them.

The bogus ad blockers were discovered by researchers at AdGuard, a Moscow-based maker of ad-blocking and anti-tracking tech.

Following AdGuard's report on the fake ad blockers in the Chrome Web Store, Google removed the suspect extensions, which have been installed on 20 million Chrome instances over the past year.

The most popular fake ad blocker was AdRemover for Google Chrome, which had over 10 million users, putting a massive botnet of infected browsers at its authors' disposal.

"Basically, this is a botnet composed of browsers infected with the fake ad-block extensions. The browser will do whatever the command-center server owner orders it to do," wrote AdGuard co-founder Andrey Meshkov.

Cloning legitimate ad blockers, adding malicious features and distributing them in the Chrome store has become a popular tactic for cybercriminals. Last year, security personality SwiftOnSecurity discovered a fake Adblock Plus Chrome extension that tricked 37,000 users into installing it.

See: Cyberwar: A guide to the frightening future of online conflict

Meshkov says the main problem is that extensions are poorly vetted by the Chrome Web Store. The authors of fake extensions are also using keyword spam in the extension description to get a top ranking in the Chrome Web Store for searches for 'adblocker'.

"Instead of using tricky names, they now spam keywords in the extension description to try to make the top search results," wrote Meshkov.

There were two other fake ad blockers -- ripped off from legitimate ad-blocking code: a fake uBlock Plus with eight million users, and a fake Adblock Pro with two million users. Two more cloned extensions that used similar tactics were HD for YouTube with 400,000 users and Webutation, which has 30,000 users.

A Reddit user in October noticed the same clone of the uBlock Plus extension Meshkov found, meaning they've been available on the Chrome Web Store for at least six months. This fact, along with top ranking for queries for ad blocker, explains how the extensions attracted so many users.

Meshkov found the fake AdRemover for Google Chrome included hidden scripts that allow the authors to track websites visited and alter browser behavior.

"They definitely could alter anything on any website if they receive such command from the command server," Meshkov told ZDNet in an email.

"Also, all five were connecting to the very same command server, and they were using the very same approach -- the remote script was hidden inside an image."

The good news is that after Google removed the extensions from the Chrome Web Store the extensions have been disabled on Chrome instances with them installed.

"Google is able to disable and remove Chrome extensions remotely and it seems that this is exactly what's happening," wrote Meshkov.

Image: AdGuard/Google

Previous and related coverage

Google is switching on Chrome's ad blocker against disruptive ads

Google kicks off Chrome ad filtering on sites that persistently display annoying ads.

Android security: Sneaky three-stage malware found in Google Play store

Tens of thousands of users have downloaded two newly uncovered forms of malware.

BankBot Android malware sneaks into the Google Play Store - for the third time

More embarrassment for Google, as bank-data stealing malware infiltrates official Android app marketplace once again.