Malicious gaming extensions: a child’s play to infection
Credit to Author: Pieter Arntz| Date: Tue, 03 Apr 2018 15:30:00 +0000
Did you ever lend your laptop to a child to play a video game, only to get it back filled with advertisements? Our CEO knows a little bit about that predicament, having unknowingly infected his parents’ computer when he was a kid. But times have changed since then.
Let us play for you a modern-day scenario, then, to show how it’s a short trip from “I want to play this game” to “Hey, there’s adware on my laptop!”
How to get infected playing a video game
These days the coolest kids at school aren’t playing football—they’re playing video games. Of course, your kid wants to be the best in a popular game like Slither.io. So he grabs the family laptop and does a search for “always win slither.”
Look at the top search result: a YouTube video by a well-known YouTuber named Jelly, who has 7,866,496 subscribers tuning into his gaming channel. If you were a gaming portal, would you think it’s worth the investment to pay AdChoices to get a relevant advertisement on that page?
Well-placed advertising always pays off.
With its prominence and high potential for pay-off, the answer is decidedly “yes,” especially if your intentions are less than ethical. Normally, the game is free to play, but who is going to stop you from creating a landing page that says you have to install this browser extension before you can play?
Advertising networks certainly won’t. In order to advertise online, businesses must merely sign up with a network and then bid in real time to have their ads appear on popular websites. However, not all advertising networks have strict criteria for advertisers—ad sellers don’t always know the buyers. Not only that, but buying advertising space is increasingly being transacted automatically, which leaves the door open for further mischief.
Install the extension, even though the game is completely free, why don’t you?
So, back to our kid. Remember, he just learned how to beat all his friends, so he’s eager to get going. He downloads the extension at the upper right-hand side of the screen because it’s the closest thing resembling a “play” button. What harm is a little extension going to do?
All it can do is “Read and change all your data on the websites you visit,” after all.
Wait, what?
Yes, it knows which websites you visit, gathering all the data about your surfing behavior. And yes, it can use that information to insert relevant advertisements on those sites. And unfortunately, that’s exactly what these extensions do. So we have a question for your kid, who’s about to install this extension on your laptop:
Do you treat advertisements on the site of your favorite gaming portal with the same level of trust as the ones on a random Facebook page? Or do you trust one site’s ads over the other?
If the answer isn’t clear here, then we might need to supply further instruction on the psychology behind successful marketing: The power to insert advertisements on sites that your target audience trusts is a desirable one—one that cybercriminals would gladly pay for.
And pay they did, aiming their advertising campaigns at games that attract a relatively young audience, including Slither.io, HappyWheels, Paper.io, Subway Surfers, MineCraft, and BlockWorld, among others.
What does the malicious browser extension actually do?
Now that the line of infection is clear, let’s talk numbers.
Because their advertising landing pages are so prominent and well-placed, gaming extensions bring in a lot of traffic to Chrome’s Webstore. The GamerSuperstar extension, for example, has been installed almost 100,000 times.
If you download the extension directly from Webstore, you probably have a better idea of what its capabilities and permissions are by scrolling through the product descriptions and reading user reviews. This is not true, however, if you just click prompts from an advertising landing page. And that’s how these criminals pull the wool over users’ eyes, getting thousands to download without realizing what they are getting into.
And what they’re getting into is a whole lotta adware.
The extension does absolutely nothing to change the gameplay—it’s completely unnecessary. All you gain by installing most of these extensions is targeted advertising on the sites you visit. A select few also alter your search and newtab settings.
ArcadeTab comes with a search newtab
Other malicious gaming extensions
I wish we could say that GamerSuperStar was the only example of a malicious gaming extension that we have come across. Over the last few months, however, we’ve tracked quite a few of them.
- Search Web by arcadetab.com: 1 million+ installs (and this one also qualifies as a search and newtab hijacker)
- ArcadeFrontier Ads by arcadefrontier.com: 150,000+ installs
- GamesChill Ads by gameschill.com: 100,000+ installs
- PlayZiz Advertisements by playziz.com: 40,000+ installs
- Gamerscan Ad by gamerscan.com: 25,000+ installs
- ArcadeGala Advertising Offers by arcadegala.com: 5,000+ installs
- VideoGameHub Advertising by videogaminghub.com: 1,500+ installs
One note about the above: Data for Chrome extensions are a lot easier to track down because of their Webstore listing. We know there are Firefox and Safari extensions as well, but we can only guess at the numbers for Firefox and Safari extensions that were installed.
So these other extensions—no way they could be more aggressive on permissions than GamerSuperStar, right? Wrong. It was among the least demanding extension of its kind.
This was the most demanding extension permissions list we saw.
Remediating the infection
Although thousands of people were fooled into downloading these data-gathering extensions, it’s easy enough to get rid of them. If you look at the uninstall page for GamerSuperStar on Chrome, you can see there are removal instructions for Firefox and Safari extensions as well.
In addition, Malwarebytes can block many of these kinds of extensions from being downloaded in the first place, since they fetch their advertisements from the cmptch.com servers, which have been at the top of our block list consistently for the last few weeks.
The paid version of Malwarebytes blocks the domain cmptch.com.
Malwarebytes also detects the extensions involved. Most of them are under the generic detection name Adware.Cmptch.Generic. You can find a removal guide for GamerSuperstar and a ArcadeTab on our forums.
Caught red-handed
The common pattern that we found for all these extensions is that they advertise their gaming portal heavily, and when clicking on the ads to arrive at the portal, you will instead be prompted to install an extension before you can play. If you visit the portal directly, however, you can jump straight in and start playing without being bothered.
Even though it’s hard to prove that these extensions are all coming from the same source, the similarities between the ways in which they are pushed and their target audience make us believe that they are at least closely-related. We also found similar domains and extensions acting suspiciously, but since we didn’t catch them in the act, we will not list them here.
But rest assured…we’re keeping an eye on them.
IOCs
Chrome extensions:
obpnlclobfjomjabiibfnbfmebenjedp peglehonblabfemopkgmfcpofbchegcl dehhfjanlmglmabomenmpjnnopigplae anaojjlbaalfefdgonnpmcpgpeafkdig eogmpgppidehapppmipeahegomlindkg piblbljcjideclibhpjobcaakomfcdnf kfljkfcdekakneakneabhomcpmgfpbdc flpdiedhjcapelfbeffompkoeilgmkhm
Firefox extension:
{70cfab72-ee99-428a-b5fb-26d924be3acb}.xpi
Domains:
cmptch.com arcadetab.com arcadefrontier.com gameschill.com playziz.com gamerscan.com arcadegala.com videogaminghub.com
The post Malicious gaming extensions: a child’s play to infection appeared first on Malwarebytes Labs.