Is FlashPeak Inc. shipping Slimjet browser with a backdoor?

Slimjet[German]Is the Slimjet browser (a Google Chrome clone) moving towards Mozilla? Or does the developer moves to ship potentially unwanted software or even a backdoor? Within this blog post I address a a very strange observation some blog readers are observed.


Advertising


What is Slimjet browser?

The Slimjet browser is a clone of the Google Chrome browser, which has been enriched with helpful additional functions like popup blocker etc. The browser can be downloaded free of charge from the website www.slimjet.com.

Slimjet

The developer of this browser is the Austin, Texas (USA), based software producer FlashPeak Inc. I had introduced Slimjet browser a while ago and wrote a German blog post Angetestet: Der Slimjet-Browser, ein Chrome-Clone with an introduction.

Strange things I’ve noticed so far

Personally, I only use the portable version of this browser, so nothing needs to be installed. Since a while Slimjet isn’t much used here for a simple reason. A year ago I ran into serious issues with this browser. Whenever I uploaded images (as part of my blog activities) to an image hoster, I could no longer edit them locally on my computer. Slimjet blocked the image until I ended the the browser and all processes (Google Chrome didn’t have this issue).

And something else came up to me while writing the blog post. I don’t know if this already happened when I introduced the browser. But FlashPeak Inc. is promoting an affiliate program. If I advertise the browser here in the blog and convince (or trick) readers to install it, I would (if I register as a partner) get 0.5 US $ from each installation.


Advertising

A strange observation from a blog reader

A few days ago German blog reader Guido contacted me with a very strange observation he made. Here is the translated text:

I downloaded the Slimjet browser from the official vendor site and after the installation I found not Slimjet as a process in the task manager, but Mozilla. Although I didn’t have Mozilla installed.

I also looked in the Control Panel into Uninstall Programs and noticed that a new program named 2.1.2.3 appeared there.

The Mozilla logo was displayed in the Taskmanger autostart. The entry in the autostart was called Update and was marked with the icon of Mozilla.

I didn’t see this entry in msconfig when I went to hide all Microsoft services.

Furthermore, two folders were created, which are called AMozilla. I could not get a logical explanation with these things and completely reset my machine, Windows 10 Pro version 1709. Now the bad behavior is over and I won’t install Slimjet again.

Do you already have any knowledge about my experiences? You can also contact me via e-mail. I was very insecure after installing the browser Slimjet. Maybe the site was compromised? I’m afraid I have no idea what’s going on. Slimjet’s not part of Mozilla now, is he?

Strange stuff! Convering the last question: To my knowledge FlashPeak Inc. does not belong to Mozilla Inc. A short test of the portable version, which I quickly downloaded again, showed nothing. So I ran the web installer in a Windows 10 virtual machine. I can’t confirm the observations of the blog reader regarding task manager and autostart. If FlashPeak Inc. runs a test, and every 100th user gets an experimental browser, I could test indefinitely without observing this issue.

Slimjet-Uninstaller-Eintrag

I would not have blogged about that, if I hadn’t found two weird things. Once I found the entries from the picture above in the control panel under Windows 10 V1709. The FlashPeak slimjet entry size is 0, while there is another entry 2.1.2.3 without many more details. The 27.5 MByte and the installation date showed me that it is connected to the Slimjet install. This runs in the direction of the experiences described by the blog reader

Mozilla-Slimjet-Logo?

And there’s another strange thing. I unpacked the web installer with a tool (but was only partially successful). But I could find a damaged icon (see picture above) in the destination folder. Even, if the image is damaged, that’s a Mozilla logo – and the word ‘Firefox’ can also be seen in the lower left part of the defective image. There’s something in the bush. That was the point where I decided to publish an article within my German blog.

A Reader confirmed it

Shortly after the German article went online, blog reader Nobody commented on March 8, 2018:

The strange observations are correct.

I just installed the Slimjet browser using an offline installer (Windows 32-bit) on Windows 7.

A Firefox process wants to access the Internet during installation. However, he was blocked by the firewall. Under “msconfig” there is an entry “Firefox” at autostart. The application is located in:

User name > AppData > Roaming > RecovObj

After installation you can also find the following folders:

Username > AppData > Roaming > AMozilla > AFirefox
Username > AppData > Local > AMozilla > AFirefox

Very strange that.

In an addendum this blog reader confirmed, that the mysterious program entry 2.1.2.3 with a size of 70,7 MB may be also be found in control panel under “Programs and features”.

Is it a backdoor, as a reader suggest?

On March 21, 2018 I received another comment from a blog reader using the alias Miss Finland. The text was already in English, so I don’t need to translate:

Hallo. Doing this in english. I saw the same thing and found it to be a chinese backdoor sending data to uknnown destination. The FF-lookalike-application is found in

C:\Users\ \AppData\Roaming\RecovObj\

and it´s done by yunbi888.net that seems to be a spam / pornhub / botnet-thingy.

I got this from the official download of [Slimjet version] 18. Going back to 17.0.9 didn´t helt because this RecovObj-folder stayed in another place than the rest of Slimjet.

Download the official Malwarebytes which is free for 14 days. It discovers the outgoing data and pops up a message in about ten minutes where the backdoor sits on your computer.

I am not sure if it is a crypto currency miner or something, but sure it drained the processor up to 14-19% . I had the updated version in only three days and nights. Panda Antivirus didn´t find anything, nor did other security checks.

Within a 2nd comment the Blog reader added: You have to stop the Firefox-application from Process control before you can delete the stuff in RecovObj. I deleted everything, including the RO-folder. Just wishing it didn´t copy clicks or other vital information. I will run Panda and Malwarebytes again in the afternoon just to crosscheck everything.

Since a few days, there is also this entry within slimjet forum. Although this thread was started at March 19, 2018, no official answer from FlashPeak Inc. has been given yet. Since other users aren’t observing this behavior, the thread is ‘dead’.

This was the point, where I decided to warn also readers of my English blog and like to ask: Have any of you made similar observations or can anyone make any sense of it? In a 2nd blog post, I will describe tomorrow another ‘nasty’ thing, I observed with Slimjet browser.


Advertising


This entry was posted in browser, Security and tagged , , . Bookmark the permalink.

1 Response to Is FlashPeak Inc. shipping Slimjet browser with a backdoor?

  1. Anarchist Node 7 says:

    I would not believe anyway in such shady small browsers or developers.

    If you want to use something, use either Chromium – if you value more privacy away from Google or Edge and… if you can live with Mozilla throwing morality away with abandoning their origin user base for Chrome users and focusing on numbers counting more than delivering a unique software… then count in also Firefox as browser which you can use.

    All other browser forks are not up to date with security and get security patches at some later point which is utterly not acceptable.

    That is the choice you have and you also should make use of if you like to be secure.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is using cookies, see more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close