PSA: Remove malicious browser extension Nano Adblocker /Defender etc.

[German]Users of the Google Chrome browser or its chromium derivatives (Google Chrome, Edge etc.), as well as Firefox and Safari, should check whether the extensions Nano Adblocker or Nano Defender and other components from the Nano project are installed. If so, remove these extensions, because the project has been sold and the new (Turkish) developers have obviously started to integrate malicious functions that extract data.


I confess, I've messed it up, because I had read a note from my colleagues at German site a week ago and planned to blog about – but it got lost under a big pile of other notes. Now the topic has fallen on my feet again in two places during the night.

What are the nano extensions?

Nano Adblocker and Nano Defender are browser extensions for browsers that promise adblocker and protection features. Both extensions are based on the so-called nano core, which contains features of uBlock Origin. In the readme files there is talk about 'upstream' which is used to share the code, whereby upstream links to the GitHub page of uBlock Origin, a project of the developer Raymond Hill (gorhill).

The two extensions Nano Adblocker and Nano Defender, if my information is correct, were created by a developer in 2019 as part of a nano project and are offered for Chromium-based browsers as well as Firefox and Safari. The extensions were also available in the stores for Google Chrome etc. and probably got 300.000 downloads.

Project sold to two Turkish developers

However, the developer of the nano-core components lacked the time to further develop the project – he wrote that he was lagging behind upstream. A developer (jspenguin2017) in the nano-core project wrote in this GitHub announcement in early October 2020 that he had sold the project. I will pull it out in case this post is deleted.

Important updates and disclaimers: The WebStore listings are no longer under my control. I am not responsible for the actions of the new developer(s). If you feel concerned about the recent changes (please continue reading for more information), please remember that you can uninstall the extensions and/or find alternatives at any time.

As some of you might have noticed, Nano Adblocker is now months behind upstream. It became clear that I simply do not have enough time to properly maintain the Nano projects.

At the beginning, there were no backlogs. As the projects grow, I added a backlog system to better manage open issues. That was unfortunately not enough, so I added another level of backlog — the triage queue. Then a third level. And a fourth one. Now the fourth level of backlog, the notification queue, has over 138 issues waiting for my attention. No matter how well I organize incoming issues, if I do not have enough time to look into them, I will simply fall further and further behind. With thousands of issues backlogged, it is only a matter of time that the Nano projects collapse.

And here comes the news. New developer(s) are in the process of acquiring Nano Adblocker and Nano Defender. Hopefully, they will be able to put an end to this backlog madness and finally give Nano Adblocker some real development time instead of constantly trying to catch up to upstream. The transition is still taking place, so I would like to ask for your patience. I will have more details about this in the upcoming days or weeks.

Compactly summarized: The developer does not have the time to maintain the project. He put the project in the hands of new developers, but they soon announced that they would create their own GitHub repositories. So the project is no longer under the control of the original developer.


Malicious code now shipped with the extensions

A week ago, there were several websites where the extensions can be found, which stated that the nano-core and the extensions were no longer under the control of the original developers. Raymond Hill (gorhill), the developer of uBlock Origin then inspected the source code of the new version (Nano Defender and saw that it contains a file connect.js. This calls code from * so that user activity and data in the browser can be transmitted to remote servers. The colleagues from have pointed this out in this article; gorhill's explanations can be read here.

Malware in Nano-Extensions

German blog reader Marc Stüttem then reminded me of the topic in this comment yesterday (thanks for that), and via the above tweet I saw that ArsTechnica published this article on the topic. On October 20, 2020 a security expert by the name of Christopher Partridge unraveled the whole mess in this blog post. Here is the excerpt:

The following Chrome extensions were purchased by a malware author from their original authors, and all users of these extensions within the affected time frame should be considered at risk, as Chrome's extensions are updated automatically.

Chris lists the following extension or components that should be removed from your systems:

  • User-Agent Switcher
  • Nano Adblocker
  • Nano Defender

The colleagues at indicate, that the following components should be removed also:

  • Nano Contrib Filter – Placeholder Buster
  • Nano Defender Integration
  • Nano filters
  • Nano filters – Annoyance
  • Nano filters – Whitelist

Because these components were also sold. Martin Brinkmann had already presented this in more detail on October 16, 2020 on in this article. The ArsTechnica article linked above summarizes this again. All in all the mixture is quite confusing, so you have to check for each platform where the extensions are hosted, if the original developer is still in control. On ArsTechnica you can find the following comment, which the authors have highlighted:

Zirconium Hacker Smack-Fu Master, in training

I was affected by this because I used Nano Defender to supplement uBlock Origin. It was completely unexpected that this open source extension would suddenly change hands, with no warning aside from some information on GitHub that I didn't read until it was too late. There is nothing I could have done… and now I have an Instagram account filled with likes that aren't mine. I'm glad that's all, I guess – they could have done much worse.

In general I would postulate at this point: With browser extensions the user lost control over his data – and I recommend to remove all that extension stuff from your browser.

Cookies helps to fund this blog: Cookie settings

This entry was posted in browser, Security, Software and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.