By Jason Ding – Research Scientist
After our recent report on fake “Angry Piggies” games in the Google Chrome web store that hijacked display advertisements, word has spread among users to exercise caution when shopping in the Google Chrome web store.
Google has also taken action. Last Friday they removed the 7 bad plugins that we mentioned in our blog, all developed by playook.info, from the web store. Chrome users can no longer see or install these plugins.
However, the bad guys haven't given up. A few hours later, on Friday afternoon, another 6 “Angry Birds” plugins published by playook.info were live in the Chrome store again. Users can easily find them by searching for “Bad Piggies”; they are listed in the table below.
| Title | URL | Permissions | Released on & Version | Oct. 8 #Users | Oct. 9 #Users | Oct. 10 #Users |
| --- | --- | --- | --- | --- | --- | --- |
| Angry Birds Bad Piggies | https://chrome.google.com/webstore/detail/angry-birds-bad-piggies/gnofjgfhibegiiaiobadjhhadiajhido | Your data on all websites | Oct 5, 2012 Ver. 1 | 252 | 444 | 639 |
| Angry Birds Huge | https://chrome.google.com/webstore/detail/angry-birds-huge/jfhmafmjfdblceidmfdmoihamolaaeco | Your data on all websites | Oct 5, 2012 Ver. 1 | 65 | 111 | 147 |
| Angry Birds Forest | https://chrome.google.com/webstore/detail/angry-birds-forest/bdgijcibmhjjccgbdohofncdjcophknj | Your data on all websites | Oct 5, 2012 Ver. 1 | 55 | 94 | 136 |
| Angry Birds Heikki | https://chrome.google.com/webstore/detail/angry-birds-heikki/hfcgbiofoebieldldghfocjfnnajmpej | Your data on all websites | Oct 5, 2012 Ver. 1.1 | 41 | 71 | 103 |
| Angry Birds Rio | https://chrome.google.com/webstore/detail/angry-birds-rio/fomljmklmcefndkgpakgifbiiidgbjej | Your data on all websites | Oct 5, 2012 Ver. 1 | 34 | 60 | 80 |
| Angry Birds Space | https://chrome.google.com/webstore/detail/angry-birds-space/jeehjhnmgohgpfpjneglogiholalkeip | Your data on all websites | Oct 5, 2012 Ver. 1 | 82 | 127 | 201 |
| Total users count: | | | | 529 | 907 | 1306 |
Here is a screenshot of one of the new “Angry Birds Bad Piggies” apps. Note that the Chrome web store now uses a new URL format for plugins that shows the name of the plugin in the URL.
We installed these six plugins in our test environment and checked their functionality. Unsurprisingly, all of them behaved the same as the previous bad plugins: users were redirected to playook.info to play fake Flash games, and ads from playook.info were injected when users subsequently browsed many popular websites such as msn.com, yahoo.com, myspace.com, and imdb.com. In fact, the JavaScript code in these plugins is very similar to the code in the ones we wrote about before.
As of today, there are 907 installations in total for these malicious plugins.
If Google was so quick to remove the original offending plugins in the morning, how is it that essentially the same ones reappeared the same afternoon? This begs the question: is there any applicable security vetting for the Chrome web store?
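Every plugin in the table requests “Your data on all websites”, the warning Chrome shows when an extension's manifest asks for host access that matches every site. The following is an added example, not code from the plugins or from Chrome: it audits extension manifests for such all-site match patterns. The sample manifests, their names and the helper function names are constructed for illustration.

```javascript
// Added example: flag extension manifests whose host access covers every site.
// The manifests below are constructed samples, not the plugins from the post.

// True if a Chrome match pattern (<scheme>://<host><path>) applies to all hosts.
function coversAllHosts(pattern) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\/.*$/.exec(pattern);
  return m !== null && m[2] === '*'; // "*.example.com" is limited, "*" is not
}

// Collect every place in one manifest that grants all-site access.
function auditManifest(manifest) {
  const findings = [];
  const check = (list, where) => {
    for (const p of list || []) {
      if (typeof p === 'string' && coversAllHosts(p)) findings.push(`${where}: ${p}`);
    }
  };
  check(manifest.permissions, 'permissions');           // host patterns in older manifests
  check(manifest.host_permissions, 'host_permissions'); // manifest version 3
  (manifest.content_scripts || []).forEach((cs, i) =>
    check(cs.matches, `content_scripts[${i}].matches`)); // scripts injected into pages
  return { name: manifest.name, allSites: findings.length > 0, findings };
}

// Return only the manifests that would trigger the all-websites warning.
function auditAll(manifests) {
  return manifests.map(auditManifest).filter((r) => r.allSites);
}

const SAMPLE_MANIFESTS = [
  { name: 'Sample Game (constructed)', version: '1',
    permissions: ['tabs', 'http://*/*', 'https://*/*'],
    content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }] },
  { name: 'Sample Notes (constructed)', version: '2.3',
    permissions: ['storage', 'https://notes.example.com/*'],
    content_scripts: [{ matches: ['https://*.example.com/*'], js: ['ui.js'] }] },
];

for (const r of auditAll(SAMPLE_MANIFESTS)) console.log(r.name, r.findings);
```

A game that only needs to open its own page has no reason to match every site, so a hit from this check on a game-style listing is worth a manual look at its content scripts.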