  • Fake Chrome extension 'Internet Download Manager' has 200,000 installs

    alf9872000

    • 717 views
    • 4 minutes

    Google Chrome extension 'Internet Download Manager' installed by more than 200,000 users is adware.

     

    The extension has been sitting on the Chrome Web Store since at least June 2019, according to the earliest reviews posted by users.

     

    Although the extension may install a known and legitimate download manager program, BleepingComputer observed unwanted behavior exhibited by the extension—such as opening links to spammy sites, changing the default browser search engine, and further hounding the user with pop-ups asking them to download more "patches" and unwanted programs.

    Dodgy Chrome extension installed by 200,000+ users

    A concerned BleepingComputer reader reached out to us on seeing a Chrome add-on "running malicious sites by impersonating famous software."

     

    And their concern seems valid. The 'Internet Download Manager' browser extension installed by more than 200,000 users to date doesn't seem all that innocent.

     

    Chrome extension Internet Download Manager live on Chrome Web Store (BleepingComputer)
     

    There does exist a legitimate Windows program called Internet Download Manager, published by software company Tonec.

     

    Tonec does offer Internet Download Manager extensions for Firefox and Chrome. But, the authentic Chrome extension provided by the company is called 'IDM Integration Module.'

     

    Further, Tonec's FAQ specifically warns, "Please note that all IDM extensions that can be found in Google Store are fake and should not be used."

     

    By contrast, the counterfeit 'Internet Download Manager' Chrome extension seems to be maintained by a website called "Puupnewsapp" that claims "it increases your download speed up to 500%" making it a "super software" for downloading games, movies, music, and "large files in minutes." Sounds promising.

     

    The instructions provided by the knock-off extension are even more perplexing—why does one need to download and install multiple programs after installing the extension?

     

    Installation steps for the extension prompt users to further install programs (BleepingComputer)
     

    Specifically, upon installing 'Internet Download Manager,' users are now asked to install an executable from the puupnewsapp website, and additionally download a "Windows patch" ZIP file:

     

    hxxps://www.puupnewsapp[.]com/idman638build25.exe
    hxxps://www.puupnewsapp[.]com/windows.zip

     

    The 'idman638build25.exe' executable appears to be a valid, signed version of the legitimate Tonec Internet Download Manager.

     

    The 'windows.zip' archive, analyzed by BleepingComputer, contains both 32-bit and 64-bit versions of NodeJS and executes JavaScript code to adjust Chrome and Firefox registry settings.

     

    NodeJS file making registry changes for Firefox and Chrome (BleepingComputer)

    Alters search engines, promotes spam

    What also stood out to us was that installing the extension in a test environment changed the default browser search engine to smartwebfinder[.]com. 

     

    Frequent pop-ups urging the user to install more add-ons, such as for Firefox, were also observed, as was the extension launching third-party sites in the browser.

     

    Default search engine changed by extension (BleepingComputer)
     

    Luckily, reviewers, some from as early as 2019, seem to have spotted the dodgy behavior, although plenty of (likely inauthentic) reviewers claim to have no issues with the extension.

     

    Multiple reviews call out the "spam" extension (BleepingComputer)
     

    BleepingComputer readers have previously reported issues with similar rogue extensions they'd found on the Chrome Web Store.

     

    The particulars of the counterfeit extension are as follows:

     

    Extension ID: lcdlanlaneooailnebnhamiiieebikid

    .crx hash (SHA-256): b4b47730b62592c21368c2546e578342fff8383693e89211155c2d61d88058ba

     

    Web Store URL: hxxps://chrome.google[.]com/webstore/detail/internet-download-manager/lcdlanlaneooailnebnhamiiieebikid?hl=en
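
The indicators above can be swept for across Chrome profiles. This Python sketch is an added example, not code from BleepingComputer or Tonec: it looks for the extension ID in each profile's Extensions folder and for the smartwebfinder domain anywhere in the profile preference files. The `sample_search` key and the two profiles built by `build_sample` are constructed test data.

```python
import json
import tempfile
from pathlib import Path

# Indicators from the article (domain refanged for matching).
FAKE_EXTENSION_ID = "lcdlanlaneooailnebnhamiiieebikid"
HIJACK_DOMAIN = "smartwebfinder.com"

def strings_in(node, path=""):
    """Yield (json_path, value) for every string in a parsed JSON tree."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, (dict, list)):
        items = node.items() if isinstance(node, dict) else enumerate(node)
        for key, value in items:
            yield from strings_in(value, f"{path}/{key}")

def scan_user_data(user_data_dir):
    """Return findings for every Chrome profile under a user-data directory."""
    findings, root = [], Path(user_data_dir)
    # Unpacked extensions live at <profile>/Extensions/<id>/<version>/.
    for version_dir in sorted(root.glob(f"*/Extensions/{FAKE_EXTENSION_ID}/*")):
        findings.append(("extension", version_dir.parts[-4], version_dir.name))
    # Sweep "Preferences" and "Secure Preferences" for any string naming the domain.
    for prefs in sorted(root.glob("*/*Preferences")):
        try:
            tree = json.loads(prefs.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt file: skip it, keep sweeping
        for json_path, value in strings_in(tree):
            if HIJACK_DOMAIN in value.lower():
                findings.append(("search", prefs.parent.name, json_path))
    return findings

def build_sample(root):
    """Constructed sample data: a clean profile and an affected one."""
    clean, bad = Path(root, "Default"), Path(root, "Profile 1")
    clean.mkdir(parents=True)
    (clean / "Preferences").write_text('{"homepage": "https://example.org/"}')
    (bad / "Extensions" / FAKE_EXTENSION_ID / "1.0_0").mkdir(parents=True)
    # "sample_search" is a made-up key, not Chrome's real preference name.
    (bad / "Preferences").write_text(
        '{"sample_search": {"url": "https://SmartWebFinder.com/?q=test"}}')
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(scan_user_data(build_sample(tmp)))
```

Point `scan_user_data` at a real Chrome user-data directory to use it; settings changed through the registry, which the article also reports, are outside this sweep.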

     

    BleepingComputer reached out to Tonec for comment, and we have also notified Google of the malicious extension prior to publishing.

     

    "This is a fake extension and it should be avoided. Moreover it may contain spyware and adware," a Tonec spokesperson told BleepingComputer, referring to the counterfeit 'Internet Download Manager.'

     

    "We report it to Google, but it appears again in a short time."

     

    Tonec also urged users to download the aforementioned IDM Integration Module extension that has 20 million downloads on Chrome.

     

    A quick search on the Chrome Web Store for "IDM," "IDM integration add-ons," or "Download Manager" will yield results containing extensions with hundreds of thousands of user installs, and favorable reviews that may appear promising.

     

    While not all of these extensions may be harmful, users should be cautious when installing new Chrome extensions and verify if these are official versions published by trusted software vendors.

     

    Source: BleepingComputer

     

    https://www.bleepingcomputer.com/news/security/fake-chrome-extension-internet-download-manager-has-200-000-installs/

    Edited by Karlston

