Google scans Chrome Web Store submissions for malware

Google has started to scrub Chrome Web Store submissions before they get a chance to muck things up.

The update, known as Enhanced Item Validation, was announced last week on Google’s Chrome developers blog.

The process may hold up submissions, Google says, but no cause for freak-out. The scan shouldn’t ever take more than an hour, it says – time well spent for the greater security good:

Starting [19 June] in the Chrome Web Store, you might notice that your item is not broadly available immediately after you publish it.

Don't panic - we are just adding additional checks to keep our users secure. Most items will be publicly available within several minutes of publishing, however it could take up to 60 minutes for the scan to complete.

Unless we see something worrisome, most items should be publicly available several minutes after publishing, almost always within 60 minutes.

As it is, Google takes justifiable pride in the level of security in its Chrome browser and the Play app store.

Google’s Pwnium 2013 contest saw the company walk away with an only partially-pwned Chrome OS.

But it goes without saying that Chrome’s not perfect.

Google patched four flaws – three of them high-risk – in the OS in April and wound up paying $31,336 to the researcher who spotted three of them.

The flaws were all found in the O3D plug-in: a Google-crafted plugin used to create interactive 3D graphics applications that run in browser windows or in an XML User Interface (XUL) desktop application.

And as InfoSecurity Magazine pointed out, the browser got a bit more bad security publicity last week when it was found to be vulnerable to camjacking – i.e., clickjacking aimed at taking over a webcam.

The exploit, as carried out by habrahabr, involved Chrome and its implementation of Flash (which predates a 2011 fix).

Google says that the new malware scan in the Chrome Web Store won’t require any action on the part of developers.

After publishing an item in the store, the developer dashboard will let developers know that it’s in the process of being published, and developers can cancel at any point during the scan if they want to tweak the item.

The malware scan is a logical next step to follow a number of changes Google recently made to its Android Play Store ecosystem.

To wit: in April, Google instituted an official policy on sneaky “off-market” updates in the Android Play Store, which in turn came on top of putting a rudimentary antivirus in place within the OS and a ban on ad blockers.

Scanning apps for malware is yet another smart move to keep things safe for users and developers, as Google is happy to point out:

We’re always looking for ways to increase the security for our users and developers, because a trusted platform becomes more widely adopted.

Images of virus cartoon and smartphone malware courtesy of Shutterstock.