A new bug, affecting the Chrome browser has been found. It allows drive-by installation of applications on user’s handsets without any user-end knowledge. The app can then extract user information and send it to the malicious malware publisher.
Extension Defender A security website reports that the Chrome browser extension bug “allow the company behind it to install an app on your phone without you providing your permission or ever even knowing it was installed.”
The website further comprehended that a company Revjet.io calls itself a “browser extension monetization” service uses code from another website, Vulcon.com which enables the background installations. Vulcon.com is a desktop-to-mobile ad server, which lets developers integrate advertisements into their apps.
It works as, a small part of the code works in the background and waits for the UN-responsive time when user is not using his device to install the app without any notice. Even the confirmation dialog and other permission prompts are also hidden from the user. App developers sometimes pay for the ads which deliver clicks-through and app installs, so the ad server can make money by delivering installation whether user want them or not!
Extension Defender notes that some of the apps used by malware include 3Dnator, FB Auto poker, Post To Tumblr, and Alert Control.
Google has still not responded to the report by Extension Defender and is yet to take some steps to deal with the threat.