
This nasty malware is infecting every web browser — what to do now


A gang of crooks is infecting Chrome, Firefox, Edge and other browsers with malware that hijacks search results with ads and sometimes even steals user passwords and other login credentials, Microsoft said yesterday (Dec. 10) in a blog post. 

The malware strain, which Microsoft calls Adrozek, infects Windows machines via "drive-by downloads" that try to get through browser defenses as soon as a browser loads one of more than 2 million malicious web pages. 

The malware, which constantly changes its code to avoid traditional antivirus detection, installs itself as what seems to be a normal audio-related program.

"At its peak in August, the threat was observed on over 30,000 devices every day," Microsoft said, adding that the malware campaign is still operating. "End users who find this threat on their devices are advised to re-install their browsers."

Adrozek specifically targets Mozilla Firefox, Google Chrome, the new Microsoft Edge browser and the Yandex browser, widely used in Russian-speaking countries. But as the latter three all are based on the Chromium open-source browser, other browsers such as Brave, Opera and Vivaldi should also be considered vulnerable.

You'll be able to tell you're infected if you get a whole lot of weird-looking web links in your search results, as in the images below. The links aren't necessarily malicious, but the crooks behind Adrozek get a few pennies every time someone clicks on one of them.


Screenshot comparison of regular search results and search results with ads injected by Adrozek malware. (Image credit: Microsoft)

How to get rid of and avoid Adrozek malware

Normally, you can get rid of browser-hijacking adware simply by resetting Chrome or resetting Firefox.

But Adrozek burrows deep into the browsers, altering or mimicking legitimate extensions, switching off security protections, disabling automatic updates and even altering Registry entries and creating a separate Windows service to run independently, so getting rid of it requires a lot more. 

You'll have to delete Firefox and all Chromium-based browsers entirely (make sure you save your bookmarks first), run a malware scan with your choice of the best antivirus software, reboot the PC, run the malware scan again and then reinstall your browsers and import your saved bookmarks. 
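The changes described above (disabled automatic updates, altered Registry entries, a separate Windows service, altered or look-alike extensions) are the kind of thing a browser reset never touches, which is why the article's removal steps are so heavy. The following PowerShell triage script is an added example, not code from the article or from Microsoft, that reads those classes of setting on a Windows PC so you can see what has been changed before you start deleting browsers. The registry policy paths, value names and the Chrome Web Store update URL it uses are real browser policy locations and values; the assumption that Adrozek touches exactly these is mine, not the article's, and the service-path check produces a list to review by eye, not a verdict.

```powershell
# Added triage example (not from the article or from Microsoft). Read-only: it
# changes nothing, it only reports settings that match the behaviours the
# article attributes to Adrozek. Run from an elevated PowerShell prompt.

function Get-BrowserUpdatePolicy {
    # Real browser policy locations. On a home PC these keys are normally
    # absent; a value that turns updates off and was not set by IT is suspect.
    # (Assumption: adware that "disables automatic updates" uses these keys.)
    $policies = @(
        @{ Browser = 'Firefox'; Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox';   Name = 'DisableAppUpdate'; Bad = 1 },
        @{ Browser = 'Chrome';  Path = 'HKLM:\SOFTWARE\Policies\Google\Update';      Name = 'UpdateDefault';    Bad = 0 },
        @{ Browser = 'Edge';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'; Name = 'UpdateDefault';  Bad = 0 }
    )
    foreach ($p in $policies) {
        $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
        $state = if ($null -eq $item) { 'not set (normal)' }
                 elseif ($item.($p.Name) -eq $p.Bad) { 'UPDATES DISABLED' }
                 else { "set to $($item.($p.Name))" }
        [PSCustomObject]@{ Browser = $p.Browser; Policy = "$($p.Path)\$($p.Name)"; State = $state }
    }
}

function Get-ServicesOutsideProgramDirs {
    # Lists services whose executable is not under Program Files or Windows.
    # Legitimate software sometimes lives elsewhere (e.g. ProgramData), so
    # treat the output as a review list rather than a verdict.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $cmd = $_.PathName
        if (-not $cmd) { return }
        # Strip surrounding quotes and arguments to isolate the executable path.
        $exe = if ($cmd.StartsWith('"')) { $cmd.Split('"')[1] } else { $cmd.Split(' ')[0] }
        $trusted = $false
        foreach ($root in $roots) {
            if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
        }
        if (-not $trusted) {
            [PSCustomObject]@{ Service = $_.Name; StartMode = $_.StartMode; State = $_.State; Executable = $exe }
        }
    }
}

function Get-ChromeExtensionInventory {
    # Enumerates installed Chrome extensions for the default profile and notes
    # whether each manifest points at the Chrome Web Store for updates.
    # A missing or non-store update_url means the extension was not installed
    # through the store and deserves a closer look.
    $extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
    if (-not (Test-Path $extRoot)) { return }
    Get-ChildItem -Path $extRoot -Recurse -Filter manifest.json -ErrorAction SilentlyContinue | ForEach-Object {
        try { $m = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json } catch { return }
        [PSCustomObject]@{
            Id          = $_.Directory.Parent.Name
            Name        = $m.name
            Version     = $m.version
            FromWebStore = [bool]($m.update_url -like 'https://clients2.google.com/service/update2/crx*')
            Path        = $_.Directory.FullName
        }
    }
}

Write-Host '== Browser auto-update policies =='
Get-BrowserUpdatePolicy | Format-Table -AutoSize
Write-Host '== Services running from outside Program Files / Windows (review) =='
Get-ServicesOutsideProgramDirs | Format-Table -AutoSize
Write-Host '== Chrome extensions in the default profile =='
Get-ChromeExtensionInventory | Format-Table -AutoSize
```

Save the output before you uninstall anything: the list of odd services and non-store extensions is what you will want to compare against after the reinstall and second scan, to confirm the persistence pieces did not survive.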

To avoid Adrozek infection, keep your browsers up-to-date at all times and, well, use one of the best antivirus programs. 

Such drastic removal actions might not be entirely justified if Adrozek simply added dodgy search results. Perfectly legal if ethically dubious "unwanted programs" do this all the time. 

But because Adrozek actively steals saved passwords from Firefox, and disables automatic updates and security settings on all browsers, it qualifies as honest-to-goodness malware and needs to be removed ASAP.

"While the malware's main goal is to inject ads and refer traffic to certain websites, the attack chain involves sophisticated behavior that allow attackers to gain a strong foothold on a device," the Microsoft blog post said. "The addition of credential-theft behavior shows that attackers can expand their objectives to take advantage of the access they're able to gain."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.