Fake Chrome extension ‘Internet Download Manager’ has 200,000 installs

chrome

Google Chrome extension ‘Internet Download Manager’ installed by more than 200,000 users is adware.

The extension has been sitting on the Chrome Web Store since at least June 2019, according to the earliest reviews posted by users.

Although the extension may install a known and legitimate download manager program, BleepingComputer observed unwanted behavior exhibited by the extension—such as opening links to spammy sites, changing the default browser search engine, and further hounding the user with pop-ups asking them to download more “patches” and unwanted programs.

Dodgy Chrome extension installed by 200,000+ users

A concered BleepingComputer reader reached out to us on seeing a Chrome add-on “running malicious sites by impersonating famous software.”

And their concern seems valid. The ‘Internet Download Manager’ browser extension installed by more than 200,000 users to date doesn’t seem all that innocent.

Chrome extension Internet Download Manager
Chrome extension Internet Download Manager live on Chrome Web Store (BleepingComputer)

There does exist a legitimate Windows program called Internet Download Manager, published by software company Tonec.

Tonec does offer Internet Download Manager extensions for Firefox and Chrome. But, the authentic Chrome extension provided by the company is called ‘IDM Integration Module.’

Further, Tonec’s FAQ specifically warns, “Please note that all IDM extensions that can be found in Google Store are fake and should not be used.”

By contrast, the counterfeit ‘Internet Download Manager’ Chrome extension seems to be maintained by a website called “Puupnewsapp” that claims “it increases your download speed up to 500%” making it a “super software” for downloading games, movies, music, and “large files in minutes.” Sounds promising.

The instructions provided by the knock-off extension are even more perplexing—why does one need to download and install multiple programs after installing the extension?

installation instructions
Installation steps for the extension prompt users to further install programs (BleepingComputer)

Specifically, upon installing ‘Internet Download Manager,’ users are now asked to install an executable from the puupnewsapp website, and additionally download a “Windows patch” ZIP file:

hxxps://www.puupnewsapp[.]com/idman638build25.exe
hxxps://www.puupnewsapp[.]com/windows.zip

The ‘idman638build25.exe’ executable appears to be a valid, signed version of the legitimate Tonec Internet Download Manager.

The ‘windows.zip’ archive analyzed by BleepingComputer, contains both 32-bit and 64-bit versions of NodeJS, and executes JavaScript code to adjust Chrome and Firefox registry settings.

NodeJS file making registry changes
NodeJS file making registry changes for Firefox and Chrome (BleepingComputer)

Alters search engines, promotes spam

What also stood out to us was that installing the extension in a test environment changed the default browser search engine to smartwebfinder[.]com. 

Frequent pop-ups urging the user to install more add-ons, such as for Firefox, were also observed, as was the extension launching third-party sites in the browser.

search engine changed
Default search engine changed by extension (BleepingComputer)

Luckily, reviewers, some from as early as 2019, seem to have spotted the dodgy behavior. Although plenty of (likely inauthentic) reviewers claim to have no issues with the extension.

negative reviews
Multiple reviews call out the “spam” extension (BleepingComputer)

BleepingComputer readers have previously reported issues with similar rogue extensions they’d found on the Chrome Web Store.

The particulars of the counterfeit extension are as follows:

Extension ID: lcdlanlaneooailnebnhamiiieebikid

.crx hash (SHA-256): b4b47730b62592c21368c2546e578342fff8383693e89211155c2d61d88058ba

Web Store URL: hxxps://chrome.google[.]com/webstore/detail/internet-download-manager/lcdlanlaneooailnebnhamiiieebikid?hl=en

BleepingComputer reached out to Tonec for comment, and we have also notified Google of the malicious extension prior to publishing.

A quick search on the Chrome Web Store for “IDM,” “IDM integration add-ons,” or “Download Manager” will yield results containing extensions with hundreds of thousands of user installs, and favorable reviews that may appear promising.

While not all of these extensions may be harmful, users should be cautious when installing new Chrome extensions and verify if these are official versions published by trusted software vendors.

================

Source link

Leave a Reply