Please read this post carefully because you may install adware and malware without knowing. Currently, there are many extensions available on Chrome Web Store which are unauthorized copies of our FreeAddon and SportifyTab extensions. These copy-cat extensions inject adwares and malwares which forcefully change your browser’s search engine and allow access for tons of spamming ads and pop-ups.
For more specific details about the adware-virus distributors and their copy-cat extensions, check out our analysis below:
- How to solve the problem when you find viruses / adwares / malwares in your browser.
- The list of copy-cat extension providers and adware distributors you should avoid.
- How they trick users into installing fake extensions instead of ours.
- Why you should avoid installing the fake extensions that didn’t come from us.
1. How to solve the problem when you find viruses / adwares / malwares in your browser.
You may mistakenly install a fake extension that distributed by an adware provider. In that case, you may be bombarded by unwanted pop-ups ads and search engine hijacks. To solve this issue, here’s our suggestion:
- Step 1: Disable all extensions, then enable one by one and test your browser to find out which extension is the cause of the problem.
- Step 2: To uninstall an extension, if it has an icon in your Chrome toolbar, you can right-click the icon and select Remove from Chrome. If you don’t see the extension’s icon, you can click More icon on Chrome toolbar to open the menu, then go to “More tools” and then “Extensions” (to open chrome://extensions page). Next to the extension you want to remove, click the Remove button (recycle bin icon).
- Step 3: Remove all new tab extensions that look similar to us but not come from FreeAddon.com or SportifyTab.com.
- Step 4: Run Malwarebytes AdwCleaner to remove other potentially unwanted programs (PUPs) and browser hijackers.
- Step 5: Click “Report Abuse” and post reviews on the “fake” Chrome Web Store item.
- Step 6: Share this article to your friends to raise awareness as it may save them someday: Share to Facebook, Share to Google+, Tweet it.
2. The list of copy-cat extension providers and adware distributors you should avoid.
The extensions created by our team must have “offered by freeaddon.com” or “offered by sportifytab.com” text in the provider name. Please do not install potentially harmful extensions from the list below.
(Last updated: 2017.12.02 – We are monitoring Chrome Web Store so the list will be updated as we find)
– simorature.com & mainstire.com is a new malware distributor in late 2017. Their newtab is served from the simorature.com & mainstire.com website. When you open a Chrome new tab, actually you’re openning simorature.com or mainstire.com website. They uploaded 300 extensions on 2017.11.26, all topics were replicated from FreeAddon. Our Chrome Web Store malware monitor system has detected that their extensions got 10,000+ 5-star ratings in a week, right after them had just been uploaded (these ratings were probably fake!). In the same week, we’ve suffered a “fake 1-star ratings” attack, a malware distributor has put 15,000+ one-star ratings in all of our 300 extensions.
– HappyHey.com is one of the biggest adware distributors that we discovered. The first copy-cat extension was uploaded February 2017 in a developer account that had distributed HappyHey’s extensions, so we’ve been monitoring them since then. Till now, we found more than 2000 apps and extensions that have been using same design, covering many keywords and appearing in top Chrome Web Store search results. When their extensions are published on Chrome Web Store, these extensions only serve as a link to redirect users to various websites that they earn money from spamming ads. Then the extensions may suddenly disappear from Chrome Web Store, bundled with adware. Because their extensions don’t provide any value to the users, all of them are under 2.5 rating.
– The other new tab extension brands such as BrandThunder, Tabify… are also injecting ads in their extensions and forcing users to change search engine to use Yahoo, Bing instead of Google. mystart.com uses Yahoo or Bing search engine on their new tab page, however they allow users to restore Google search engine. brandthunder.com (browsefx.com) and tabify.io (other identities: chrome-live-wallpapers.com, chrome-wallpapers.com) is worse, as they hijack search engine and do not even allow users to change back to Google. If you want to avoid search engine hijacking, just don’t use them.
– The copy-cat providers and adware distributors use various developer accounts in different names to upload extensions, such as wallpaperext.net, www.chromenewtab.net, davidglover781, VNN Systems, wallpaper.extentions.dev, HD Wallpapers in new Tab, mail, bob.liga88, instaonlipult, develop.extension, wallpapers.dev.ext, wallpaper.developer.ext, developer.extension, un.lyskova, all4people.by … The adware distributor’s websites (www.chromenewtab.net and wallpaperext.net) are also fake copies of our website.
Example of a copy-cat provider, please check the “offered by” text carefully.
Please avoid installing extensions created by www.chromenewtab.net and wallpaperext.net
3. How they trick users into installing fake extensions instead of FreeAddon’s and SportifyTab’s extensions.
When we started FreeAddon.com and SportifyTab.com in 2016, most of the new tab extensions on Chrome Web Store were either malwares or were bundled with unwanted programs. Born in that context, we wanted to provide Chrome and Chrome OS users with a better experience. Our core values are “fast, simple and clean”.
The extensions we created include all files and images in source code so that users do not download anything when they open a new tab, it makes the browser loads faster and safer. The other new tab extensions created by happyhey.com, mystart.com, brandthunder.com (browsefx.com) and tabify.io (chrome-live-wallpapers.com, chrome-wallpapers.com)… redirect new tab to their website which could be compromised at anytime making your browser vulnerable.
At the moment of this article’s first publish (May 2017), we have 2 millions of users and the number is growing very quickly as fast as 30,000 new users per day. All of our extensions receive good feedback from the users and get 4.5 to 5 rating stars on Chrome Web Store.
Updated 2017.12.02: FreeAddon.com is TOP 1 NewTab creator in Chrome Web Store and be loved by 5 millions of users. We have just suffered from a “fake 1-star ratings” attack. A malware company has used fake Gmail accounts to put 15,000+ one-star ratings in all of our 300 extensions. Most of our extensions are 3 rating stars now.
There is a drawback that our extensions were open-source and very easy to be copied. Few months ago, one (or may be a few more) adware distributor started to steal our design and distribute copy-cat extensions on Chrome Web Store. They stole our extension’s code, replicated our design making a “fake” version that looks similar to us, and then bundled it with adware.
Inside the extensions – Options & Support menu.
Inside the extensions – Search box and other menus.
In Chrome Web Store search results, their HD text looks similar to our HD mark.
An example of a copy-cat extension provider that changed its name to “1.455.00 users” just to trick users to believe that it has millions of users.
The Chrome Web Store item description was a duplication of our extension’s text, and screenshots show copied new tab design.
4. Why you should avoid installing the fake extensions that didn’t come from us.
Our Tech Lead has been working for several anti-virus companies from 2012. We’ve started a fight with malware distributors since FreeAddon was born. We understand the deceptive technique these “copy-cat providers” use to distribute malwares.
(They post fake reviews and ratings for their extensions in order to get ranked on Chrome Web Store.)
Updated 2017.12.02: a new malware distributor (simorature.com & mainstire.com) has put 10,000+ fake 5-star ratings on their extensions right after them had just been uploaded. At the same time, we suffered from 15,000+ fake 1-star ratings attack.
In the picture above, you can see this copy-cat extension had only 33 downloads but it had 63 ratings. It is literally impossible to have more ratings than downloads; therefore, high chance that they are faking it. All of the reviews were written in Russian, thus we believe it was distributed by a big Russian malware distributor. In February 2017, we created a program to scan Chrome Web Store searching for the copy-cat extensions and till now we found more than 300 similar to that one!
Checking the first copy-cat version they uploaded, we found that its source code was copied from FreeAddon with only few lines of code changes (such as domain, extension name…) and few image files were replaced.
After a while, when the “copy-cat extensions” acquire enough users, they started to upload a new version that introduces malwares.
The adware distributor may un-publish the extensions that were bundled with malware, for them to avoid users from reporting to Google. When the user clicks the “report abuse” button it will open a “404 not found” page, but the malware is still in his browser until he uninstalls the fake extension. After a while many users will uninstall the extension, and so they will need to acquire more users. Therefore, they will temporarily remove the malware and republish the extension again. It would be a never ending story unless Google finds out. Our tester had installed the copy-cat extensions and monitored them day by day. We discovered this spam technique and reported it to Google hoping that it will be fixed soon.
Thank you for reading,
FreeAddon.com & SportifyTab.com Team.