A constant problem with the Google Play Store is the large number of malicious applications and extensions present at any given time. These applications often capitalize on the popularity of legitimate applications and try to trick users into downloading them. A surprising amount of these are successful due to a combination of users not thoroughly investigating what they download. But the other issue is that Google’s Play Store is not effective at blocking malicious applications.
This is the case with a recent removal of two extensions masquerading as legitimate ad blockers. Google Play Store removed two major offenders that pretended to be the popular AdBlock and Ublock extensions used by millions worldwide. The removal came about thanks to a blog post by Andrey Meshkov of AdGuard in which he alerted Google and the general populous about the two offenders.
Meshkov states in his blog post that despite numerous reports against the imposters, which should have been grounds for removal, the Play Store still did not delete the extensions. This then led the researcher to publish his findings about the kind of activity that the Adblock and Ublock doppelgangers were carrying out once being downloaded from the Google Play Store.
Meshkov explains that the primary issue is cookie stuffing, which is an ad fraud scheme. The server sends requests that seem benign until roughly 55 hours after installation. The usual requests that are processed for ad blocking start getting replaced with requests to urldata.net every time a new domain is visited. In the example shown in the researcher’s data, “teamviewer.com” was the domain interacting with urldata.net. TeamViewer, it should be pointed out, is not part of the scheme but is a victim.
According to the blog post, this is when things start getting interesting:
The response to this request contains a special URL... The extensions will immediately open that URL in the background. A chain of redirects follows this request... What’s going on here, you’d ask? Apparently, this address belongs to Teamviewer’s affiliate program. In response, your browser receives a special “affiliate” cookie. Now if you make a purchase on teamviewer.com the extensions owner will be paid a commission by Teamviewer. This technique is known as cookie stuffing, and this is basically an ad fraud scheme.
With the numerous domains discovered to be in on the scheme, and especially with the scheme being made public, Google finally removed the malicious extensions from the Play Store. Why it took such extreme measures to force the company’s hand is unknown, but it is clear that the Google Play Store is just as vulnerable to malicious activity as it has been in the past.
Featured image: Flickr/ Bram.Koster