Adblocker Extension for Chrome Hid Monero Miner

An adblock extension for Google Chrome was discovered to contain a JavaScript Monero miner within it. The Chrome extension, known as SafeBrowse, was meant to help users block advertising scripts which force users to wait and look at, or click on, an advertisement before proceeding to a page. These advertisements are often hosted by Adfly or Linkbucks. SafeBrowse has become the first, and so far the only, Google Chrome extension that was discovered to contain a cryptocurrency miner. In the last update to the SafeBrowse Chrome extension, the Coinhive JavaScript Monero miner was secretly bundled with the extension. Coinhive is a project that originated on a German image board. Recently, one of the world’s largest torrenting sites, The Pirate Bay, began running the same JavaScript Monero miner on its website.

While CPU and GPU mining of Bitcoin isn’t really practical anymore, other cryptocurrencies such as Monero are able to be mined using CPUs and GPUs. Monero and other cryptocurrencies based on CryptoNote, such as Fantomcoin, Bytecoin, Boolberry, and DarkNetCoin, use the CryptoNight proof-of-work mining algorithm. These CryptoNote based cryptocurrencies are resistant to ASIC and FPGA mining, which is what has made Bitcoin mining difficult, expensive, and impractical to mine through JavaScript miners like Coinhive. The Coinhive Monero miner only utilizes a user’s CPU to mine Monero coins, and does not utilize a user’s GPU for mining. Now that Coinhive’s miner is becoming more well known, more websites and software are being discovered using the miner to force users into unknowingly earning cryptocurrency for pirates and unscrupulous software providers.

Original reports on the Monero miner being added to the SafeBrowse extension focused only on the version of the extension for Google Chrome, however, the extension is also available for Firefox, Safari, and Internet Explorer. The extension has been classified as a browser hijacker. It is said to change a user’s default search engine and homepage on their web browsers. Removing SafeBrowse from a computer running Microsoft Windows is not as simple as uninstalling the extension. BleepingComputer has a guide on removing SafeBrowse for Microsoft Windows users.

After news broke about the hidden Monero miner inside of the SafeBrowse extension, Google removed the SafeBrowse extension from its Chrome Web Store. But before Google could pull the plug on the SafeBrowse extension, over 140,000 users had installed it. Immediately after the extension was updated to include the Coinhive JavaScript Monero miner, users began leaving bad reviews, saying that the extension was using up their system resources. “Huge CPU usage,” one user commented on the SafeBrowse user reviews on the Google Chrome Web Store. “Overly CPU intensive,” user Joshpower 9 commented in his review of SafeBrowse. Some users had suspected that the updated version of SafeBrowse contained a cryptocurrency miner in it. “There’s a bitcoin miner in this extension,” user Ahmed Shahin speculated in his review of SafeBrowse.

SafeBrowse’s Google Chrome extension is set to automatically update, and so most users who had installed the SafeBrowse extension received the updated extension which contained the hidden Coinhive Monero miner. The version of SafeBrowse which implemented the Coinhive Monero miner is version 3.2.25. When the system’s task manager is brought up, the increase in CPU usage was made easily apparent. Users are also able to detect the increase in CPU usage by looking at the Google Chrome browser’s internal task manager. Both the system task manager and the browser task manager show that the SafeBrowse extension was using around 60% of CPU resources.

The makers of SafeBrowse deny that they are responsible for the update which included the Coinhive Monero miner. They claim that they have not updated the SafeBrowse extension for months, and that the last version they released is version 3.2.1. The SafeBrowse creators are claiming that hackers were responsible for version 3.2.25, the update which includes the Coinhive Monero miner. If it is true that hackers are the ones responsible for the update, that could mean many other extensions for Google Chrome are “infected” with cryptocurrency miners, or worse, backdoors.