Opera blacklisted the version of Tampermonkey that is currently offered on the Chrome Web Store as it is being installed by Windows malware. This prevents the extension from working in the Opera browser.

Opera users who installed Tampermonkey 4.7.54 from the Chrome Web Store found out today that the browser has blacklisted the extension. When they open the browser's extensions list, they are greeted with a red message stating that the extension was blocked because Opera "identified this extension as malicious and have blacklisted it. This means it can no longer cause any damage to your machine. You can leave it as is, or remove it."

Tampermonkey 4.7.54 Blacklisted

On the other hand, users who installed Tampermonkey from the Opera store would not have any problems, because it is the older 4.2.5291 version.

When Tampermonkey developer Jan Biniok heard about the issue and contacted Opera, he was told that the browser company has detected malware installing the version of Tampermonkey found on the Chrome Web Store with extension ID dhdgffkkebhmkfjojejmpbldmpobfkfo, using alternative distribution options. What this means is that the extension was being installed manually via the Registry or a JSON file.

Tampermonkey dev's response

The message then goes on to say that the installed extension is being "used as a vehicle to circumvent our acceptance criteria for browser extensions."

This is where it gets a bit confusing, as they don't really explain what the actual issue is. Is the extension being modified, which means it's not the same extension anymore as the one on the Chrome Web Store and should not be blocked, or is it being used by another program/extension to bypass the acceptance criteria?

Unfortunately, BleepingComputer does not have the answers to this at this time and has reached out to Opera for more information.

When we saw this story first reported by TechDows, BleepingComputer began researching malware samples and was able to discover a sample of an adware called Gom Player that is installing the Chrome Web Store version of Tampermonkey. Gom Player is known for modifying browser behavior, injecting ads, and changing search behavior in browsers.

This type of program may be utilizing an extension like Tampermonkey to facilitate the injection of ads or other malicious behavior. This does not mean that Tampermonkey is malicious, but rather that a malicious program is utilizing a legitimate program for bad behavior.

As you can see from this sample on VirusTotal, Gom Player is manually installing the dhdgffkkebhmkfjojejmpbldmpobfkfo extension to the victim's drive. 

Gom Player Writing the Extension to the Drive

It is not uncommon for malware, especially adware bundles, to manually install malicious extensions in this way. We have also seen legitimate "helper" extensions installed by adware bundles in the past.

If Opera is blacklisting the extension simply because it is being used for malicious purposes, that would be a strange decision.

Removing the blacklist for this extension in Opera

At this time, we do not 100% know the reasons for Opera blacklisting the version on the Chrome Web Store, so my advice is to wait until we hear more before attempting to circumvent the blacklist.

With that said, if you are convinced the version is harmless and require that specific one, you can remove the blacklist by editing Opera's Preferences file. You can do this by following the instructions offered by Venkat of TechDows.

  1. Close Opera

  2. Open Notepad

  3. Open the following file: %UserProfile%\AppData\Roaming\Opera Software\Opera Stable\Preferences

  4. Search for dhdgffkkebhmkfjojejmpbldmpobfkfo in the file and you should see text similar to the following. The text in the file has had spaces removed, which makes it hard to see exactly what you are looking for, so we highlighted it in the image below.

    Blacklisted Extension in Preferences File
  5. To remove the blacklist, change "blacklist":true to "blacklist":false and change "blacklist_state":1 to "blacklist_state":0 as shown in the image below.

    Blacklist Removed
  6. Now save the Preferences file and close it.

  7. Reopen Opera and Tampermonkey should be working again.
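
Before changing anything, it helps to read the entry and see how the extension got onto the machine. The following read-only audit is an added example, not code from the article or from Opera: it searches a Preferences JSON document for the extension ID and reports the blacklist flags named above. The `location` field and its install-source codes are taken from upstream Chromium and assumed to apply to Opera, and the sample input is constructed.

```python
import json
import sys

EXT_ID = "dhdgffkkebhmkfjojejmpbldmpobfkfo"  # extension ID quoted in the article

# Install-source codes as defined in upstream Chromium's manifest location enum.
# Assumption: Opera stores the same values in its Preferences file.
LOCATIONS = {
    1: "internal (installed from a store)",
    2: "external JSON preferences file",
    3: "external Windows Registry entry",
    4: "unpacked (developer mode)",
}

def find_entries(node, ext_id):
    """Yield every dict stored under a key equal to ext_id, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == ext_id and isinstance(value, dict):
                yield value
            yield from find_entries(value, ext_id)
    elif isinstance(node, list):
        for item in node:
            yield from find_entries(item, ext_id)

def audit(prefs_text, ext_id=EXT_ID):
    """Return one report per matching entry. Nothing is written back."""
    reports = []
    for entry in find_entries(json.loads(prefs_text), ext_id):
        loc = entry.get("location")
        reports.append({
            "blacklisted": bool(entry.get("blacklist"))
                           or entry.get("blacklist_state", 0) != 0,
            "location": loc,
            "source": LOCATIONS.get(loc, "unknown"),
            # Registry or JSON sideloading, the two routes the article mentions.
            "sideloaded": loc in (2, 3),
        })
    return reports

# Constructed sample mimicking the space-free text of a Preferences file.
SAMPLE = ('{"extensions":{"settings":{"dhdgffkkebhmkfjojejmpbldmpobfkfo":'
          '{"blacklist":true,"blacklist_state":1,"location":3}}}}')

if __name__ == "__main__":
    # Pass the path to the Preferences file, or run with no argument for the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for report in audit(text):
        print(report)
```

An entry reported as sideloaded was not installed by the user from a store page, which is a reason to look for the installing program rather than to lift the blacklist.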
