They say that imitation is the highest form of flattery.
Let’s imagine for a moment that Google Chrome is the coolest kid in the class. All the other browsers look to Chrome to see what it’s wearing, what it brought for lunch and who it’s hanging out with. It’s a powerful trendsetter. Looking for inspiration in its style or presence is understandable and not weird at all.
But then there is the creepy browser. He wears the exact same clothes and copies the way Chrome talks and moves. Even creepier, he tries to convince all their friends that he actually is Chrome. And really, behind the scenes he is even more insidious than that. Not only is he posing as Chrome, he’s saying and doing malicious things that Chrome would never dream of doing.
Made from Chrome so it tastes like Chrome!
Meet eFast, the malicious browser, built on the Chromium open-source platform. eFast is designed to remove Chrome and hijack its file associations, which means that this new program dictates how files on an infected computer run. Then, the pièce de résistance, it fills your computer with adware and redirects web traffic to sites with even more adware and potential malware. It can also, in good malware fashion, track and record your every online move and then phone that information home to any third party willing to be the highest bidder in a closeout sale featuring your data.
The idea of using a browser to foist adware onto computers is nothing new. Browser hijackers, which change the settings on your existing browser to display malicious sites, have been around since people realized that they could make money off of redirecting web traffic and by using pop-ups and pop-unders. What’s remarkable here is that eFast does not merely change settings to display its own malicious site, it actually tries to dump out Chrome altogether. It then goes into all your file settings, previously set to open in Chrome, and directs them to run in eFast. An unsuspecting user may not even realize that he or she isn’t using Chrome until they connect the dots. By that time serious damage may have already taken place.
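One way to check for the file-association takeover described above, as an added example that is not part of the original article: this PowerShell script lists the current user's handlers for web links and HTML files and flags any that do not match the browser you expect. The `$ExpectedProgIdPatterns` allowlist, the list of checked types and the `Get-HandlerCommand` helper are assumptions of this example.

```powershell
# Added example: audit which programs handle web links and HTML files for the current user.
# Assumption: Chrome is the browser you expect; its ProgId starts with "ChromeHTML".
$ExpectedProgIdPatterns = @('ChromeHTML*')

$UrlBase  = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations'
$FileBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts'

# Checked items are an assumption; extend the lists for other types you open in the browser.
$Targets  = @(@('http', 'https') | ForEach-Object {
    [pscustomobject]@{ Item = $_; Key = "$UrlBase\$_\UserChoice" }
})
$Targets += @(@('.htm', '.html') | ForEach-Object {
    [pscustomobject]@{ Item = $_; Key = "$FileBase\$_\UserChoice" }
})

# Hypothetical helper: resolve a ProgId to the command line Windows runs for "open".
function Get-HandlerCommand {
    param([string]$ProgId)
    foreach ($root in 'HKCU:\Software\Classes', 'HKLM:\Software\Classes') {
        $cmdKey = "$root\$ProgId\shell\open\command"
        if (Test-Path $cmdKey) {
            return (Get-Item $cmdKey).GetValue('')   # default value of the key
        }
    }
    return $null
}

$Report = foreach ($t in $Targets) {
    $progId = $null
    if (Test-Path $t.Key) {
        $progId = (Get-ItemProperty -Path $t.Key -Name ProgId -ErrorAction SilentlyContinue).ProgId
    }
    $matchesExpected = [bool]($ExpectedProgIdPatterns | Where-Object { $progId -like $_ })
    [pscustomobject]@{
        Item       = $t.Item
        ProgId     = $progId
        Command    = if ($progId) { Get-HandlerCommand $progId } else { $null }
        Unexpected = [bool]($progId -and -not $matchesExpected)
    }
}

$Report | Format-Table -AutoSize -Wrap

$Unexpected = @($Report | Where-Object { $_.Unexpected })
if ($Unexpected.Count -gt 0) {
    Write-Warning "$($Unexpected.Count) association(s) point to a handler outside the expected list. Review the Command column."
}
```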
Of course, the creators of eFast, ClaraLabs, claim that eFast, just like their other garbage browsers, Unico, Tortuga and BoBrowser among others, is nothing more than a legitimate browser that improves the browsing experience. PCRisk.com, one of the first outlets to report its findings on eFast, points out that “None provide the functionality promised. Adware-type applications such as eFast Browser are designed to generate revenue for the developers. Rather than providing users with valuable functionality, these apps generate intrusive online advertisements (via the ‘Pay Per Click’ [PPC] advertising model), and gather personal data (which is later sold to third party companies).”
eFast is Bundleware
If you find yourself wondering just how eFast makes its way onto users’ computers, understand that eFast is bundleware. In a nutshell, bundleware is any program that is downloaded onto a computer when a user installs wanted, typically free, software. Chances are, the user would have never opted to download such a program, so software installation programs trick users into installing these dangerous and unwanted applications.
Is there any silver lining to this adware-laden rain cloud?
It’s true that we hear about incidents like this constantly and it can be very disheartening to feel like everybody and their mother is out to get you.
But there are a few glimmers of hope in this particular example, some of which are illustrated by @SwiftOnSecurity, a prominent infosec and malware Tweeter. He points out that eFast chose the more convoluted method of dumping out Chrome because Chrome itself has become too difficult to hijack – meaning that Chrome is safer than ever.
Another slip of that silver lining may just be that, in general, adware needs to find craftier ways of infiltrating computers, as security companies have made it much more difficult for adware to find its way onto computers. They have no choice but to grasp at straws, looking for something that might just work.
In fact, having a program like RCS installed would have stopped eFast from ever infiltrating in the first place. In PCWorld.com’s article about eFast, they noted: “How does eFast Browser install itself in the first place? Apparently, it’s just another Potentially Unwanted Program that sneaks itself into software installers. (A program called Unchecky can help with this sort of bundleware.)” (The emphasis is ours.)
So there ya go. Unchecky, which is built into RCS (and just released its latest version, which has been updated within the RCS platform as well), would have stopped eFast in its dirty little tracks. If RCS wasn’t installed beforehand and your computer got infected, you can run RCS now and it will allow you to remove it easily.