Bogus Apps Hijack Chrome, Tumblr
An 'Angry Birds' knockoff that might hijack your Chrome browser settings.
CREDIT: Chrome Web Store
Google's Play Store is often criticized for not screening apps destined for the Android mobile platform. But it's not the only Google-run app store to have security problems.
Malicious apps in the Google Chrome Web store that pretend to be browser-based versions or knockoffs of popular mobile games such as "Angry Birds" and "Bad Piggies" have been downloaded by 90,000 users, according to Barracuda Networks. The malicious apps replace advertisements on popular websites with ads of their own.
Once on a victim's computer, the app asks the user for unlimited online access — something an in-browser game should have no use for — and replaces ads on targeted sites such as MySpace, Yahoo, IMDb, Disney, MSN and eBay with its own set of ads.
The phony ads often don't fit properly into the ad spaces, sometimes only taking up half a banner width or cropping themselves awkwardly. Although the malicious apps make Chrome behave in an unauthorized manner and steal ad space from companies that have paid for it, they don't do any actual harm to users' computers.
When in doubt, fake it
The fake apps usually aren't even comparable to their mobile counterparts. A list of seven phony "Bad Piggies" apps is available from Barracuda, which first came across the issue when the security company tested the apps in a controlled environment.
A quick search in the Chrome Web store for one of the most egregious fake-app peddlers — playook.info — revealed nearly 50 games published by that developer, including knockoffs of Nintendo games that have never appeared on any non-Nintendo platform. (Some of the games were removed from the Chrome Web store today.)
It doesn't look like Google is doing anything to prevent phony apps from appearing in the Chrome Web store. Searching for "Rovio," the name of the legitimate "Angry Birds" developer, results in 12 different apps, only one of which is real.
Searching for "Angry Birds" returns far too many results to count — not just variants of Rovio games such as "Angry Birds," "Angry Birds Space," "Angry Birds Seasons," "Angry Birds Rio" and "Bad Piggies," but dozens of other games that have nothing to do with the franchise.
Meanwhile, Rovio's website lists exactly one game that's been ported to the Chrome Web store — the original "Angry Birds."
I'll Tumbl for ya
Tumblr's blogging platform has its own app issue to contend with. GFI Labs reports that an add-on called "ProfileStalkr" promises to show victims how often other users visit their blogs, but actually automatically posts spam to their account.
The app, which asks for "read and write" privileges, will bombard a blog's followers until the owner notices. By taking advantage of Tumblr's post-by-email feature, the clever scammers can still post spam even after users change their passwords; that feature must be reset in addition to the password change. Users must also revoke the application's access in their Tumblr settings.
When adding apps and plug-ins to your browser, always look at the permissions an app is requesting with a critical eye. Make sure you recognize the name of the developer and remember that apps such as games usually have no business connecting to third-party websites.
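One way to apply that permission check to an unpacked Chrome extension is to read its manifest.json and list every site pattern it asks to reach. The script below is an added example, not code from the article or from Barracuda; the sample manifest and the "Example Bird Game" name are constructed for illustration.

```python
import json

# Match patterns that grant access to every site (Chrome match-pattern syntax).
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Collect every host match pattern an extension manifest requests."""
    found = []
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            # Skip API permissions such as "storage" and non-string entries.
            if isinstance(entry, str) and ("://" in entry or entry == "<all_urls>"):
                found.append((key, entry))
    # Content scripts are injected into pages matching these patterns.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            found.append(("content_scripts.matches", pattern))
    return found


def audit(manifest_text):
    """Return one finding per host pattern, marking patterns that cover all sites."""
    manifest = json.loads(manifest_text)
    findings = []
    for source, pattern in host_patterns(manifest):
        severity = "all-sites" if pattern in BROAD_PATTERNS else "specific-host"
        findings.append({"source": source, "pattern": pattern, "severity": severity})
    return findings


# Constructed sample manifest for a hypothetical in-browser game.
SAMPLE = """
{
  "name": "Example Bird Game",
  "version": "1.0",
  "manifest_version": 2,
  "permissions": ["storage", "http://*/*", "https://*/*"],
  "content_scripts": [
    {"matches": ["*://*.example.com/*"], "js": ["inject.js"]}
  ]
}
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['severity']:13} {f['source']:24} {f['pattern']}")
```

Any "all-sites" finding on a game is the mismatch the advice above describes: the extension can read and modify pages on every site the user visits.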
Follow Ben on Twitter @benkwx.