Clever "Chrome Remote Desktop" Scareware targeting Macs going around...
Updates will be posted at the bottom
I rarely do write-ups, but this one may be worth it. Many use Google's Chrome Remote Desktop - it's convenient, easy, more secure than several other 'home use' remote desktop tools, etc. After helping clean out a friend's computers, it's apparent to me that there's a phony/fraudulent version out there right now. At least at an initial glance, this 'scareware' seems to be a cleverer, enhanced variant of a scareware piece that Graham Cluley has already written up here and then here.
Some things to keep in mind when reading this post:
- There were multiple computers affected
- The computers were all Macs (although this tactic described could work on Windows as well)
- The primary user is relatively aware of phishing, scams, etc.
Background
This all started when I was using a friend's laptop. While using the laptop, I noticed a pop-up asking to install/upgrade Flash (downloading "Flashplayer.dmg")...an aware user would recognize it was shady.
Knowing not to mount the dmg file, I did the typical MalwareBytes scans, other common scans, and attempted to locate specific files to remove, etc. Some traces of malware were found, so they were removed. Unfortunately, cleaning this wasn't that easy.
We eventually noticed the same pop-up again a few hours later. I continued investigating the laptop while my friend used a different laptop...both started having the pop-up. Then we noticed the iMac desktop starting to get it too. I immediately glanced at the Chrome Extensions, recognizing Chrome's syncing capabilities - at a quick glance, nothing seemed out of the ordinary. MalwareBytes did not fix any of the computers. Neither did Intego...the nagging pop-up would just keep coming up every few hours on all of the computers.
How To Fix
Once you recognize the problem, it's actually a simple fix. You just need to remove a fraudulent extension (specifically, in this case, one posing as 'Chrome Remote Desktop') from the Chrome browser. Yes, you can still run MalwareBytes to be sure afterwards - just remember that it didn't initially pick this up, using the latest definitions at the time of writing. Below are some more details on what made this extension scam clever...
Legitimate Google Chrome Remote Desktop vs Fraudulent Chrome Remote Desktop
Google's legitimate version of the Chrome Remote Desktop is a Chrome "App". The fraudulent version is a Chrome "Extension". What is worrying is that if a user simply searches for "Remote Desktop" or "Chrome Remote Desktop" in the Chrome Web Store, it shows the top 3 Extensions first, followed by the top 3 Themes, finally followed by the top 3 Apps.
The fraudulent version (remember, an "Extension" - so it is at the top) takes 2 of the top 3 results (#2 and #3)...and #1 is unrelated...so the legitimate Google Chrome Remote Desktop is actually nowhere to be found on the top of the page! The fraudulent version also 'works' - to a regular end user, it provided the same remote desktop functionality as the legitimate version.
Below is a screenshot to show how difficult it is to find the legitimate Google Chrome Remote Desktop without knowing you need to go to the Apps section. Notice how the official Google version is nowhere to be found...instead, the #2 and #3 spots are taken by the fraudulent "Chrome Remote Desktop" - however, the developer is "Chrome!Apps" and not "Google".
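One way to put that App-versus-Extension distinction to work on a Mac, as an added example that is not part of the original post: the script below reads each installed item's manifest.json from the default Chrome profile (path assumed) and flags any extension, as opposed to an app, that carries the name of a Google product shipped as an app. The sample profile it builds is constructed, with made-up IDs and manifests.

```python
import json
import os
import tempfile

# Default Chrome profile on macOS (assumed path; other profiles and OSes differ).
CHROME_EXT_DIR = os.path.expanduser(
    "~/Library/Application Support/Google/Chrome/Default/Extensions")
# Products Google ships as Chrome *apps*, so an installed *extension* carrying
# one of these names is suspicious. Both names are the ones impersonated above.
WATCHED_APP_NAMES = {"chrome remote desktop", "gmail offline"}


def scan_extensions(root=CHROME_EXT_DIR):
    """One record per installed item, read from <root>/<id>/<version>/manifest.json."""
    records = []
    for ext_id in sorted(os.listdir(root)) if os.path.isdir(root) else []:
        for version in sorted(os.listdir(os.path.join(root, ext_id))):
            mpath = os.path.join(root, ext_id, version, "manifest.json")
            if not os.path.isfile(mpath):
                continue
            with open(mpath, encoding="utf-8") as f:
                manifest = json.load(f)
            records.append({"id": ext_id, "version": version,
                            "name": manifest.get("name", ""),
                            # Chrome apps declare an "app" key; extensions do not.
                            "is_app": "app" in manifest})
    return records


def flag_impostors(records, watched=WATCHED_APP_NAMES):
    """Return extensions (not apps) whose name matches a watched Google app name."""
    return [r for r in records
            if not r["is_app"] and r["name"].strip().lower() in watched]


def build_sample_profile():
    """Constructed sample profile: a genuine-looking app plus a same-named extension."""
    root = tempfile.mkdtemp()
    items = {  # constructed 32-char IDs, not real Chrome Web Store IDs
        "a" * 32: {"name": "Chrome Remote Desktop", "app": {"background": {}}},
        "b" * 32: {"name": "Chrome Remote Desktop", "permissions": ["tabs", "<all_urls>"]},
    }
    for ext_id, manifest in items.items():
        vdir = os.path.join(root, ext_id, "1.0_0")
        os.makedirs(vdir)
        with open(os.path.join(vdir, "manifest.json"), "w", encoding="utf-8") as f:
            json.dump(dict(manifest, manifest_version=2, version="1.0"), f)
    return root
```

Against a live profile, `flag_impostors(scan_extensions())` lists the suspicious extension IDs and versions; the ID is also the folder name under the Extensions directory, so it can be matched against what chrome://extensions shows.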
Multiple Devices Infected
While Chrome's Remote Desktop may be popular, Chrome's syncing capability is even more popular. By syncing extensions across multiple computers, if one computer installs the fraudulent extension, it will then sync to all other Chrome installs where syncing is enabled and the user is logged in. This is how multiple computers were infected, causing all of them to show pop-ups requesting that Adobe Flash be updated. (Imagine allowing the Chrome browser + allowing extensions + allowing syncing in a work environment...)
Be Cautious
This has already been reported to Google, so hopefully the extension gets pulled soon and algorithms are re-worked to ensure the legitimate Google versions are the top results in the future...today was the Chrome Remote Desktop, tomorrow may be another popular extension...
Update: Seems the fraudulent extensions have been removed; but now there's already a new "Chrome Remote Desktop" and "Gmail Offline" - this time from "Chrome APPs" (previously "Chrome!Apps").