Chrome Web Store – Your new one stop shop for malware and spam

While installing some apps and extensions from the Chrome web store I noticed that there were a few well known products delivered by developers totally unknown to me (and Google search). LastPass, AVG AntiVirus, Snapchat, Viber and others were available sporting their trademark name and logo, but from publishers without any affiliation with the actual brand.

Chrome Web Store - Fake AVG AntiVirus

What now? geronimoAPPS is not the developer of AVG AntiVirus you say.

Blatant infringement aside, those were obviously fakes, but unfortunately scores of people are installing them as the publishers got the name and logo right. Further, I suspect many people believe that Google endorses the apps and extensions that ends up in the Crome web store. In reality though, as long as you pay your developer fee you may likely exploit the system to your hearts content.

Intrigued to learn more about their business model I installed a few of the rogue apps and extensions to discover what kind of scam they were pulling. Interestingly enough, it seems they are primarily abusing Google’s own ecosystem.

Here is your recipe for abusing Google services and having them pay you.

  1. Identify a mainstream application with a large user base and steal their name and logo for use with your own app or extension. This will give you far better exposure and increase the number of user installations (protip: users put all their trust in names logos).
  2. Download the Chrome app or extension example code (really, anybody can write an app in five minutes). Now pay attention to how you can open new browser tabs as that will be your key feature.
  3. Register a bunch of domains with GoDaddy (fake identities only, they never check).
  4. Sign up for Google AdSense. This will be the most demanding part of the process so be sure to make everything look legit (this is only to get approval, later on you’ll turn things around).
  5. Now add Google AdSense to all your websites and finalize your app or extension by having it load those websites in new tabs upon installation. Pay your developer fee, upload your app, and publish it in the Chrome Web Store.
  6. Relax and enjoy your new steady stream of ad revenue.

One would assume that it might be easy to remove the offending apps and extensions from the Chrome web store by using the “Report Abuse“ feature, but in reality it’s pointless as the developers will republish immediately after Google takes them down.

If you really want to make life hard for the scammers, the best cause of action would be make a list of the sites loaded by the rogue apps and report them to Google AdSense for policy violation.

You could of course save yourself the trouble altogether by never downloading apps and extensions from untrusted third parties.

Roger Comply avatar
Roger Comply
Thank you for reading!
Feel free to waste more time by subscribing to my RSS feed.