Just weeks after Yahoo was caught up in a malware scandal surrounding its ads, Google has stepped in to withdraw two Chrome browser extensions that were found to be infecting users’ computers with malware. The two extensions were originally designed to do legitimate jobs – connecting users to Twitter and Feedly – but had been bought up and altered.
Add To Feedly and Tweet This Page were on sale in the Chrome store until the weekend, but fewer than 150,000 people are thought to have used them. As the situation became known, however, the developers of several more successful extensions revealed that they had been offered money by companies that seemed to have similar intentions. The reason why extensions are so appealing to unscrupulous types is that, while Google reviews them before it first accepts them, it does not review changes made later on; what is more, default Chrome settings let them update and appear on users’ computers automatically, with no further purchases necessary. This means that updating an existing extension can give its owners a back door directly into users’ computers.
Unlike the Yahoo scandal, in which the malware zombified computers and used them to mine bitcoins, the primary purpose of this malware seems to have been to facilitate advertising. Users reported that it replaced links on sites they visited with affiliate links. This included searches made from Google’s own front page. Aside from Google’s concern over user complaints, this explicitly contravenes its Chrome store policy restricting where advertising can appear.
Amit Agarwal, who developed the original Add To Feedly, has apologized to those affected by the malware and said that he now realizes that it was probably a bad idea to sell it. Having been offered a four-figure sum for what had been an hour’s work, he seems not to have thought to hesitate.
Last month Google announced plans to tighten up control in its Chrome store in a move that it must now be glad it made. By limiting extensions to single functions, it hopes to be able to detect any malware automatically. Google has long been proactive in dealing with the sort of problems that got Yahoo into trouble, removing around one million malicious ads from its pages every day in 2013; as complaints about these are rare, its approach appears to have been working. Users will now be anxious to see if Google can tackle the extension problem as effectively.