Adware and PUPs families add push notifications as an attack vector

Adware and PUPs families add push notifications as an attack vector

Some existing families of potentially unwanted programs and adware have added browser push notifications to their weapons arsenal. Offering themselves up as browser extensions on Chrome and Firefox, these threats pose as useful plugins then haggle users with notifications.

A family of search hijackers

The first I would like to discuss is a large family of Chrome extensions that were already active as search hijackers, but have now added a notifications service from a provider hailing from a domain blocked for fraud by Malwarebytes. What that means is you can now expect browser notifications inviting you to come gamble at an online casino or advertisements selling you get-rich schemes that use pictures of celebrities to gain your trust.

This family is detected under the PUP.Optional umbrella, meaning that Malwarebytes flags them for misconduct but recognizes they offer some kind of functionality and are upfront about the fact that they will change your search settings. The third part of Malwarebytes’ detection name usually refers to the name of the extension. So this one is called PUP.Optional.StreamAll.

permissions for the StreamAll extension

The extensions in this family are search hijackers—they redirect users to Yahoo! search results when searching from the address bar. The websites behind all the extensions in this family are presented in three different styles that are completely interchangeable:

version 1

Version 1 is a basic design kindly guiding you through the steps of installing the Chrome extension.

version 2

Version 2 shows a circle that fills with color until it reaches 100 percent and then tells you it is ready to install the extension.

version 3

Version 3 is a bit more “in your face” and lets you know you really shouldn’t miss out on this extension. It does come in a few slightly different color schemes.

The three websites posted above all lead to StreamAll, the same Chrome extension that I have used as an example for this family. In fact, they all redirect to this extension in Chrome’s web store at some point:

streamall in webstore

Another thing the members of this family have in common is a “thank you” screen after installing one of their extensions, already busy pushing promotional deals. This one has a blue background but can also be fully white.

Thank you page

Their offer to receive notifications is made as soon as you reach one of their sites:

These prompts have also been added to member sites of this family that didn’t promote push notifications earlier on.

If you accept this offer you can find the resulting permission in the Settings menu > click on Advanced > under Privacy and Security > select Site settings > select Notifications.

The number of extensions in this family is rather large, but here is a list of removal guides I created for the most active ones at the moment of writing:

open tabs

By active I mean they are being heavily promoted by some of the popular ad-rotators. To achieve this, they are probably paying a pretty penny and you can be sure they want to make good on that—at your expense.

A Facebook spammer

The second threat family I want to discuss is into far more serious business. This family of Firefox extensions is detected by Malwarebytes as Trojan.FBSpammer.

These extensions can be found at sites that try to convince users they need a Flash player update.

notications and flash update

They also ask for permission to send you notifications and—just like StreamAll—they use a provider that is blocked by Malwarebytes for fraud. But in this case, annoying push notifications are the least of users’ worries. As our friends at BleepingComputer figured out, this extension checks users’ Facebook connection and, if the user is logged in, the extension will join some Facebook groups on their behalf and start spamming them.

Lesson learned

While browser push notifications can be annoying, they are easy to resolve, as I explained in detail in my blog Browser push notifications: a feature asking to be abused. But we have seen from the examples above that there are worse things.

Choose carefully which extensions you decide to install, as well as which programs you allow to send push notifications. The extensions in these cases are up to no good—especially the Trojan that will give your Facebook reputation a quick shove into the cellar. And if you have trouble determining which extensions are benign and which are taking advantage of users, you can always count on Malwarebytes to point you in the right direction.

Stay safe, everyone!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.