Google Play Store removes fake ad blockers downloaded by millions

A constant problem with the Google Play Store is the large number of malicious applications and extensions present at any given time. These applications often capitalize on the popularity of legitimate applications and try to trick users into downloading them. A surprising amount of these are successful due to a combination of users not thoroughly investigating what they download. But the other issue is that Google’s Play Store is not effective at blocking malicious applications.

This is the case with a recent removal of two extensions masquerading as legitimate ad blockers. Google Play Store removed two major offenders that pretended to be the popular AdBlock and Ublock extensions used by millions worldwide. The removal came about thanks to a blog post by Andrey Meshkov of AdGuard in which he alerted Google and the general populous about the two offenders.

Meshkov states in his blog post that despite numerous reports against the imposters, which should have been grounds for removal, the Play Store still did not delete the extensions. This then led the researcher to publish his findings about the kind of activity that the Adblock and Ublock doppelgangers were carrying out once being downloaded from the Google Play Store.

Meshkov explains that the primary issue is cookie stuffing, which is an ad fraud scheme. The server sends requests that seem benign until roughly 55 hours after installation. The usual requests that are processed for ad blocking start getting replaced with requests to every time a new domain is visited. In the example shown in the researcher’s data, “” was the domain interacting with TeamViewer, it should be pointed out, is not part of the scheme but is a victim.

According to the blog post, this is when things start getting interesting:

The response to this request contains a special URL... The extensions will immediately open that URL in the background. A chain of redirects follows this request... What’s going on here, you’d ask? Apparently, this address belongs to Teamviewer’s affiliate program. In response, your browser receives a special “affiliate” cookie. Now if you make a purchase on the extensions owner will be paid a commission by Teamviewer. This technique is known as cookie stuffing, and this is basically an ad fraud scheme.

With the numerous domains discovered to be in on the scheme, and especially with the scheme being made public, Google finally removed the malicious extensions from the Play Store. Why it took such extreme measures to force the company’s hand is unknown, but it is clear that the Google Play Store is just as vulnerable to malicious activity as it has been in the past.

Featured image: Flickr/ Bram.Koster

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Published by
Derek Kortepeter

Recent Posts

Reports say eBay port scanning incoming visitors. Why?

According to several reports, eBay may be port scanning visitors to its site. While this…

1 day ago

Office 365 is now Microsoft 365: Everything you need to know

Microsoft has rebranded various products in its Office 365 lineup as Microsoft 365. Here is…

2 days ago

Ansible Automation Engine: Complete getting started guide

In this second article in our series, we will work on the Ansible Automation Engine…

2 days ago

Microsoft Build 2020: All major announcements for developers

Microsoft Build 2020 included several announcements aimed at developers and the IT community. Here are…

2 days ago

Dell unveils new PCs optimized for remote work

With remote work here to stay, companies are looking to supply employees with devices to…

3 days ago

Using Azure Active Directory Identity Protection to boost your security

Using Azure Active Directory Identity Protection will boost your security. This step-by-step guide shows you…

3 days ago