A German blog reader, an administrator in an enterprise environment, emailed me yesterday about an unpleasant observation: the Google Chrome browser is automatically creating shortcuts or installing its own apps in their Windows environment. After I published the German edition of this blog post, I got more confirmations, but it is currently not clear what triggers this behavior or how to prevent it. Addendum: Linux is also affected.
A reader's report
German blog reader Andreas G. works in the IT department of an organization where Google Chrome is probably in use. The MSI installations of the Google Chrome client are distributed via a Unified Endpoint Management solution from baramundi.
The baramundi Management Suite is a desktop or client management software from the German company baramundi software GmbH. The solution makes it possible to automate routine tasks such as installation, distribution, inventory, protection and backup. The reduction in workload is cited as a major advantage.
In his message, Andreas reported on an observation that causes issues for administrators in enterprise environments:
Hello Mr. Born,
For a few days now, we have had the phenomenon that Google Chrome automatically installs its own apps/shortcuts on our Windows clients.
The installation is mostly done randomly; it doesn't matter if Chrome has just been installed or if it has been on the computer for a while.
Since these are corporate devices, these shortcuts are not desired, as they encourage the use of these services.
Google Chrome is managed on our end via GPOs, we have not been able to find any settings that prevent this "installation".
Maybe you have the possibility to find out more through your outreach, as we haven't found anything suitable on the net about this so far.
P.S. the Chrome MSI is provided to us by/via Baramundi.
The screenshot above shows that the Chrome browser has installed apps from GSuite on the client. There is a Google post, "Richer UI install available for desktop", from the end of April 2023, but a quick search didn't find anything that addresses the above issue of automatic app installation. Only this reddit.com post asks how Google can install web apps without the user's consent, but it refers to a current Google Chrome beta on Ubuntu.
Asked my blog readers
In the German edition of this blog post, I then asked whether anybody else had observed similar behavior and, if so, whether a fix is known. This Google support post, which I found, is focused on mobile devices and did not seem to help. The support article here also does not seem to prevent that behavior.
But I received more confirmations on Twitter, on Facebook and in comments on my German blog. Some may be found in the German post.
A Microsoft Answers forum post
Also, searching for "Chrome has installed apps Windows" gave me a hit (also mentioned by HugBunter0815 in this comment): the MS Answers forum post "Chrome has installed shortcuts as apps in Add/Remove Programs. Some of these shortcuts/apps will not uninstall. How do I get rid of them?". There it says on July 4, 2023:
Most of these shortcuts/apps uninstalled, but some still remain. Right-clicking>uninstall is not removing them from the list. Any suggestions?
An infected Chrome can be ruled out in this context; the affected person refers to an MSI installer from Google that was used.
Post in Google's support site after a hack
In addition, a new search using the above pattern brought to my attention a post in the Google support forum dated August 4, 2023, from which I have extracted some relevant passages:
Google web apps keep installing on their own sneakily onto my Windows devices.
Dear Google Android,
My Gmail account recently has got hacked and Google didn't notify me. The scammer is now in my Google proxy network but Google Play scanner couldn't identify any harmful apps at all.
On 28th July 2023, one of my home PCs connected to Google services, with Passkeys registered, was scammed and hacked in a way out of sudden, my Windows 10 pro device with almost complete Google manipulation in the Windows Registry, installed by itself, without my consent, authorization, knowing and awareness, the following Google apps and programs onto my machine.
The unauthorized installation of Google apps included:
YouTube, Slides Sheets, Docs, Google Drive, Gmail etc.
The official Chrome web app page should appear with its interface by default but acts strangely recently.
At first the page appeared with default but duplicated apps both colored and uncolored of the app logos themselves, which page I bookmarked for long on my Google Chrome home page.
Due to the strange behaviors of Chrome web app page, I deleted and eradicated all apps and everything in fear of and being skeptical that my Passkeys had brought and redirected me to a zee Google Chrome home page.
That would be the "Google account hacked" issue again, meaning something is infected. But I am not sure whether this case matches the above observation. Affected readers may want to go through the post on Google's support pages. There hasn't been an answer there yet.
Linux/Ubuntu also affected
Addendum: German blog reader benjamin just contacted me by e-mail and wrote that he has observed the same behavior on Ubuntu:
Last week I rebuilt my computer with the current Ubuntu LTS and then included the Google Linux repository, then I installed Google Chrome and all the Google shortcuts as shown by you in the screenshot also appeared with me under Gnome.
When installing Chrome on Ubuntu, Google puts shortcuts to all apps under ~/.local/share/applications/. What you see with me is the remaining one for Chrome itself.
Benjamin writes that everything works without root permissions (thanks for the feedback). So I guess my subsequent theories about certain Windows software being the culprit can be nixed. It really seems to be stuck somewhere in the Chrome Installer.
macOS is also affected, according to the comment below.
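An added example (not from the original post or from Google): a shell function that inventories the launchers benjamin describes under ~/.local/share/applications/. It assumes that Chrome-created web-app launchers can be recognized by an `--app-id=` argument in their `Exec=` line; `make_sample_dir` and the app ID it writes are constructed for a dry run.

```shell
#!/bin/sh
# Inventory Chrome web-app launchers in a freedesktop applications directory.
# Assumption: such launchers carry "--app-id=<id>" in their Exec= line.

# list_chrome_webapp_shortcuts DIR
# Prints one tab-separated line per match: file name, app id, display name.
list_chrome_webapp_shortcuts() {
    dir="${1:-$HOME/.local/share/applications}"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.desktop; do
        [ -f "$f" ] || continue              # glob matched nothing
        # First Exec= line of the launcher (the main entry).
        exec_line=$(grep -m1 '^Exec=' "$f" || true)
        case "$exec_line" in
            *--app-id=*) ;;                  # web-app launcher, report it
            *) continue ;;                   # ordinary launcher, skip
        esac
        app_id=${exec_line#*--app-id=}       # drop everything up to the id
        app_id=${app_id%%[[:space:]]*}       # drop trailing arguments
        name=$(grep -m1 '^Name=' "$f" | cut -d= -f2-)
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$app_id" "$name"
    done
}

# Constructed sample data: one web-app launcher and one ordinary launcher.
make_sample_dir() {
    d=$(mktemp -d)
    id=aaaabbbbccccddddeeeeffffgggghhhh      # constructed app id
    printf '%s\n' '[Desktop Entry]' 'Name=Docs' \
        "Exec=/opt/google/chrome/google-chrome --profile-directory=Default --app-id=$id" \
        > "$d/chrome-$id-Default.desktop"
    printf '%s\n' '[Desktop Entry]' 'Name=Text Editor' 'Exec=gedit %U' \
        > "$d/org.gnome.gedit.desktop"
    echo "$d"
}

# Scan the directory given as first argument, or the current user's default.
list_chrome_webapp_shortcuts "${1:-$HOME/.local/share/applications}"
```

Run per user account, since the directory is per user; the output can be collected centrally to see which clients received the shortcuts and when.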
The question of the root cause
The exciting question that remains is whether the cause of this behavior can be found with the help of the readership. Affected users should clarify whether malware or an account hack could be the cause (I think this is less likely among administrators in corporate environments, but it cannot be excluded).
Baramundi also does not seem to be the culprit, because I got feedback from administrators who do not use this software. It seems that the Chrome MSI installer is somehow involved.
In a comment, German reader Bernd mentions the "Lenovo View Driver" as a possible cause. The question here would be whether all the others affected are also running on Lenovo machines. Perhaps the readership's collective knowledge can deliver an answer as to what is going on.