MetaMask, an application that links regular internet browsers to the Ethereum blockchain, was removed from Google download sites and replaced by a fraudulent version for a few hours.
This is incredible. Google removed the real @metamask_io from their Web Store, leaving behind a fake one which uses official branding. Play Store also has a fake MetaMask, which uses a known phishing address. What are you doing, Google!? pic.twitter.com/C7dnVndpX3
— Sampson (@jonathansampson) July 25, 2018
What is MetaMask?
MetaMask, according to its website, is “a bridge that allows you to visit the distributed web of tomorrow in your browser today.”
It provides an interface that allows users of the Chrome, Firefox, Opera, and Brave browsers to use decentralised networks. Users open an encrypted account which lets them send Ethereum and access Ethereum-enabled websites.
It was delisted from the Android and Chrome application stores earlier today and returned five hours later.
PSA: MetaMask has been delisted from the Chrome Web Store. We are unsure of why this is the case and we will update everyone as we get more information. All other browsers are unaffected.
— MetaMask (@metamask_io) July 25, 2018
Google has offered no explanation as to why this happened, but it has been theorised that it got caught up in a sweep of cryptocurrency mining applications (MetaMask is not a mining application).
Chrome has banned crypto mining addons. They are probably using an automated system that banned Metamask based on keywords that are similar to those in mining addons.
— The Cryptophiliac (@thecryptophilia) July 25, 2018
Users soon noticed that in the absence of the genuine application, a version using a known phishing address was available instead.
The @metamask_io currently listed in the @googlechrome app store is a fake, phishing app. Do NOT download. The real MetaMask extension has been removed this morning without explanation. Follow @metamask_io for updates. pic.twitter.com/4CPS3wfFqE
— Augur (@AugurProject) July 25, 2018
Phishing is when a thief tricks people into sending money to a wallet the thief controls under false pretences; in this case the fake extension was built around a wallet address already known to be used for such scams. It is not yet known how many people fell for it.
Shortly afterwards, MetaMask published a retrospective analysis on Medium. It revealed that the removal was discovered only when a staff member happened to notice it: Google did not send a notification, although Google claims that it did and that the email bounced.
The post identifies three problems highlighted by this occurrence. First, how can a product defend itself against such arbitrary decisions? Second, how can phishing be avoided? That is to say, how can an application warn everyone of a fraudulent download if it no longer has an official presence on the platform? And finally, how can decentralised applications overcome central points of failure such as the application stores they depend on for distribution?
Fake applications and Google security
In January 2018, a security firm called RiskIQ discovered that hundreds of fraudulent cryptocurrency applications were available for download from the Apple or Google application stores. Specifically, 661 blacklisted programmes were discovered, of which 272 were on Google.
Such was the scale of the problem that a fraudulent version of MyEtherWallet was at one point the third most-downloaded application from the Apple Store in December 2017, despite charging people $4.99 when the genuine version was free.
Google banned all cryptocurrency advertising in March 2018 as a response to the infestation of scams. Earlier this week it began displaying Coinbase adverts again, which was seen as a positive development for the cryptocurrency industry. However, today’s events have shown that it still has some work to do in terms of security procedures.