On Friday, infosec celebrity Swift on Security pointed out a new piece of adware called the “eFast Browser.” It does the kind of malicious crap that we’ve all seen quite often over the years: throwing pop-up and pop-under ads on your screen, putting other ads into your web pages, pushing you towards other websites with more malware, and (of course) tracking your movements on the web so that nefarious marketers can send more crap your way.
But what’s nefariously intriguing about this software is that it isn’t trying to hijack your current browser, it’s straight-up replacing it. As reported by Malwarebytes, eFast tries to delete Chrome and take its place, hijacking as many link and file associations as it can. Its icon and window looks a lot like Chrome’s and it’s based on the open source Chromium project in the first place, so it acts a lot like Chrome too. The software comes from a company calling itself Clara Labs, which is actually behind a slew of similar browsers with names like BoBrowser, Tortuga, and Unico.
The weird thing about this software is that it’s actually kind of good news, security wise. As Swift on Security points out, it’s easier for malware to just try to replace your browser than it is to infect it. That’s because Chrome moved toward locking down extensions by requiring that they come through Google’s web store (and thereby Google’s code review and code signing). Mozilla’s Firefox and Microsoft’s Edge browsers are moving in the same direction. So while replacing your whole browser isn’t totally new for malware, the fact that it’s the best vector for attack now might be.
According to PCrisk, eFast and its ilk try to get on your computer by burrowing themselves into the installers for free software from dubious sources on the web. It should be relatively easy to avoid installing it and, fortunately, should also be relatively easy to uninstall if you’ve found it on your computer.