According to Ron Amadeo from Ars Technica, malware and adware creators have been buying up Google Chrome extensions. Since "one of the coolest things about Chrome is the silent, automatic updates that always ensure that users are always running the latest version," an extension can be bought so that the new owners can "issue an ad-filled update over Chrome's update service, which sends the adware out to every user of that extension."
A first-hand account of this, which was first spotted by OMGChrome, was given by Amit Agarwal, developer of the "Add to Feedly" extension. One morning, Agarwal got an e-mail offering "4 figures" for the sale of his Chrome extension. The extension was only about an hour's worth of work, so Agarwal agreed to the deal, the money was sent over PayPal, and he transferred ownership of the extension to another Google account. A month later, the new extension owners released their first (and so far only) update, which injected adware on all webpages and started redirecting links. Chrome's extension auto-update mechanism silently pushed out the update to all 30,000 Add to Feedly users, and the ad revenue likely started rolling in. While Agarwal had no idea what the buyer's intention was when the deal was made, he later learned that he ended up selling his users to the wolves. The buyer was not after the Chrome extension; they were just looking for an easy attack vector in the extension's user base.
This isn't a one-time event, either. About a month ago, I had a very simple Chrome extension called "Tweet This Page" suddenly transform into an ad-injecting machine and start hijacking Google searches. A quick search of the Chrome Web Store reveals several other extensions that reviewers say suddenly made a U-turn from useful extension to ad-injector. There is even an extension that purports to stop other extensions from injecting ads. Injected ads are allowed in Chrome extensions, but Google's policy states that the app the ads are coming from must be clearly disclosed to the user, and that the ads cannot interfere with any native ads or the functionality of the website.
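
A defender-side check for the update path described above, as an added example that is not from the original article: it compares the manifest of the previously installed extension version with the updated one and reports newly gained page access. The two manifests are constructed samples, and the premise that an ad-injecting update widens access is an assumption of this example; an update that reuses access the extension already held shows no difference here.

```python
import json

# Match patterns that reach every page the user visits.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def is_host(entry):
    """True for host match patterns, False for API permission names."""
    return isinstance(entry, str) and (entry == "<all_urls>" or "://" in entry)

def page_access(manifest):
    """Host patterns the extension can read or run script on."""
    hosts = set()
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions"):
        hosts.update(e for e in manifest.get(key, []) if is_host(e))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return hosts

def api_permissions(manifest):
    """Named API permissions such as "tabs", excluding host patterns."""
    return {e for e in manifest.get("permissions", [])
            if isinstance(e, str) and not is_host(e)}

def diff_update(old, new):
    """Report what an update gained relative to the previously installed version."""
    new_hosts = page_access(new) - page_access(old)
    return {
        "versions": (old.get("version"), new.get("version")),
        "new_hosts": sorted(new_hosts),
        "new_broad_hosts": sorted(new_hosts & BROAD),
        "new_apis": sorted(api_permissions(new) - api_permissions(old)),
    }

# Constructed sample manifests (not taken from any real extension).
OLD = json.loads("""{"manifest_version": 2, "name": "Example Feed Button", "version": "1.0",
  "permissions": ["activeTab", "https://feeds.example/*"]}""")
NEW = json.loads("""{"manifest_version": 2, "name": "Example Feed Button", "version": "1.1",
  "permissions": ["activeTab", "tabs", "https://feeds.example/*"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]}""")

if __name__ == "__main__":
    report = diff_update(OLD, NEW)
    print(json.dumps(report, indent=2))
    if report["new_broad_hosts"]:
        print("REVIEW: update gained access to all pages")
```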