You may have heard by now that spammers and malware developers have been buying legitimate apps in order to compromise them with infected updates. The idea is that there is a huge pool of potential victims out there who trust the apps that they are already running. Infect the apps that are already installed and given permissions, and you get your adware, spyware, malware, and otherwares in front of a whole new audience.
Most of the compromised apps being discussed lately are Chrome and Firefox extensions. Many browser extensions are known to send data back to their developers or to a third party, and this is usually accepted as long as it is disclosed. It's also accepted for an extension to insert its own ad into a website, as long as there is some kind of disclosure on where that ad came from. What is generally not acceptable is that an extension collect all browsing data and sends it to a third party, or that an extension insert ads from a third party based on your browsing data. But that's what these extensions are doing.
Even more creepy is that some of these extensions have the spamming code inserted into them already, but the code is not enabled.
We tested one of these extensions, called Autocopy Original, by tricking it into thinking that the tracking behavior was supposed to be enabled, and we were able to immediately see a ton of data sent back to their servers. There were 73 of these extensions in the Chrome Store, and some in the Firefox add-ons store. They are easily identifiable because they are all from “wips.com” or “wips.com partners”.
Since the user agreement only discloses what the extension is doing, the functions of this dormant code are not disclosed. The code could be enabled with any update.
* shudder *
Spammers don't have to purchase legitimate apps in order to use them for malicious purposes. Remember when our Research Scientist Dr. Jason Ding covered the web versions of “Bad Piggies,” the malicious adware-infected Rovio copycat?
Searching for “Bad Piggies” in the Chrome web store results in 8 matches as shown in Figure 1. All these plugins have “Bad Piggies” inside their game descriptions, such that each of them still matches the search, even though its title doesn’t.
But when our Barracuda Labs team took a closer look at these games we noticed several questionable items. Seven of these plugins are from the same sourcewww.playook.info, a maker of ‘free’ flash games. A quick glance at the Whois records for playook.info tells us… nothing. They hide their name behind Whoisguard, a very suspcious thing for a business to do. What’s more, these 7 plugins request significant permissions: “access your data on all websites”, …
It isn't just the Chrome web store that has trouble with spammers. Earlier this week our SignNow team published an article on their experience with a copycat:
About two weeks ago, we woke up to find that a new app on the App Store had launched – with the name: SignNow by GameStruct, Inc. … We dug in more, and uncovered a web of behavior designed to confuse consumers into purchasing their apps, rather than compete in the marketplace.
And it gets worse:
Originally, this same codebase was released as an app under the name “SignPDF” Dec 9, 2013, by the developer Tektrify, Inc. This app was a rip-off of an app really named SignPDF. January 7, 2014, the same app was released as SignNow (with some minor iOS7 tweaks).
In other words, one bad app, rebranded over & over, to trick people into trusting it. Sounds a lot like an email spammer, doesn't it?
The best way to protect yourself from spammers like this is to pay attention to what you are installing. Here are a few suggestions:
- Don't give an extension or an app more permission than it needs, and do not install anything that asks for more permission than it needs.
- Disable anonymous usage statistics
- Check your extensions against lists like this
- Tools like Extension Defender and Shield for Chrome may help
- Watch for behaviors that make an app appear unauthentic
The best defense is to remain aware of what you are doing on your computer. Pay attention to what you are installing, and definitely read the fine print.
Barracuda provides award-winning security and storage solutions. Check out our full line of products here.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. In this role, she helps bring Barracuda stories to life and facilitate communication between the public and Barracuda internal teams. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.
Connect with Christine on LinkedIn.