Hello! I’ll keep this short and simple. Do not, under ANY circumstances, install the Chrome Web Store plugin named ‘RoTracker’ being advertised on the website. It is extremely malicious and has an automatic system to trick you into allowing your email, password, pin, etc. to be changed, logged to an email, and for your account to upload 10+ graphic images under games/shirts/ads/etc. to get you punished. They are deleting negative reviews. It is linked below, please report it.
De-obfuscated code from the malicious endpoints found by scraping the webserver https://raw--------.com (redacted for safety purposes, anyone who needs this can message me directly.)
Funny, I saw that ad on Roblox a few hours ago, it redirected to a random group. Could this be some sort of program meant to fool others into thinking legitimate users are advertising this extension instead of a bot account?
So this plugin is quite deep in terms of its functions, but here is a super simplified rundown:
Almost 24/7 the page is set to a part of the domain where it sends a friend request to this user for logging purposes: TestConce - Roblox
Every few hours or so, for a few minutes, the page is changed to a separate URL that does the following:
Checks if the user’s RAP is above 7,500 (I may have calculated the offset wrong)
If the above is true then it sends a friend request to another account here for logging: UserRapTest - Roblox
Sometimes it is also changed to the massive logger I found, which is the most malicious logger I have ever seen. It tries taking full control of the user’s account. Here are the most important features of it:
It gets you to verify 2auth to remove your pin, change your email and change your password
It runs an ad on your account for the plugin (that I showcased above)
It uploads graphic images as thumbnails for assets such as games on your account
All of this is done at a random time where the plugin just logs you out and hooks into the Roblox login page and adds a custom copycat frame to steal user data. This plugin is by far one of the most effort-packed designs I’ve seen in terms of malware. The best part is that the plugin WORKS as to disguise attention.
I don’t know how people keep falling for this so much. It wasn’t even that long ago that this exact same thing happened before. Do people just not learn from history or something?
I wasn’t hijacked, but more than 2,000 users were as of now and the number is growing (this user count was accumulated in the past 14 days). People aren’t as aware about security as you and I, especially little kids trying to join their favorite YouTuber (target audience of this phishing attack).
It’s probably because little kids want to meet someone like Flamingo in experience or another prolific YouTuber. These extensions promise to do that, so that’s why people install them. If an extension is promising to let you join another user who has their joins set to private, then it’s likely not legitimate.
So a clone of the plugin that was mostly used to harass people is a backdoor? Nice…
I’ve reached out to some Google contacts to get this removed ASAP.
EDIT: I’ve also found out the original plugin of this, called “RoFinder”, that was published in March 2023, is also still up, and has 30k+ installs. Kind of unbelievable that hasn’t been taken down. It’s definitely been reported more than enough with all the bad reviews it has. I’ve added this extension ID to my ticket to be removed from the Chrome store as well; the ticket, after being forwarded to the web store team shortly upon creation, is now under review, as of very recently.
Hello all, both RoFinder and RoTracker (which were the same thing under different names) have been removed from the Chrome Web Store. As a side note, please don’t install random extensions, especially from an ad, for this exact reason.
If Roblox cared in the slightest they’d have banned all the accounts in question.
Let’s see how many are banned…
Real_UserAd - Roblox - Real_UserAd - Not banned
UserRapTest - Roblox - UserRapTest - Not banned
mikki12lol123456 - Roblox - mikki12lol123456 - The account that is most important due to it being the one that all the stolen limiteds go to, and of course it’s not banned either.
It’s almost like, y’know, Roblox doesn’t read reports, much less actually care about user safety.
This is incorrect. I did not update the post; however, the extension was updated to use different accounts than the ones listed here and I subsequently reported those accounts to DevRel privately. Within 24 hours of each report all of the accounts (except 1 which was inactive for 8mo) were banned, therefore making the plugin defunct twice. Roblox did take proper initiative in this situation and were very swift to punish the malicious accounts.
Today the extension and its counterpart were removed from the Chrome Web Store and hopefully all of the affected users contacted Roblox and got their refunds/rollbacks. Thank you to all who helped spread the news, reported the extension, and kept others safe. Stay safe guys.
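For anyone checking whether a Chrome profile still has either extension installed, here is an added example that is not part of the thread or written by any of its posters. It scans a profile's Extensions folder for manifests whose display name contains "RoTracker" or "RoFinder", resolving localized `__MSG_…__` names; the function names and the sample profile it builds are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

FLAGGED = ("rotracker", "rofinder")  # extension names reported in this thread

def load_json(path):
    """Read a JSON object from disk; return {} if missing, unreadable or not an object."""
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def display_name(ext_dir, manifest):
    """Resolve a localized "__MSG_key__" name through _locales/<default_locale>."""
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[6:-2].lower()  # message keys are case-insensitive
    locale = str(manifest.get("default_locale", "en"))
    messages = load_json(ext_dir / "_locales" / locale / "messages.json")
    for k, v in messages.items():
        if k.lower() == key and isinstance(v, dict):
            return str(v.get("message", name))
    return name

def scan(extensions_root):
    """Walk <root>/<extension id>/<version>/manifest.json; return flagged (id, name) pairs."""
    hits = []
    for path in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        name = display_name(path.parent, load_json(path))
        if any(flag in name.lower() for flag in FLAGGED):
            hits.append((path.parent.parent.name, name))
    return hits

def build_constructed_profile(root):
    """Constructed sample data: fake IDs, one flagged and one harmless extension."""
    samples = {"a" * 32: ("__MSG_extName__", "RoTracker"), "b" * 32: ("Notes", None)}
    for ext_id, (name, localized) in samples.items():
        d = Path(root) / ext_id / "1.0_0"
        d.mkdir(parents=True)
        manifest = {"manifest_version": 3, "name": name, "version": "1.0", "default_locale": "en"}
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if localized:
            (d / "_locales" / "en").mkdir(parents=True)
            (d / "_locales" / "en" / "messages.json").write_text(
                json.dumps({"extName": {"message": localized}}), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_profile(tmp)
        print(scan(tmp))
```

To check a real profile, pass its Extensions directory to `scan`, for example `~/.config/google-chrome/Default/Extensions` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows. Matching on the name only catches the two names reported here, so a copy republished under a third name would not be flagged.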