Firefox Spyware Add-On Adobe Flash Player 0.2

Martin Brinkmann
Sep 1, 2009
Updated • Feb 15, 2015
Firefox, Firefox add-ons

Security researchers over at Trendmicro have discovered a spyware that is installing itself as an add-on in the popular web browser Firefox.

The add-on, which is then listed in the Firefox add-on manager, goes by the name Adobe Flash Player 0.2. This add-on uses a description that links itself to Adobe Flash Player 10 which makes it look legit on first glance.

Only the low version number and the fact that it is listed under extensions and not plugins may cause suspicion by Firefox users who pay attention.

The majority of users on the other hand may not pay attention to the version number at all assuming that this is just part of Adobe Flash Player now.

The spyware add-on itself is distributed through forums and websites but not the main Firefox add-on repository. Users are once again reminded to only install add-ons from trustworthy sources.

The spyware add-on injects ads into Google search results pages. More disturbing than that is the fact that the Google search history gets transferred to a third party website that is (most likely) run by the developers of the spyware add-on. This means that every Google search query is transferred to the third party server where it is processed and likely sold to the highest bidder or used to display targeted ads to the user.

Trendmicro suspects a change in criminal behavior. The web browser that was targeted the most in past years was Microsoft's Internet Explorer.

The massive number of Firefox  usersmakes it the second most popular web browser after Internet Explorer and some spyware developers may have decided that the critical mass is large enough to develop spyware for that web browser as well. (Via Trendmicro, thanks Jojo for the news).

Update: The situation is about to change. Mozilla has announced protections against third party add-on installations in the Firefox browser that can prevent the majority of insertions in the browser.

Firefox users are still asked to only use the official Mozilla Add-on repository for add-on installations.

Red flags should go up if an add-on is only available on third party websites and not the official Mozilla site. Mozilla checks every add-on, and even every new version of that add-on, before it becomes available publicly in the repository.

Update 2: Firefox blocks add-on installations from third-party sites right now but gives users options to override this to install add-ons anyway. The organization announced that it plans to introduce add-on signing requirements in 2015 to deal with the issue once and for all.


Tutorials & Tips

Previous Post: «
Next Post: «


  1. Doc said on September 2, 2009 at 6:58 pm

    So who is collecting the search results? Can we trace it back to an author so the authorities can press criminal charges? Will Mozilla blacklist this extension (via checksum) so it CAN’T be installed? What can we do?

    1. Martin said on September 2, 2009 at 7:13 pm

      Probably using a hacked server for that purpose.

  2. Virtual_ManPL said on September 2, 2009 at 3:45 pm

    @ Steinsk — and Fx too… with 4s delay to install it or cancel… of course if you know what are you installing…
    and firstly Opera didnt have extensions… ;)

  3. Steinsk said on September 2, 2009 at 10:14 am

    And THIS is why Opera is refusing to open up for extension!!

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.