{"id":16091,"date":"2019-08-16T14:10:08","date_gmt":"2019-08-16T22:10:08","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/08\/16\/news-9834\/"},"modified":"2019-08-16T14:10:08","modified_gmt":"2019-08-16T22:10:08","slug":"news-9834","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/08\/16\/news-9834\/","title":{"rendered":"QxSearch hijacker fakes failed installs"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Fri, 16 Aug 2019 21:06:16 +0000<\/strong><\/p>\n

Recently, one of the more dominant search hijacker families on our radar has started to display some curious behavior. The family in question is delivered by various Chrome extensions and classified as PUP.Optional.QxSearch<\/a> because of its description in listings of installed extensions, which tells us that \u201cQxSearch configures your default search settings.\u201d<\/p>\n

\n
\"QxSearch<\/a>
<\/figcaption><\/figure>\n<\/div>\n

This branch of the search hijacker family is a clear descendant of SearchPrivacyPlus, which is referenced in our removal guide for a Chrome extension called SD App<\/a>. The Chrome Web Store entries and websites that promote both QxSearch and SearchPrivacyPlus are almost identical. What’s different is that QxSearch tells users that the installation failed or that an extra step is required.<\/p>\n

\n
\"QxSearch<\/figure>\n<\/div>\n

However, despite the message asking users to try again, the extension has already been installed. Curious.<\/p>\n

How can we recognize QxSearch extensions?<\/h3>\n

QxSearch can be found in more than one Chrome extension in the Web Store. We can recognize them by spotting the QxSearch description, which also shows up in the overview section of the store.<\/p>\n

\"QxSearch
QxSearch configures your default search settings<\/em><\/figcaption><\/figure>\n

At the moment, these extensions are installed from the Web Store after a redirect from sites that are served up by ad-rotators. The sites all look similar, showing a prompt that tells users, \u201cFlash SD App required to proceed\u201d and a button marked \u201cBrowse Safely\u201d that leads to the extension in the Web Store.<\/p>\n

\"Typical<\/figure>\n

In the Web Store, another common denominator so far has been the \u201cOffered by: AP\u201d subhead.<\/p>\n

\n
\"offered<\/figure>\n<\/div>\n

During the installation, the \u201cPermissions prompt\u201d will show that the extension reads and changes your data on a number of websites:<\/p>\n

\n
\"number<\/figure>\n<\/div>\n

Using the \u201cShow Details\u201d link will show users that the sites they want to read and change belong to some of the most commonly-used search engines, including Google, Bing, and Yahoo.<\/p>\n

\n
\"show
Bing.com, booking.com, google.com, yahoo.com, and appsearch.xyz are the domains targeted by this search hijacker.<\/em> <\/figcaption><\/figure>\n<\/div>\n

The hijacker intercepts searches performed on these domains and redirects the user to a domain of their own, showing the search results while adding some sponsored results at the top.<\/p>\n

We are not sure whether the behavior of showing a failed install notification is by design or just sloppy programming, but given the fact that the \u201cerror\u201d hasn\u2019t been corrected after a few weeks, this leads us to believe it might be on purpose. <\/p>\n

Looking at the installation process, it looks as if the fail occurs when the extension is due to add an icon to the browser\u2019s menu bar. As a result, these hijackers do not display an icon\u2014a handy way to make them more difficult to remove.<\/p>\n

Protection against QxSearch<\/h3>\n

Malwarebytes removes these extensions and blocks the known sites that promote these extensions. <\/p>\n

\"Malwarebytes<\/figure>\n

It is useless to blacklist the extensions, because a new one is pushed out at least once every day. So instead, we’ll show you some typical trademarks that they have in common so you can recognize them\u2014and avoid them.<\/p>\n

IOCs of QxSearch<\/h3>\n

Search result domains:<\/p>\n