Google has removed two extensions from its Chrome app store “due to the way they were serving ads to users.” This action comes after app developer Amit Agarwal announced in a blog post that he had sold his popular extension “Add to Feedly” to what turned out to be an adware company. The other app removed from the store, “Tweet This Page,” was similarly sold by its creator.
According to Google’s developer program policies, an extension can display its own advertisements to users, subject to a number of conditions. Among them, the extension must clearly express to users that it displays advertisements and must not try to mimic website ads. But the new owners of both Add to Feedly and Tweet This Page have violated these rules by adding very intrusive and hard-to-identify ads.
Add to Feedly, for instance, was updated to replace the hyperlinks in a web page with “affiliate links.” When clicked, the link takes a user to an advertiser’s site and informs the advertiser of who created the link—in this case the adware owner. The advertiser then pays the adware owner for driving traffic to their site.
Meanwhile, Tweet This Page has been redirecting Google, Bing and Yahoo! searches to searchgist.com, undoubtedly making a profit in the process.
While these violations of Google policy may be quite annoying and make the apps themselves unusable, there is the potential for much worse. Google extensions update automatically, and only ask for user permission if the app requests additional permissions. This means that companies can purchase apps and update them to include malicious code without the user ever knowing.
Roman Skabichevsky, the ex-owner of Tweet This Page, worries that many more harmful things could be done with an extension. For instance, they could be set up as spyware to steal passwords and personal data. More originally, Skabichevsky theorizes that an extension could hijack the browser to take part in a direct denial of service (DDoS) attack, in which many requests are made for information from a sever, exceeding its capacity and preventing legitimate requests from being fulfilled.
Google had been working to combat the potential for malicious extensions to enter the app store since before these high-publicity cases; new policies to be implemented by this June will prevent an extension from performing more than one task. Touted as a way to bring extensions back to their “simple and single purpose… nature” and maintain a fast and clean browsing experience, this new policy will also make it significantly harder for malware to be packaged into extensions. In the meantime, there is always the “Extensions Update Notifier,” yet another extension which will at least warn you when any of your other extension had a (probably beneficial) update.
Leave a Reply