Is FlashPeak Inc. shipping Slimjet browser with a backdoor?

Slimjet[German]Is the Slimjet browser (a Google Chrome clone) moving towards Mozilla? Or does the developer moves to ship potentially unwanted software or even a backdoor? Within this blog post I address a a very strange observation some blog readers are observed.


Advertising

What is Slimjet browser?

The Slimjet browser is a clone of the Google Chrome browser, which has been enriched with helpful additional functions like popup blocker etc. The browser can be downloaded free of charge from the website www.slimjet.com.

Slimjet

The developer of this browser is the Austin, Texas (USA), based software producer FlashPeak Inc. I had introduced Slimjet browser a while ago and wrote a German blog post Angetestet: Der Slimjet-Browser, ein Chrome-Clone with an introduction.

Strange things I've noticed so far

Personally, I only use the portable version of this browser, so nothing needs to be installed. Since a while Slimjet isn't much used here for a simple reason. A year ago I ran into serious issues with this browser. Whenever I uploaded images (as part of my blog activities) to an image hoster, I could no longer edit them locally on my computer. Slimjet blocked the image until I ended the the browser and all processes (Google Chrome didn't have this issue).

And something else came up to me while writing the blog post. I don't know if this already happened when I introduced the browser. But FlashPeak Inc. is promoting an affiliate program. If I advertise the browser here in the blog and convince (or trick) readers to install it, I would (if I register as a partner) get 0.5 US $ from each installation.


Advertising

A strange observation from a blog reader

A few days ago German blog reader Guido contacted me with a very strange observation he made. Here is the translated text:

I downloaded the Slimjet browser from the official vendor site and after the installation I found not Slimjet as a process in the task manager, but Mozilla. Although I didn't have Mozilla installed.

I also looked in the Control Panel into Uninstall Programs and noticed that a new program named 2.1.2.3 appeared there.

The Mozilla logo was displayed in the Taskmanger autostart. The entry in the autostart was called Update and was marked with the icon of Mozilla.

I didn't see this entry in msconfig when I went to hide all Microsoft services.

Furthermore, two folders were created, which are called AMozilla. I could not get a logical explanation with these things and completely reset my machine, Windows 10 Pro version 1709. Now the bad behavior is over and I won't install Slimjet again.

Do you already have any knowledge about my experiences? You can also contact me via e-mail. I was very insecure after installing the browser Slimjet. Maybe the site was compromised? I'm afraid I have no idea what's going on. Slimjet's not part of Mozilla now, is he?

Strange stuff! Convering the last question: To my knowledge FlashPeak Inc. does not belong to Mozilla Inc. A short test of the portable version, which I quickly downloaded again, showed nothing. So I ran the web installer in a Windows 10 virtual machine. I can't confirm the observations of the blog reader regarding task manager and autostart. If FlashPeak Inc. runs a test, and every 100th user gets an experimental browser, I could test indefinitely without observing this issue.

Slimjet-Uninstaller-Eintrag

I would not have blogged about that, if I hadn't found two weird things. Once I found the entries from the picture above in the control panel under Windows 10 V1709. The FlashPeak slimjet entry size is 0, while there is another entry 2.1.2.3 without many more details. The 27.5 MByte and the installation date showed me that it is connected to the Slimjet install. This runs in the direction of the experiences described by the blog reader

Mozilla-Slimjet-Logo?

And there's another strange thing. I unpacked the web installer with a tool (but was only partially successful). But I could find a damaged icon (see picture above) in the destination folder. Even, if the image is damaged, that's a Mozilla logo – and the word 'Firefox' can also be seen in the lower left part of the defective image. There's something in the bush. That was the point where I decided to publish an article within my German blog.

A Reader confirmed it

Shortly after the German article went online, blog reader Nobody commented on March 8, 2018:

The strange observations are correct.

I just installed the Slimjet browser using an offline installer (Windows 32-bit) on Windows 7.

A Firefox process wants to access the Internet during installation. However, he was blocked by the firewall. Under "msconfig" there is an entry "Firefox" at autostart. The application is located in:

User name > AppData > Roaming > RecovObj

After installation you can also find the following folders:

Username > AppData > Roaming > AMozilla > AFirefox
Username > AppData > Local > AMozilla > AFirefox

Very strange that.

In an addendum this blog reader confirmed, that the mysterious program entry 2.1.2.3 with a size of 70,7 MB may be also be found in control panel under "Programs and features".

Is it a backdoor, as a reader suggest?

On March 21, 2018 I received another comment from a blog reader using the alias Miss Finland. The text was already in English, so I don't need to translate:

Hallo. Doing this in english. I saw the same thing and found it to be a chinese backdoor sending data to uknnown destination. The FF-lookalike-application is found in

C:\Users\ \AppData\Roaming\RecovObj\

and it´s done by yunbi888.net that seems to be a spam / pornhub / botnet-thingy.

I got this from the official download of [Slimjet version] 18. Going back to 17.0.9 didn´t helt because this RecovObj-folder stayed in another place than the rest of Slimjet.

Download the official Malwarebytes which is free for 14 days. It discovers the outgoing data and pops up a message in about ten minutes where the backdoor sits on your computer.

I am not sure if it is a crypto currency miner or something, but sure it drained the processor up to 14-19% . I had the updated version in only three days and nights. Panda Antivirus didn´t find anything, nor did other security checks.

Within a 2nd comment the Blog reader added: You have to stop the Firefox-application from Process control before you can delete the stuff in RecovObj. I deleted everything, including the RO-folder. Just wishing it didn´t copy clicks or other vital information. I will run Panda and Malwarebytes again in the afternoon just to crosscheck everything.

Since a few days, there is also this entry within slimjet forum. Although this thread was started at March 19, 2018, no official answer from FlashPeak Inc. has been given yet. Since other users aren't observing this behavior, the thread is 'dead'.

This was the point, where I decided to warn also readers of my English blog and like to ask: Have any of you made similar observations or can anyone make any sense of it? In a 2nd blog post, I will describe tomorrow another 'nasty' thing, I observed with Slimjet browser.


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in browser, Security and tagged , , . Bookmark the permalink.

5 Responses to Is FlashPeak Inc. shipping Slimjet browser with a backdoor?

  1. Anarchist Node 7 says:

    I would not believe anyway in such shady small browsers or developers.

    If you want to use something, use either Chromium – if you value more privacy away from Google or Edge and… if you can live with Mozilla throwing morality away with abandoning their origin user base for Chrome users and focusing on numbers counting more than delivering a unique software… then count in also Firefox as browser which you can use.

    All other browser forks are not up to date with security and get security patches at some later point which is utterly not acceptable.

    That is the choice you have and you also should make use of if you like to be secure.

  2. Musa says:

    Check out that forum post you mentioned and you'll see that the user admits that he downloaded a fake .exe file. https://www.slimjet.com/en/forum/viewtopic.php?f=5&t=1816

  3. Remil G. says:

    Color me worried! I'm using SlimJet on Linux as a test, while I have something like ten different browsers installed. I had SlimJet installed for 2 years but did not use it, till this past week (December 2020), because for some reason in the back of my mind I did not trust it.

    So after I downloaded and installed the latest version, I did some research myself, and here are a few observations:

    1. An extension, GNOME Shell Extension, is installed by default, and is apparently the system admin of the browser, and can control the browser remotely. It seems next to impossible to uninstall that extension, which is the main reason I didn't use the browser initially.

    2. On SlimJet's website there is no mention of who the coders are behind the browser, and even an online search (including about Flashpeak Inc.) delivered no info. That is very, very strange. Every other browser out there list the software developers, even with photos of them. But… I can say with almost certainty the coders behind SlimJet are Chinese.

    3. Why? At the bottom of their website is a link, Learn Chinese', that leads to a website outside their domain. Why would a browser developer wants one to learn Chinese so much that they will place the link in there permanently?

    4. A law in China makes it compulsory for any company – especially IT ones – to hand over any data collected about its users, to the Chinese government. Despite FlashPeak Inc. allegedly being in Austin, Texas (it can be a shell company in the US just to generate trust that it's an American company), who is to say the coders aren't Chinese citizens residing in the US, while sending collected data from there to their masters in China? The Chinese government is known for keeping their citizens abroad in check by keeping their families back in China on a tight rope. And it is no secret that China is on a massive data-collection drive about Westerners using various means.

    5. SlimJet is a great, useful browser that can match the big names when it comes to smooth operation and functionality, no doubt about that. The coders behind it must be very competent, and geared towards meeting the needs of users. Almost on a state-actor spy hacker level of proficiency, if you catch my drift. So why then does Flashpeak only have 6 followers on LinkedIn?

    6. SlimJet repeatedly says everywhere that no data is sent to Google, giving it the allure of being a secure, non-spying browser. However, unlike Chromium and Firefox, SlimJet is not open-source. Why not? Never mind the god Google that knows everything about us all now, where is SlimJet sending our data to?

    I would like the author of this blog to investigate this browser and get to the bottom of it. I am inclined to say a nest of international spying will be uncovered. If it wasn't that I came across this article, I would have blogged about this myself on one of my blogs.

  4. Advertising

  5. marinus says:

    Hmm. Sounds plausible- no smoke without fire, right? But, bottom line, so what?
    Privacy is gone, it's like the dodo, and anybody who parks any financial data on his/her computer is an idiot. Browse as securely as you can but don't expect much.
    On a 3rd-party website, filerrors.com (?) a FileJet optimizer app was recommended and linked to. Guess what- turned out to be a scam- the old computer optimizer/cleaner one wherein the company discovers just hundreds!! of viruses and so on but needs you to pay for the other half of the program to remove them!
    May not be SlimJet but i'll bet it is. I'll watch for performance abnormalities even more closely from now on, but will still use SJ, because this sh*t is everywhere, and this is a sweet little light browser. Watch your ass kids…
    SJ user in Vancouver.

  6. Gary says:

    Yep, it's obviously Chinese with a very small profile. Nobody else would create a browser and keep their developers so secret. Thanks for the warning! The only thing worse that Google is China.

Leave a Reply to marinus Cancel reply

Your email address will not be published. Required fields are marked *