This fake Chrome extension already has 200,000 downloads

Internet Downloader Manager is a fake extension for the Google Chrome browser that has already been downloaded over 200 thousand times.

Although it pretends to be a normal download manager, it is in reality adware with the usual behavior: it opens unwanted links, changes the browser's default search engine, and fills the screen with pop-up messages inviting the user to download updates and patches, as well as other unwanted programs.

Many users are misled as there is a legitimate program of the same name, Tonec's Internet Download Manager, which also offers extensions for Mozilla Firefox and Chrome. However, the real extension for Chrome is called the IDM Integration Module. The company itself has addressed the topic in its FAQ, warning that all IDM extensions on the Google Store are fake and should not be used.




Apart from this statement, which is debatable in itself, the instructions provided by the fake extension are also puzzling: for example, they call for installing other programs after the extension itself has been installed.

Furthermore, the reviews on the Google Store are quite self-explanatory: users have been reporting this adware since 2019. Together with the tests done by BleepingComputer, this confirms that you need to stay away from the extension.






Fake Evernote extension injects ads into webpages

Visiting the Evernote plugin page, Chrome does not recognize that it is third-party malware and believes that it is the officially installed extension.


Posing as a real, user-installed add-on, malware hides itself within a Chrome extension that poses as the popular note-taking app Evernote. Unfortunately for the victims, it is far from being a legitimate extension. Security firm Malwarebytes reports that the extension is actually malware-- an executable titled evernote.exe-- that the victim would have had to have accidentally opened. After it has been executed, the malware installs a fake Evernote extension into Chrome, which then begins serving the victim ads on all the webpages they visit.


It isn't just a matter of an extension appearing to look like another-- Chrome actually believes that the plug-in is the legitimate Evernote extension. By clicking 'visit website,' the user is taken to the official Evernote webpage. There, it does not ask the user to install the app-- again, it believes that the app is already installed, and instead offers the option to launch it.


At first glance, the way the ads are positioned makes them seem to come from the websites themselves, which makes it more difficult for victims to identify that they have been infected with the adware. This sort of malware also goes to show that users shouldn't trust digitally signed files solely because they're digitally signed-- it doesn't make them any more legitimate than any other executable:


'A quick look shows the PUP is digitally signed by “Open Source Developer, Sergei Ivanovich Drozdov”, although the certificate has since been revoked by the issuer. This serves as another reminder that you can’t always trust a program just because it’s digitally signed' - Joshua Cannell, security researcher at Malwarebytes

The Chrome extensions window shows that the malware looks and acts (at least on the base level) like any normal extension.


Fortunately, as Malwarebytes reports, the removal of the extension isn't a complicated matter-- it is born like an extension, and it dies like one. All a user would have to do to remove it is to visit the Chrome extensions page (type about:extensions in the omnibar) and click on the garbage can icon next to the Evernote extension. The user would then have to confirm the removal, and once confirmed, Chrome would do the rest.
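To find candidates for that removal step across a profile, the following added example (not code from Malwarebytes or the original article) walks a Chrome profile's `Extensions` directory and flags extensions whose content scripts run on every page but whose manifest lacks the Chrome Web Store `update_url`. The function names and the two sample manifests are constructed for illustration; the real directory is typically `<User Data>/Default/Extensions`.

```python
import json
import tempfile
from pathlib import Path

# update_url that Chrome Web Store installs carry in their manifest.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Match patterns that let a content script run on every page the user visits.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_extensions(extensions_dir):
    """Audit <extensions_dir>/<extension id>/<version>/manifest.json files."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        patterns = {p for s in manifest.get("content_scripts", []) for p in s.get("matches", [])}
        everywhere = bool(patterns & BROAD_PATTERNS)
        webstore = manifest.get("update_url") == WEBSTORE_UPDATE_URL
        findings.append({
            "id": path.parent.parent.name,
            "name": manifest.get("name", "?"),  # may be a __MSG_..__ locale key
            "injects_everywhere": everywhere,
            "from_webstore": webstore,
            "review": everywhere and not webstore,  # triage flag, not a verdict
        })
    return findings


def build_sample_profile(root):
    """Write two constructed manifests (not real extensions) for the demo."""
    samples = {
        "a" * 32: {"name": "Constructed notes clipper", "version": "1.0",
                   "update_url": WEBSTORE_UPDATE_URL,
                   "content_scripts": [{"matches": ["https://notes.example/*"]}]},
        "b" * 32: {"name": "Constructed look-alike", "version": "1.0",
                   "content_scripts": [{"matches": ["<all_urls>"]}]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        print(audit_extensions(tmp))
```

Manifest fields are written by whoever installed the extension, so a clean result here does not prove an extension is legitimate; treat the `review` flag as a starting point for manual inspection.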


Source: Malwarebytes via The Inquirer | Images via Malwarebytes