Google Play Store removes fake ad blockers downloaded by millions

A constant problem with the Google Play Store is the large number of malicious applications and extensions present at any given time. These applications often capitalize on the popularity of legitimate applications and try to trick users into downloading them. A surprising number of these succeed, partly because users do not thoroughly investigate what they download, and partly because Google’s Play Store is not effective at blocking malicious applications.

This is the case with a recent removal of two extensions masquerading as legitimate ad blockers. Google Play Store removed two major offenders that pretended to be the popular AdBlock and uBlock extensions used by millions worldwide. The removal came about thanks to a blog post by Andrey Meshkov of AdGuard in which he alerted Google and the general public about the two offenders.

Meshkov states in his blog post that despite numerous reports against the imposters, which should have been grounds for removal, the Play Store still did not delete the extensions. This led the researcher to publish his findings about the kind of activity that the AdBlock and uBlock doppelgangers were carrying out once downloaded from the Google Play Store.

Meshkov explains that the primary issue is cookie stuffing, an ad fraud scheme. The extensions’ requests seem benign until roughly 55 hours after installation. After that point, the usual requests used for ad blocking start being replaced with requests to every time a new domain is visited. In the example shown in the researcher’s data, “” was the domain interacting with TeamViewer. TeamViewer, it should be pointed out, is not part of the scheme but is a victim.

According to the blog post, this is when things start getting interesting:

The response to this request contains a special URL... The extensions will immediately open that URL in the background. A chain of redirects follows this request... What’s going on here, you’d ask? Apparently, this address belongs to Teamviewer’s affiliate program. In response, your browser receives a special “affiliate” cookie. Now if you make a purchase on the extensions’ owner will be paid a commission by Teamviewer. This technique is known as cookie stuffing, and this is basically an ad fraud scheme.
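Meshkov’s description gives a defender a usable signature to hunt for in extension network telemetry: a delayed onset, a request fired each time the user lands on a new site, and a background redirect chain that ends on a different host than it started on. The script below is an added example (not code from the original post or from AdGuard) that runs that heuristic over a constructed, hypothetical request log; the log format, the extension id and every domain in it are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample log (hypothetical format, not real traffic): hours since
# install, the initiator ("user" = tab navigation, otherwise an extension id),
# and the request URL followed by any redirect hops separated by "->".
SAMPLE_LOG = """
t=0.50 init=user url=https://news.example/
t=0.51 init=ext-fakeblock url=https://filters.example/easylist.txt
t=1.20 init=user url=https://mail.example/inbox
t=1.21 init=ext-fakeblock url=https://filters.example/easylist.txt
t=56.30 init=user url=https://shop.example/
t=56.31 init=ext-fakeblock url=https://c2.example/r?d=shop.example -> https://aff.example/go?id=777 -> https://vendor.example/?aff=777
t=56.40 init=user url=https://shop.example/cart
t=56.41 init=ext-fakeblock url=https://filters.example/easylist.txt
t=57.00 init=user url=https://bank.example/
t=57.01 init=ext-fakeblock url=https://c2.example/r?d=bank.example -> https://aff.example/go?id=777 -> https://vendor.example/?aff=777
"""

LINE = re.compile(r"t=(?P<t>[\d.]+) init=(?P<init>\S+) url=(?P<chain>.+)")


def host(url):
    return urlparse(url).hostname or ""


def parse_log(text):
    """Yield (hours_since_install, initiator, [first_url, redirect_hop, ...])."""
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            yield float(m["t"]), m["init"], [u.strip() for u in m["chain"].split("->")]


def find_cookie_stuffing(text, min_delay_h=48.0, window_h=0.05):
    """Flag extension-initiated redirect chains that (1) fire right after the
    user's first visit to a site, (2) end on a different host than they
    started on, and (3) only appear after a long dormant period post-install."""
    seen, last_new_nav, findings = set(), None, []
    for t, init, chain in parse_log(text):
        if init == "user":
            h = host(chain[0])
            last_new_nav = (t, h) if h not in seen else None  # only *new* domains
            seen.add(h)
            continue
        if last_new_nav is None or t - last_new_nav[0] > window_h:
            continue  # not triggered by a fresh navigation
        if len(chain) >= 2 and host(chain[0]) != host(chain[-1]) and t >= min_delay_h:
            findings.append({"extension": init, "trigger": last_new_nav[1],
                             "lands_on": host(chain[-1]), "hours_after_install": t})
    return findings
```

On the sample log the filter-list fetches are ignored and the two background redirect chains at 56.31 h and 57.01 h are reported, each tied to the new site whose visit triggered it.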

With the numerous domains discovered to be in on the scheme, and especially with the scheme being made public, Google finally removed the malicious extensions from the Play Store. Why it took such extreme measures to force the company’s hand is unknown, but it is clear that the Google Play Store is just as vulnerable to malicious activity as it has been in the past.

Featured image: Flickr/ Bram.Koster

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
