This nasty malware is infecting every web browser — what to do now

A gang of crooks is infecting Chrome, Firefox, Edge and other browsers with malware that hijacks search results with injected ads and sometimes also steals user passwords and other login credentials, Microsoft said yesterday (Dec. 10, 2020) in a blog post.

The malware strain, which Microsoft calls Adrozek, infects Windows machines through "drive-by downloads": as soon as a browser loads one of more than 2 million malicious web pages, the page tries to push an installer past the browser's defenses.

The malware, which constantly changes its code (it is polymorphic) to evade signature-based antivirus detection, installs itself under the guise of a normal audio-related program.

"At its peak in August, the threat was observed on over 30,000 devices every day," Microsoft said, adding that the malware campaign is still operating. "End users who find this threat on their devices are advised to re-install their browsers."

Adrozek specifically targets Mozilla Firefox, Google Chrome, the new Microsoft Edge browser and the Yandex browser, widely used in Russian-speaking countries. Microsoft's report names only those four, but because the latter three are all built on the Chromium open-source browser, other Chromium-based browsers such as Brave, Opera and Vivaldi should be treated as potentially affected too.

You'll be able to tell you're infected if a whole lot of weird-looking web links appear in your search results, as in the image below. The links aren't necessarily malicious in themselves, but the crooks behind Adrozek earn a few pennies every time someone clicks on one.

Screenshot comparison of regular search results and search results with ads injected by Adrozek malware. (Image credit: Microsoft)

How to get rid of and avoid Adrozek malware

Normally, you can get rid of browser-hijacking adware by resetting Chrome or Firefox to their default settings.

But Adrozek burrows deep into the browsers: it alters or mimics legitimate extensions, switches off security protections, disables automatic updates, alters Registry entries and even creates a separate Windows service so that it keeps running independently of the browser. Getting rid of it therefore takes a lot more.

You'll have to delete Firefox and all Chromium-based browsers entirely, including their profile data, since that is where the altered settings and extensions live (export your bookmarks first), run a malware scan with your choice of the best antivirus software, reboot the PC, run the malware scan again, and only then reinstall your browsers and import the saved bookmarks.
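The check a practitioner would want before and after that procedure is a read-only look for the three kinds of tampering the article describes: browser auto-updates switched off, an unfamiliar auto-start Windows service, and altered or non-store extensions. The script below is an added example, not from the original article or from Microsoft's report; it runs in an elevated PowerShell prompt on Windows and only reads. The registry policy values and profile paths are the documented default locations for Chrome, Edge, Firefox and Yandex Browser; the two heuristics (an extension not installed from the store, and a file written more than ten minutes after its manifest.json) are assumptions of this example and produce leads for manual review, not an Adrozek verdict.

```powershell
# Added triage example (not from the article or from Microsoft's report).
# Read-only: it lists leads for manual review and removes nothing. Run elevated.
$findings = New-Object 'System.Collections.Generic.List[string]'

# --- 1. Auto-update policies: a hijacker that switches updates off keeps the browser unpatched ---
# Documented policy locations; assumption: default installs with no enterprise management.
$updatePolicies = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Update';        Name = 'UpdateDefault';    Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'; Name = 'UpdateDefault';    Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox';      Name = 'DisableAppUpdate'; Bad = 1 }
)
foreach ($p in $updatePolicies) {
    $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($p.Name) -eq $p.Bad) {
        $findings.Add("Update policy: $($p.Path)\$($p.Name) = $($p.Bad)")
    }
}
# Firefox also reads per-profile prefs; look for the auto-update pref forced to false.
$ffProfiles = "$env:APPDATA\Mozilla\Firefox\Profiles"
Get-ChildItem "$ffProfiles\*\prefs.js", "$ffProfiles\*\user.js" -ErrorAction SilentlyContinue |
    Select-String -Pattern 'user_pref\("app\.update\.auto",\s*false\)' |
    ForEach-Object { $findings.Add("Firefox pref: $($_.Path):$($_.LineNumber) $($_.Line.Trim())") }

# --- 2. Auto-start services whose binary is unsigned, has a broken signature, or is missing ---
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } | ForEach-Object {
    # PathName may be quoted and carry arguments, e.g. "C:\Program Files\x\y.exe" --flag
    if ($_.PathName -match '^\s*"?([^"]*?\.exe)') {
        $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') {
                $findings.Add("Service '$($_.Name)' binary $exe signature: $($sig.Status)")
            }
        } else {
            $findings.Add("Service '$($_.Name)' points at a missing binary: $exe")
        }
    }
}

# --- 3. Chromium extensions: non-store installs, and files written after the extension was installed ---
$userData = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data",
    "$env:LOCALAPPDATA\Yandex\YandexBrowser\User Data"
)
foreach ($root in $userData) {
    foreach ($prefFile in Get-ChildItem "$root\*\Secure Preferences" -ErrorAction SilentlyContinue) {
        $prefs    = Get-Content -LiteralPath $prefFile.FullName -Raw | ConvertFrom-Json
        $settings = $prefs.extensions.settings
        if ($null -eq $settings) { continue }
        foreach ($ext in $settings.PSObject.Properties) {
            # location 1 = installed from the store (Chromium's Manifest::Location). Anything else
            # (unpacked, external registry/pref install, command line) deserves a look; built-in
            # component extensions may also appear here and are expected.
            if ($ext.Value.location -ne 1) {
                $findings.Add("Extension $($ext.Name) in profile '$($prefFile.Directory.Name)': location=$($ext.Value.location) path=$($ext.Value.path)")
            }
        }
    }
    # Chromium writes a whole extension version directory at install. A file whose write time is
    # well after manifest.json (assumed heuristic: more than 10 minutes) was added or altered later.
    foreach ($manifest in Get-ChildItem "$root\*\Extensions\*\*\manifest.json" -ErrorAction SilentlyContinue) {
        Get-ChildItem -LiteralPath $manifest.DirectoryName -Recurse -File |
            Where-Object { ($_.LastWriteTime - $manifest.LastWriteTime).TotalMinutes -gt 10 } |
            ForEach-Object { $findings.Add("Modified after install: $($_.FullName)") }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No update-policy, service or extension anomalies found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it once before the removal steps to record what was there, and again after the reinstall: anything that reappears in the second run, in particular an auto-start service that is back or an update policy that is off again, means the persistence outside the browsers was not removed and the antivirus pass needs another look.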

To avoid Adrozek infection, keep your browsers up to date at all times and, well, use one of the best antivirus programs.

Such drastic removal actions might not be entirely justified if Adrozek simply added dodgy search results. Perfectly legal if ethically dubious "unwanted programs" do this all the time. 

But because Adrozek actively steals saved passwords from Firefox, and disables automatic updates and security settings on all the browsers it targets, it qualifies as honest-to-goodness malware and needs to be removed ASAP. Once it is gone, change any passwords that were saved in Firefox, since you should assume they have been copied.

"While the malware's main goal is to inject ads and refer traffic to certain websites, the attack chain involves sophisticated behavior that allows attackers to gain a strong foothold on a device," the Microsoft blog post said. "The addition of credential-theft behavior shows that attackers can expand their objectives to take advantage of the access they're able to gain."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • Kcrowz
    You say that the crooks behind Adrozek are paid for each click on their "weird-looking" web links, and you show a screenshot of these links, which appear to be Xbox pages. Are those payments coming from Xbox? I mean, if you assume that their income is derived from the companies that show up in the search, it would be pretty easy to "follow the money" and find out who the crooks are. Or are the weird links themselves to fake pages? Just curious...
  • Bahus
    Kcrowz said:
    You say that the crooks behind Adrozek are paid for each click on their "weird-looking" web links, and you show a screenshot of these links, which appear to be Xbox pages. Are those payments coming from Xbox? I mean, if you assume that their income is derived from the companies that show up in the search, it would be pretty easy to "follow the money" and find out who the crooks are. Or are the weird links themselves to fake pages? Just curious...

    Those links aren't legit Xbox links and they are not paid by Xbox. The links are to fake websites pretending to be Xbox. Probably serving more malware. The 'download and download free' is a warning sign, as Xbox and Microsoft would never advertise like this.