Google fights spammy extensions with new Chrome Web Store policy

Developers use a number of ways to breed extensions like a bunch of spam bunnies in Google’s Chrome Web Store, which is the biggest extension catalog online.

For example, sometimes they stuff the store with multiple extensions that do the same thing. Like, say, wallpaper extensions that have different metadata but provide the exact same wallpaper when installed.

Well, those developers can say goodbye to that and a slew of other run-arounds: on Wednesday, Google banned them in a set of new rules for the Chrome Web Store, which it published as a new Chrome Web Store spam policy within its Developer Program Policies.

Here’s an FAQ about the new policy, and here’s the full list of what’s now verboten:

  • Repetitive Content: No more copypasta! No more submitting multiple extensions that provide duplicate experiences or function. Besides the wallpaper example, there are data or format converters listed as multiple extensions – for example, Fahrenheit to Celsius, Celsius to Fahrenheit – that all direct the user to the same multi-format converter web page.
  • Keyword Spam: Google’s no longer going to put up with blabby, redundant extensions: specifically, those with “misleading, improperly formatted, non-descriptive, irrelevant, excessive, or inappropriate metadata, including but not limited to the extension’s description, developer name, title, icon, screenshots, and promotional images.” In other words, don’t stuff the description full of keywords, including brand names. The maximum number you can repeat a keyword is now five. To provide a longer list of brands or websites, developers can provide a link for users or embed the list in one of the extension’s promotional screenshots. No irrelevant information, either: for example, a sports team wallpaper shouldn’t include team stats and history in the extension’s description. Make it clear and well-written, Google said, and leave out unattributed or anonymous user testimonials: they’re no longer allowed in extension descriptions.
  • User Ratings, Reviews, and Installs: Developers are forbidden from manipulating their extensions’ placement in the Chrome Web Store by doing things like cooking up bogus downloads, reviews or ratings. That means you can’t review your own baby, and you can’t get reviews from other developers or people affiliated with the publisher.
  • Functionality: Extensions now have to have some purpose besides installing or launching another app, theme, webpage, or extension.
  • Notification Abuse: Google disallows extensions that bleat out spam, ads, promotions, phishing attempts or other types of unwanted messages.
  • Message Spam: The new policy prohibits extensions that send messages on a user’s behalf without the user confirming the content or the recipients.

Beyond annoying, they can be dangerous

This is just the latest attempt to mop up the sprawling Chrome Web Store and the many ratty extensions that lurk in its aisles, some of which are not just spammy – they can also be malicious. For example, a few weeks ago, Google found itself sweeping out a collection of 49 malicious Chrome extensions that MyCrypto researchers had caught pickpocketing crypto wallets.

You can see where those nasty extensions could have inspired Google’s new extension spam policies: for one, some were rated up by a network of bogus reviewers dishing out fake 5-star reviews. The reviews were cursory and low-quality, such as “good,” “helpful app,” or “legit extension.”

As well, one of the extensions – MyEtherWallet – had the kind of repetitive language that Google’s now outlawed. Harry Denley, MyCrypto Director of Security, calls it “copypasta”, with the same review posted about 8 times and purportedly authored by different users. All of the reviews shared the same introduction into what Bitcoin is and an explanation of why the (malicious) MyEtherWallet was their preferred browser extension.

Before that, in February, Google abruptly yanked 500 Chrome extensions off its Web Store after researchers discovered they were stealing browsing data, pulling off click fraud and serving up malvertising. The extensions had installed themselves on millions of users’ computers.

At the time, our advice was to not assume that, just because an extension is hosted from an official web store, it’s safe to use.

Our advice:

  • Install as few extensions as possible and, despite the above, only from official web stores.
  • Check the reviews and feedback from others who’ve installed the extension.
  • Pay attention to the developer’s reputation, how responsive they are to questions and how frequently they post version updates.
  • Study the permissions they ask for (in Chrome, Settings > Extensions > Details) and make sure they’re in line with the extension’s features. Be suspicious if the permissions change.
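The last tip is easy to turn into a repeatable check. The script below is an added example (not from the original article or from Google): it reads an extension’s manifest.json, collects the declared API and host permissions across Manifest V2 and V3 layouts, flags the broad ones, and reports any permission that was not present the last time you reviewed the extension. The sample manifest, the previously-recorded permission set and the HIGH_RISK list are all constructed for this example.

```python
import json
from typing import Optional

# Permissions that grant broad access and deserve scrutiny. The names are real
# Chrome permission strings; which ones count as "high risk" is this example's choice.
HIGH_RISK = {
    "<all_urls>", "tabs", "webRequest", "webRequestBlocking", "cookies",
    "history", "clipboardRead", "debugger", "nativeMessaging", "proxy",
}

def extract_permissions(manifest: dict) -> set:
    """Collect every API and host permission an extension declares.
    Manifest V2 puts host patterns inside "permissions"; Manifest V3 moves
    them to "host_permissions". Optional permissions are included too."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(manifest.get(key, []))
    return perms

def audit(manifest: dict, previously_seen: Optional[set] = None) -> dict:
    """Flag high-risk permissions and host patterns, and list any permission
    that was not present when the extension was last reviewed."""
    perms = extract_permissions(manifest)
    hosts = {p for p in perms if "://" in p or p == "<all_urls>"}
    risky = {p for p in perms if p in HIGH_RISK or p in hosts}
    new = perms - previously_seen if previously_seen is not None else set()
    return {"permissions": sorted(perms), "risky": sorted(risky), "new": sorted(new)}

# Constructed sample manifest for a wallpaper extension. A wallpaper tool has no
# business reading every site the user visits or hooking web requests.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Example Wallpapers",
  "version": "2.1",
  "permissions": ["storage", "tabs", "webRequest"],
  "host_permissions": ["<all_urls>"]
}""")

# Permission set recorded when version 2.0 was reviewed (constructed).
SEEN_IN_V2_0 = {"storage"}

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, SEEN_IN_V2_0)
    for item in report["risky"]:
        print(f"risky permission: {item}")
    for item in report["new"]:
        print(f"permission added since last review: {item}")
```

Installed extensions’ manifests live under the Chrome profile’s Extensions directory, so the same audit can be run against what is actually on a machine rather than only against a store listing.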
