
Distributors of unwanted Chrome extensions are coming up with new, sneaky, and simple methods to trick users into installing their extensions now that Google has banned inline installs.

In the past, unwanted extension purveyors would create deceptive landing pages that try to trick users into installing an extension. These pages would pretend to be security checks, prompts that a download is ready, or simply display annoying JavaScript alerts that would not go away.

Ultimately, based on some action such as clicking the install button or simply trying to close an alert, the site would attempt to perform an inline install of the extension directly from their site rather than from the Google Chrome Web Store. 

Deceptive page pushing a Chrome Extension
Inline install of a Chrome Extension

An inline install is when a distributor offers an extension directly from a site under their control rather than the Chrome Web Store. Inline installs have been heavily abused by scammers trying to trick users into installing unwanted extensions via deceptive methods.

Due to this abuse, Google has started to deprecate the feature.

⥤  Starting today, inline installation will be unavailable to all newly published extensions. Extensions first published on June 12, 2018 or later that attempt to call the chrome.webstore.install() function will automatically redirect the user to the Chrome Web Store in a new tab to complete the installation.

⥤  Starting September 12, 2018, inline installation will be disabled for existing extensions, and users will be automatically redirected to the Chrome Web Store to complete the installation.

⥤  In early December 2018, the inline install API method will be removed from Chrome 71.

At the current stage of the deprecation, no existing or new extensions can use inline installs, and every extension must now be installed directly from its associated Chrome Web Store page.

Ban inline installs? No problem

The ban on inline installs means that Chrome extensions have to be installed directly from the Chrome Web Store. To get around this, extension developers are simply opening a new window that loads the extension's Chrome Web Store page and resizing that window so it's integrated into their landing page.

For example, below is a landing page for an extension that claims it lets you access popular television sites from your browser. Not sure what they are talking about, but the description on the Chrome Web Store page simply states they will display advertisements on pages you visit.

If a user clicks on the "Start Now" button, the site creates a new window to the corresponding Chrome Web Store extension page, but sizes it so that it is integrated into the landing page and hides most information other than the title and the add button. This allows them to show the Add to Chrome button without a user seeing the description, the reviews, or the number of users who have installed the extension.

As far as the visitor is concerned, this provides an experience similar to an inline install and allows unwanted extension distributors to promote their products in a misleading manner.
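For defenders, the resized pop-up described above can be recognized from the arguments a page passes to `window.open()`. The following is an added example, not code from the article or from Google: it flags calls that open a Chrome Web Store page in a cropped window, and the size thresholds, function names and sample URL are assumptions.

```javascript
// Heuristic for the cropped Web Store pop-up described in the article.
// Hosts are the Chrome Web Store's old and current addresses; the size
// thresholds are assumptions chosen for illustration, not values from the article.
const WEB_STORE_HOSTS = new Set(["chrome.google.com", "chromewebstore.google.com"]);
const MIN_WIDTH = 800;   // assumed: a narrower window hides the listing details
const MIN_HEIGHT = 600;  // assumed

// Parse a window.open() features string such as "width=500,height=200,left=10".
function parseFeatures(features) {
  const out = {};
  for (const part of String(features || "").split(",")) {
    const [rawKey, rawVal = ""] = part.split("=");
    const key = rawKey.trim().toLowerCase();
    if (key) out[key] = rawVal.trim().toLowerCase();
  }
  return out;
}

function isWebStoreUrl(url, base) {
  let u;
  try { u = new URL(url, base); } catch { return false; }
  if (u.protocol !== "https:" || !WEB_STORE_HOSTS.has(u.hostname)) return false;
  // chrome.google.com hosts other things; only /webstore paths count there.
  return u.hostname !== "chrome.google.com" || u.pathname.startsWith("/webstore");
}

// Returns { suspicious, reasons } for one window.open(url, target, features) call.
function classifyWindowOpen(url, features, base = "https://landing.example/") {
  const reasons = [];
  if (!isWebStoreUrl(url, base)) return { suspicious: false, reasons };
  const f = parseFeatures(features);
  const w = parseInt(f.width ?? f.innerwidth, 10);
  const h = parseInt(f.height ?? f.innerheight, 10);
  if (w < MIN_WIDTH) reasons.push(`width ${w} < ${MIN_WIDTH}`);
  if (h < MIN_HEIGHT) reasons.push(`height ${h} < ${MIN_HEIGHT}`);
  if ("left" in f || "top" in f || "screenx" in f || "screeny" in f)
    reasons.push("explicit screen position");
  // Position alone is not enough; a cropped size is the signal.
  const cropped = reasons.some(r => r.startsWith("width") || r.startsWith("height"));
  return { suspicious: cropped, reasons };
}

// Constructed sample calls (the extension ID is a placeholder).
const STORE = "https://chrome.google.com/webstore/detail/example/" + "a".repeat(32);
console.log(classifyWindowOpen(STORE, "width=520,height=180,left=400,top=300"));
console.log(classifyWindowOpen(STORE, ""));
```

The same classifier can be called from a wrapper around `window.open` in a content script or applied to calls extracted from a landing page's scripts during triage.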

With this said, when installing Chrome extensions, only do so by going directly to the Chrome Web Store, where you can see the full description, number of reviews, rating, and more. This way you know what you are getting into before installing an extension that you may regret later.
