Google has cleaned up its Chrome Web Store by removing more than 70 malicious extensions. According to the security firm Awake Security, all the extensions combined have recorded more than 32 million downloads.
70 Chrome extensions with 32 million downloads have been collecting data
Most extensions claim to warn users of malicious site activity or claim to be able to convert specific file types to others. But in reality, the extensions were responsible for stealing browsing history and other sensitive data. The user was obviously not aware of this background data collection.
“When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” Google spokesman Scott Westover told Reuters.
It is unclear exactly who is behind these malicious extensions, as the developers were able to provide false contact details when submitting extensions to Google.
According to Awake Security, this case was the Chrome Web Store’s largest malicious campaign to date. Google was alerted by researchers last month and the extensions have been removed gradually.
Chrome extensions store: new hard rules
Google wants to clean up the Chrome Web Store, the space that lists extensions for Chrome. More than 200,000 extensions are available in total according to Google. The company is tightening the rules for posting add-ons to the Chrome Web Store to combat spam. Until August 27, developers must bring additions to meet the new requirements, otherwise, their extensions will be removed from the store.
Recall that the store has become the focus of the attention of spammers and scammers who have begun to publish low-quality and misleading add-ons that do not perform useful actions.
In order to combat manipulations that prevent us from evaluating the essence of the add-on, such as camouflage for well-known add-ons, providing false information about the functionality and creating fake reviews, the following changes are now available in the Chrome Web Store.
Chrome Web Store new rules:
- Developers cannot submit duplicate extensions anymore. (e.g. Wallpaper extensions that have different names but provide the user with the same wallpapers when installed.)
- Extensions should not use “keyword spam” techniques to flood metadata fields with multiple terms. In addition to having the extension available across multiple categories to improve the extension’s visibility in search results.
- Developers are should not use misleading, improperly formatted, non-descriptive, irrelevant, excessive, or inappropriate metadata. Extension metadata needs to be accurate, and Google intends to be strict about it.
- Developers cannot inflate product ratings, reviews, or install counts by illegitimate means any more, such as fraudulent or paid downloads, reviews, and ratings.
- Google will not allow extensions that have only one purpose, such as launching a web page or an app.
- Extensions that abuse browser notifications to spam users with ads or other messages have also been banned.
All developers have until August 27 to fix their extension in accordance with the new rules.