Adrozek Malware Infects Popular Browsers

image credit: Microsoft

published by Chand Bellur
December 12, 2020 at 3:08 p.m.

  • A new malware attack masquerading as a harmless audio app can steal passwords and inject ads into search results.
  • Known as Adrozek, the malware can infect Chrome, Firefox, Edge, and other browsers running on Windows 10.
  • macOS is not known to be affected by Adrozek.
  • Firefox users should be especially vigilant, as the malware can steal saved passwords from the browser.
  • The Adrozek malware has been in circulation since at least May of 2020.

Adrozek Malware Infects Popular Windows 10 Browsers

macOS users can rejoice. With all of the bad news about security flaws in Apple products, the latest round of malware doesn’t seem to affect the Mac at all. Dubbed “Adrozek”, the latest Windows 10 malware inserts additional ads into search results while stealing saved passwords from Firefox users.

Western Europe and India seem to be hotspots for the “browser modifier” malware. Adrozek puts a sophisticated twist on one of the oldest forms of attack. Unlike other browser modifier attacks, this one can infect multiple browsers and, in some cases, steal user credentials.

Adrozek’s goal is to profit from affiliate programs. By hijacking search results, the malware injects ads that benefit its creator.

This latest malware attack harms users by tampering with search results, and, in the case of Firefox, enabling hackers to steal saved passwords. Although it’s possible to remove the malware, it’s best to change all saved passwords after removing it if you use Firefox.

Adrozek Infects Windows 10 Machines With “Drive-By Download”

The latest bout of Windows malware takes advantage of “drive-by” downloads, which, unfortunately, Microsoft still hasn’t patched. The attack generates an installer name on the fly, helping it evade less sophisticated security software.

There are two types of drive-by download attacks on Windows 10. One method tries to trick the user into installing an app. The app may seem legit; however, it contains a malicious payload. The other, more dangerous drive-by attack installs files without user consent. Adrozek appears to be the former type of drive-by download, where users are encouraged to download what looks like an audio app but is actually malware.

How to Avoid Adrozek

The best way to avoid Adrozek is to use common sense. Don’t download and install software from an unknown source. Specifically, the Adrozek installer presents as an executable file named “setup_<application name>_<numbers>.exe”. For example, if you see an executable named “setup_audioapp_2376374627.exe”, it may be the Adrozek malware. The second and third sections of the file name are generated and will be different from this example. Don’t install anything like this!
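As an added illustration (not code from the article or from Microsoft), here is a small Python heuristic that flags file names following the “setup_<application name>_<numbers>.exe” scheme described above, which you could point at a Downloads folder. The regular expression and the sample file names are assumptions constructed for this example; a matching name is only a reason to look closer, not proof of infection.

```python
import re
from pathlib import Path
from typing import Iterable, List

# Heuristic for the naming scheme the article describes:
# setup_<application name>_<numbers>.exe (case-insensitive).
# The application-name section may itself contain underscores, so it is
# matched permissively; the last section must be all digits.
ADROZEK_NAME_RE = re.compile(r"^setup_.+_\d+\.exe$", re.IGNORECASE)


def is_adrozek_style_installer(filename: str) -> bool:
    """Return True if the bare file name matches the installer naming scheme."""
    return ADROZEK_NAME_RE.match(filename) is not None


def flag_suspicious_names(names: Iterable[str]) -> List[str]:
    """Return the names that match the scheme, preserving their order."""
    return [n for n in names if is_adrozek_style_installer(n)]


def scan_folder(folder: Path) -> List[str]:
    """Scan one folder (e.g. a user's Downloads directory) for matching files."""
    return flag_suspicious_names(p.name for p in folder.iterdir() if p.is_file())


# Constructed sample file names for a stand-alone run (not real indicators).
SAMPLE_NAMES = [
    "setup_audioapp_2376374627.exe",  # the example name quoted in the article
    "Setup_SoundBooster_9917.EXE",    # same scheme, different letter case
    "setup_audio_app_123.exe",        # underscore inside the app-name section
    "setup_audioapp.exe",             # no numeric section: not flagged
    "firefox-installer.exe",          # ordinary installer name: not flagged
    "notes.txt",
]

if __name__ == "__main__":
    for name in flag_suspicious_names(SAMPLE_NAMES):
        print("suspicious installer name:", name)
    # Uncomment to check your own Downloads folder:
    # print(scan_folder(Path.home() / "Downloads"))
```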

Once the installer runs, it deploys the payload, which disguises itself as an audio app. Sites attempting to infect browsers with the malware will likely offer a free audio app. The site may claim the audio app is necessary to access content. Avoid installing any suspicious audio software with questionable file names.

Adrozek propagates through only 159 domains. This makes it highly unlikely that you will encounter the virus in routine web browsing. According to Microsoft, malicious websites distributed the malware to hundreds of thousands of users. While this may seem like a lot, there are over a billion Windows 10 users worldwide. It’s highly improbable that Adrozek has infected your computer.

Microsoft Defender can now recognize the malware. Microsoft’s security software comes standard with Windows 10. As long as you haven’t deactivated Microsoft Defender, it should prevent you from installing the Adrozek malware.

How to Detect Adrozek

It’s easy to detect an Adrozek malware infection. Simply search for the term “xbox”. If you see search results with extra ads, as shown on the right side of the image, your system is infected. If your results match the expected search results shown on the left side, your machine is clean.

image credit: Microsoft

India and Western Europe are ground zero for Adrozek malware. If you live in these areas, it’s best to inspect your browsers as soon as possible.

How to Remove Adrozek

Microsoft recommends re-installing the infected browser to remediate Adrozek malware. The company also advises running Windows 10 updates automatically to ensure that software is up-to-date. Firefox users infected with Adrozek should change all saved passwords, as the browser retains them after re-installation.

Microsoft claims that Microsoft Defender Antivirus, pre-installed with Windows 10, can detect Adrozek using machine learning. It’s unclear why hundreds of thousands of users ended up with the malware. It’s possible that their systems were out of date, or that Microsoft Defender did not yet recognize the malware in its early days.

Adrozek reminds us that we must all be vigilant and look out for malware. Because we won’t know where it will come from next, it’s best to err on the side of caution. If you’re about to install some unknown app, do a little research about it and the domain hosting the download. 

If a website doesn’t have a valid SSL certificate, don’t download its software. This usually means that the domain is too shady to be issued an SSL certificate from a trusted provider. Unfortunately, you can’t always trust SSL because some domains can generate valid SSL certificates and still distribute malware. If you’re not tech-savvy, your best bet is only downloading software from the Microsoft Store.

Use Google Instead of Bing

Google is very adept at de-indexing malicious sites. In my own experience and research, bad actors can easily manipulate Microsoft Bing. Using Google, you’re less likely to encounter a malicious site, which should minimize any drive-by malware installation attempts.

If you use the Edge browser on Microsoft Windows, it defaults to using Bing. Here’s how to configure Microsoft Edge to use Google instead of Bing:

  • Launch Microsoft Edge.
  • Click the “…” button on the top right of the browser.
  • Click on Settings.
  • Click on Privacy & Services on the left Settings panel.
  • Scroll to the bottom of the screen and click on Address Bar.
  • Change “Search engine used in the Address bar” to Google.

image credit: Google
