Millions of Chrome Users Have Installed Malware Posing as Ad Blockers

Andrey Meshkov, the cofounder of ad-blocker AdGuard, took a look at the script in some popular ad-blocking knockoffs and found some shady business.

As if trying to navigate your online privacy wasn’t complicated enough, it turns out the ad blocker you installed on your browser may actually be malware.

Andrey Meshkov, the cofounder of ad-blocker AdGuard, recently got curious about the number of knock-off ad blocking extensions available for Google’s popular browser Chrome. These extensions were deliberately styled to look like legitimate, well-known ad blockers, but Meshkov wondered why they existed at all, so he downloaded one and took a look at the code.


“Basically I downloaded it and checked what requests the extension was making,” Meshkov told me over the phone. “Some strange requests caught my attention.”

Meshkov discovered that the AdRemover extension for Chrome—which had over 10 million users—had code hidden inside an image that was loaded from the remote command server, giving the extension creator the ability to change its functions without updating. This alone is against Google’s policy, and after Meshkov wrote about a few examples on AdGuard’s blog, many of which had millions of downloads, Chrome removed the extensions from the store. I reached out to Google, and a spokesperson confirmed that these extensions had been removed.

Screengrab of AdRemover in the Chrome store. Image: Courtesy of Andrey Meshkov

Screengrab of the image that was hiding malicious script in AdRemover. Image: Courtesy of Andrey Meshkov

Though Meshkov didn’t immediately see what the extension was collecting data for, he said having this link to a remote server is dangerous because it could change your browser behavior in many ways. Meshkov said it could alter the appearance of pages, scrape information from the user, or load additional extensions that a user hasn’t installed.

I asked Yan Zhu, a software engineer who works for the privacy-conscious browser Brave, to look at Meshkov’s findings. She told me that Chrome has a history of approving sketchy extensions to its store. She said while an extension with this kind of code couldn’t do “literally anything,” it could definitely run some malicious behavior.

“For instance the extension could probably man-in-the-middle all the requests coming from your browser, but it can't, for instance, read your browser's encrypted password database, because that is not a privilege that extensions can have,” Zhu explained over Twitter direct message.

Meshkov told me that while Google removed the extensions he flagged, the store is littered with these kinds of sketchy, copycat extensions. In the past, these extensions have changed hands and ended up spreading malware to users.

So what should you do when all the sketchy extensions look just like the real deal? Meshkov recommended looking up the developer’s website for the extension you want, which will have a link to the store where you can install it. And just be careful about what you install on your browser.
