Meet eFast: This Malware REPLACES Your Browser With Adware

Matthew Hughes 20-10-2015

Malware that targets the browser is nothing new. But malware that replaces an already existing browser with one designed to track online movements, hijack search traffic, and fill each page with unwanted adverts? Yeah, that’s pretty interesting.


The eFast Browser was discovered by the MalwareBytes team a few days ago, and it does all of the above, and more.

Pulling an eFast One

Perhaps the worst thing about eFast Browser is that unless you’re especially observant, you might not even notice it’s there, as it takes great pains to camouflage itself.

For starters, it looks and feels like the bona-fide Chrome browser The Easy Guide to Google Chrome This Chrome user guide shows everything you need to know about the Google Chrome browser. It covers the basics of using Google Chrome that is important for any beginner. Read More , as it’s built on the Chromium Browser. This is essentially the wholly open-source version of Chrome, with some proprietary components removed.

Astonishingly, the developers have even designed the logo to closely resemble the iconic Chrome “Spiral”.


But behavior-wise, it’s very similar to other malicious adware. It starts off by uninstalling the official version of Chrome. When you use it as a browser, eFast will track, and insert advertisements into every single webpage you visit. It’ll hijack your search traffic, and try to direct you to other malicious pages.

It also associates itself with a broad smorgasbord of file formats, perhaps in order to drive users to use it more. These formats are:

  • gif
  • htm
  • html
  • jpeg
  • jpg
  • pdf
  • png
  • shtml
  • webp
  • xht
  • xhtml

It also associates itself with the following URL associations:

  • ftp
  • http
  • https
  • irc
  • mailto
  • mms
  • news
  • nntp
  • sms
  • smsto
  • tel
  • urn
  • webcal

The motivations behind the eFast browser are, of course, purely financial.


Malware developers are overwhelmingly motivated by financial reasons What Motivates People To Hack Computers? Hint: Money Criminals can use technology to make money. You know this. But you would be surprised just how ingenious they can be, from hacking and reselling servers to reconfiguring them as lucrative Bitcoin miners. Read More , and this is no exception. In fact, it stands to earn the makers a decent amount of cash, as their adverts are displayed on every single website you visit. The vast potential for illicit money-making is what drives malware developers to target the browser.

The Attraction of The Browser

The browser has always painted an enticing target for malware developers, simply because of how we use it, and how often we use it. For many, their computing experience is based wholly in the browser.

At the very least, the vast majority of us use our web browsers for social networking, entertainment, and shopping. Beyond that, many more use it as for office productivity, with products like Google Drive having thoroughly supplanted Microsoft Office, and Gmail having all but replaced Outlook and Exchange.

Because the browser holds such an esteemed position, it presents an enticing opportunity for malware developers. At their most benign, they can simply insert unwanted adverts and hijack search traffic, but at their worst, they can steal passwords, credentials, and banking information.


Google, to their credit, have realized the threats posed to their own browser and have done their best to make it as secure as possible.

Each Chrome tab is tightly sandboxed, and Google have taken great pains to make it extremely hard for drive-by-downloads to take place. In May this year, Google took the decision to ban non-Web Store extensions. If you want to publish your own Chrome extension, it has to go through Google, and their rigorous code analysis.

As InfoSecTaylorSwift so saliently pointed out, Chrome is now so secure, the only way to attack the browser is to replace it.


Who’s Behind It?

By now, we know the eFast Browser comes with some pretty horrendous behavior, and we know that it’s being installed surreptitiously on people’s computers. But who actually made it?

A good starting point is to look at its digital certificate. This has been signed by “CLARALABSOFTWARE”, with “” listed as the associated domain name.

Their choice of name almost certainly wasn’t an accident. Not only does it closely resemble other tech companies (like UK ISP Claranet), it also sounds like what a legitimate tech company would call themselves.

I then queried their Whois record. This is a publicly-accessible record of who owns the site, and contains their contact information. However, it’s possible to “opt-out” of Whois by using a third-party obfuscation service, like WhoisGuard. Unsurprisingly, this is what they’ve done here.


So, I decided to visit the Clara Labs homepage (we’re not going to link to it directly), to see if I could find any identifiable information. It’s worth pointing out that when you visit it with Chrome, Google warns you not to continue further, and states it’s a known distributor of malware.


When I visited, the site was under a lot of strain, thanks to the traffic generated by the immense media interest that it’s seen over the past few days.

When it finally loaded, I was a little bit underwhelmed. Most of the content was the type of tedious web copy that’s guaranteed make your eyes glaze over. It mostly blathered on about “enriching the user experience” through their “smart ads platform”, almost as though people should be grateful.


More interestingly, it come with simple instructions on how to disable the built-in adverts:


Although, if you’re in the position where you’ve got it installed, you’d be much better off uninstalling it entirely.

There wasn’t much contact information on the site. There wasn’t anything that said who was running it, or what jurisdiction they were based in. There was no contact number, or postal address. There was an email address, however. I’ve got in touch and asked for a comment.


I’ll update this post if they reply, but I’m not getting my hopes up.

Getting Rid of eFast Browser

Do you think you’ve been infected? Well, there’s a simple test. Type “chrome://chrome” into the address bar. If you see something that says “About eFast”, then you’ve definitely been infected.

If it’s not there, but you’re still seeing strange behavior, your problem might come from another source. Download an anti-malware program, and do some investigation. We also have some generic advice on how to deal with hijacked browsers How To Clean A Hijacked Web Browser What's more frustrating than launching Firefox only to see that your homepage has been changed without your authorization? Maybe you've even got a shiny new toolbar. Those things are always useful, right? Wrong. Read More , and specifically how to un-hijack Chrome 3 Essential Steps To Get Rid Of Chrome Hijackers In Minutes Have you ever opened your browser of choice and been greeted with a bizarre-looking start page or an unsightly toolbar glued to the top of the page? Restore your browser to tip-top shape. Read More .

If you’re infected with eFast, you’d be wise to download MalwareBytes (which we first covered in 2009 Stop & Delete Spyware With Malwarebytes for Windows It may not be as feature-laden as Spybot Search and Destroy, which has a ridiculous number of tools, but it is a very lightweight alternative with good spyware coverage. Read More ). The developers of this were the ones who discovered eFast, and their anti-virus has the correct definitions to remove it.

Were you infected by eFast? Know anyone who was? Tell me about it in the comments below.

Image Credits:Red Devil’s hands by Alex Malikov via Shutterstock

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Anonymous
    October 21, 2015 at 1:08 pm

    Is eFast limited to Windows or is an equal opportunity malware capable of infecting a browser running under any O/S?

    • Matthew Hughes
      October 26, 2015 at 12:48 pm

      As far as I know, it's Windows exclusive.

  2. Anonymous
    October 20, 2015 at 5:18 pm

    Removing and reinstalling browsers is actually part of my cleanup process. I have a script that copies bookmarks and nukes everything else (or as much as I know of, since Chrome seems to like to dump settings all over the place), then calls scripts to grab clean copies of important packages.

    Honestly, if a computer has internet herpes, start over if possible. If you can't bear to do that, be aware that no cleaning is going to be a guaranteed fix for all issues.

    • Matthew Hughes
      October 26, 2015 at 12:49 pm

      Alternatively, install Faronics Deep Freeze and never worry about malware ever again.

      • Anonymous
        October 26, 2015 at 2:16 pm

        @Matthew Hughes,

        Deep Freeze is fine, but really only for machines where there's no expectation at all that the software state of the machine need change. It's not a bad solution for workstations in a location where they can be supported or managed, but it's kind of a non-starter for home systems or computers that get moved around.

        Microsoft shipped a technology called Steadystate that did the same thing, but it was only supported for Windows XP. Some brave souls have adapted it to Windows 7 via VHD files, but using that requires an Enterprise or Ultimate edition license and, as I understand the licensing, counts as a separate "seat" for licensing purposes.