We all know the game Angry Birds, and we all know Rovio—the maker of the breakout hit game Angry Birds. On Sept 27, Rovio launched a new puzzle video game called “Bad Piggies” which quickly became very popular: it hit the top spot in the App Store after only 3 hours. The game is easy to get; available on iTunes for $0.99 (iPhone version) and $2.99 (iPad version) and free on Google Play (for Android devices). What this means, however, is that without Apple or Android device there is no way to play it.
This market niche was not overlooked for long, and quickly free versions of games that claimed to be the original Bad Piggies appeared on the Google Chrome web store. Downloads from the Chrome web store can be played by anyone with the Chrome browser, installed on a Windows, Linux or Mac OS systems. Searching for “Bad Piggies” in the Chrome web store results in 8 matches as shown in Figure 1. All these plugins have “Bad Piggies” inside their game descriptions, such that each of them still matches the search, even though its title doesn’t.
“What Luck!”, you say to yourself. “I can play Angry Birds Bad Piggies and all the other Angry Birds games for free!”
But when our Barracuda Labs team took a closer look at these games we noticed several questionable items. Seven of these plugins are from the same source www.playook.info, a maker of ‘free' flash games. A quick glance at the Whois records for playook.info tells us… nothing. They hide their name behind Whoisguard, a very suspcious thing for a business to do. What's more, installing these 7 plugins request a significant permissions: “access your data on all websites”, shown in Figure 2 and Table 1.
Table 1: Statuses of 7 Chrome plugins for playing popular Rovio games
|Angry Birds Bad Piggies||https://chrome.google.com/webstore/detail/fpokembamndopkflopmplkklbdngnknd||Your data on all websites||2,725||6,595||8,258|
|Angry Birds Space HD||https://chrome.google.com/webstore/detail/goedioiidkokkbobdnopnlnaaalniegm||Your data on all websites||8,094||12,758||15,643|
|Angry Birds Huge||https://chrome.google.com/webstore/detail/omnicnmbagoinlpamknknbcgopadcoci||Your data on all websites||5,728||7,983||10,003|
|Angry Birds Forest||https://chrome.google.com/webstore/detail/ajlkjjdbgcjdiklbcomhnfghjigfccoh||Your data on all websites||3,882||5,590||6,300|
|Angry Birds Heikki||https://chrome.google.com/webstore/detail/indfhnliadamglhalanplbajgenpjdml||Your data on all websites||3,113||5,205||6,852|
|Angry Birds Rio||https://chrome.google.com/webstore/detail/dhclobcklknojliojkkclgjndemadnig||Your data on all websites||14,445||17,540||19,264|
|Angry Birds Space||https://chrome.google.com/webstore/detail/pfaooklcbjnkgconjjepimkohgcjmdji||Your data on all websites||9,634||13,965||16,273|
|Total users count:||47,621||69,636||82,593|
At this step, you should stop installing this plugin. Playing a web-based game should have nothing to do with your other browser tabs at all.
We were still curious, so we installed some of these plugins in a test environment. This is what we found.
First, this Angry Birds Bad Piggies game is not authentic: it is a pigs-shoot-birds game.
Second, and much worse, once the game installs a plug-in that displays additional advertisements in some popular websites.
Special code in the plug-in checks to see if the page originates with Yahoo and if so, inserts it's own ad from playook.info,
A little more digging turned up a list of websites that are targeted
We saw similar problems with angrybirds.com and MSN.com.
This is not the first time that some Chrome plugins requested extra permissions during the installation. Last month, we reported that several “Facebook Timeline Remover” plugins also requested permission to access data on all websites, where they should only touch Facebook.com websites. Users who give up such extensive permission run the risk of getting their browsers hijacked. The plugin authors can acquire all the web data when users browse the Internet with Chrome and then misuse users information, such as stealing and selling user email addresses and online credit card information.
As of Oct. 2, 2012, there are about 82,593 Chrome users who installed these ads-injected plugins, and the total number is still climbing fast day by day, e.g., about 13K new installations from October 1 to October 2.
A suggestion to Chrome users; whenever trying to install a plugin inside the Chrome web store, consider the requested permissions with a critical eye toward the intent of the plugin. If the plugin requests any permission that does not seem reasonable, do not install it. If you have already installed, uninstall them immediately and change your passwords on other websites if possible.
As Chrome gains more browser marketshare, Google should provide better secure solutions on Chrome web store to protect its users. Until then, it's especially important that Chrome users know how to protect themselves.