[German]I received yesterday a report from a German blog reader and administrator in an enterprise environment just emailed me about an unpleasant observation. The Google Chrome browser is automatically creating shortcuts or installing its own apps in their Windows environment. After I published the German edition of this blog post, I got more confirmation, but currently there isn't clear, what triggers this nor how to prevent this behavior. Addendum: Linux is also affected.
Advertising
A reader's report
German blog reader Andreas G. in the IT department of an organization where Google Chrome is probably in use. The distribution of the MSI installations for the Google Chrome client is done via a Unified Endpoint Management solution from baramundi.
The baramundi Management Suite is a desktop or client management software from German baramundi software GmbH. The solution makes it possible to automate routine tasks such as installation, distribution, inventory, protection and backup. The reduction in workload is cited as a major advantage.
In his message, Andreas reported on an observation that causes issues for administrators in enterprise environments:
Hello Mr. Born,
since a few days we have the phenomenon that Google Chrome automatically installs its own apps/shortcuts on our Windows clients.
The installation is mostly done randomly, it doesn't matter if Chrome has just been installed or if it has been on the computer for a while.
Since these are corporate devices, these shortcuts are not desired, as they encourage the use of these services.
Google Chrome is managed on our end via GPOs, we have not been able to find any settings that prevent this "installation".
Maybe you have the possibility to find out more through your outreach, as we haven't found anything suitable on the net about this so far.
P.S. the Chrome MSI is provided to us by/via Baramundi.
The screenshot above shows that the Chrome browser has installed apps from GSuite on the client. There is a Google post Richer UI install available for desktop from the end of April 2023, but a quick search didn't find anything that addresses the above issue of automatic app installation. Only this reddit.com post asks how Google can install web apps without the user's consent, but it refers to a current Google Chrome beta on Ubuntu.
Asked my blog readers
Then I've published the German edition of this blog post, whether somebody else observed a similar behavior and if yes, whether a fix is known. This Google support post, which I've found, is focused on mobile device and seemed not to help. And the support article here seems also not preventing that behavior.
But I received more confirmations on Twitter, on Facebook and within comments of my German blog. Some may be found in his German post.
Advertising
An Microsoft Answers forum post
Also, searching for "Chrome has installed apps Windows" gave me the hit (also mentioned by HugBunter0815 in this comment) on the MS Answers forum post Chrome has installed shortcuts as apps in Add/Remove Programs. Some of these shortcuts/apps will not uninstall. How do I get rid of them?. Some of these shortcuts/apps will not uninstall. How do I get rid of them? ejected. There it says on July 4, 2023:
Most of these shortcuts/apps uninstalled, but some still remain. Right-clicking>uninstall is not removing them from the list. Any suggestions?
The reference to an infected Chrome can be ruled out in context, the affected person refers to an MSI installer from Google that was used.
Post in Google's support site after a hack
In addition, a new search using the above pattern brought to my attention a post in the Google support forum resulting from August 4, 2023, from which I have now extracted some relevant passages:
Google web apps keep installing on their own sneakily onto my Windows devices.
Dear Google Android,
My Gmail account recently has got hacked and Google didn't notify me. The scammer is now in my Google proxy network but Google Play scanner couldn't identify any harmful apps at all.
On 28th July 2023, one of my home PCs connected to Google services, with Passkeys registered, was scammed and hacked in a way out of sudden, my Windows 10 pro device with almost complete Google manipulation in the Windows Registry, installed by itself, without my consent, authorization, knowing and awareness, the following Google apps and programms onto my machine.
The unauthorized installation of Google apps included:
YouTube, Slides Sheets, Docs, Google Drive, Gmail etc.
The official Chrome web app page should appear with its interface by default but acts strangely recently.
At first the page appeared with default but duplicated apps both colored and uncolored of the app logos themselves, which page I bookmarked for long on my Google Chrome home page.
Due to the strange behaviors of Chrome web app page, I deleted and eradicated all apps and everything in fear of and being skeptical that my Passkeys had brought and redirected me to a zee Google Chrome home page.
That would be the "Google account hacked" issue again and something is infected. But I am not sure if the case meets the above observation. Concerned people may go through the Google post on Google's support pages. There hasn't been an answer there yet.
Linux/Ubuntu also affected
Addendum: German blog reader benjamin just contacted my by e-mail and wrote, that he has observed the same behavior in Ubuntu:
Last week I rebuilt my computer with the current Ubuntu LTS and then included the Google Linux repository, then I installed Google Chrome and all the Google shortcuts as shown by you in the screenshot also appeared with me under Gnome.
When installing Chrome on Ubuntu, Google puts shortcuts to all apps under ~/.local/share/applications/. What you see with me is the remaining one for Chrome itself.
Benjamin writes that everything works without root permissions (thanks for the feedback). So I guess my subsequent theories about certain Windows software being the culprit can be nixed. It really seems to be stuck somewhere in the Chrome Installer.
macOS is also affected, according to the comment below.
The question of the root cause
Now the exciting question remains, whether a cause for this behavior can be found out with the help of the readership. Affected users should clarify whether malware or an account hack could be the cause (I think it is less likely from the circle of administrators in the corporate environment, but not excluded).
Also Baramundi seems not the culprit, because I got feedback from administrators, not using this software. It seems that the Chrome msi installer is somehow involved.
In a comment, German reader Bernd mentions the "Lenovo View Driver" as a possible cause. The question here would be whether all the others affected are also running on Lenovo machines. Perhaps the crowd knowledge can deliver an answer, what's going on.
I've created now a bug report here. And I created this entry at patchmanagement.org, where some discussions, what investigations from others may be found.
This occurred to me on several machines. I have Chrome installed, but I do not login with a Google account. This occurred for me on Windows 10 Lenovo PCs, but also VMs running 2022. I found this forum post a few days ago, https://support.google.com/chrome/thread/230620632/how-to-prevent-chrome-from-auto-installing-web-apps?hl=en#redirected=true. Cannot find any other information on this issue. Hopefully we can get Google to respond.
For me, they "uninstall" but they do not leave the registry. So they are forever stuck there.
Are those keys not able to be deleted manually?
We have the same issue since a week ago or so, and we have 100% HP machines so its not the case of Lenovo.
Not only has this been happening on Linux, and Windows, this has been happening to very few of our macOS machines. We install Chrome Enterprise and 1 out of every 10 will get these Google apps. The apps are usually found ~/Applications/Chrome Apps.
The same installer is used on all machines.
It happens on my Asus laptop. The google apps have installed twice now, both times I removed them. I have scanned my laptop and no malware etc was present that I could find.
The second time they installed I got a chrome popup wanting to install disney+ web app when I logged into disney+. I declined the request
Same issue for me, working in an enterprise environment with about 40K clients. Found the issue during testing of version: 116.0.5845.111 downloaded from google enterprise site. No malware etc, installation was made on clean VM's in production environment.
Had a look around registry etc and found that its installing per user and not for machine. This complicates a removal process even more if i was to attempt to remove it. And there seems to be no silent switches.
What did you find in the registry? I just did a search in the registry and I could not locate anything
All of the google apps are installed in user registry. Here is example (Google Drive):
HKEY_USERS\{User-SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\a0b650f419b9828adc53a1bfd53765d5
UninstallString: "C:\Program Files\Google\Chrome\Application\chrome.exe" –profile-directory=Default –uninstall-app-id=aghbiahbpaijignceidepookljebhfak
I push above command and ask users to approve removal. But we need a silent switch to do this without user intervention. Also, since this is installed as user app, user must be logged in to remove it.
Google is causing headaches to users, and especially admins. I am on verge of banning Chrome from our machines because of this BS.
There's already open a bug for this: https://bugs.chromium.org/p/chromium/issues/detail?id=1476987
A solution that worked for me is: https://www.reddit.com/r/sysadmin/comments/15yzno9/comment/jyfw3r7/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button
I had the same issue, but the "applications" were actually shortcuts in my case. The shortcuts were all in Users/%username%/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Chrome Apps. If that is your situation, a batch file running on login can delete them. I hope that's your situation.