by Daniel Sim
Last week users of Plug in Speed got in touch to report some unusual goings-on in their shops. We investigated and were shocked by what we found.
Down the rabbit hole
However, we found these shops had a script that was pretending to be jQuery but was in fact very suspicious. It called itself 'jQuery' but did none of the things jQuery does.
What it was really doing was very obscure. All we know is that it tries to hide itself and sleeps for a lot of different requests, acting only when some very specific criteria are met. For those it makes a request to another website's product page.
Our best analysis is that this script is inflating visitor numbers on other shops. Want to see the script for yourself? We've saved the suspicious script here.
Eventually we tracked this script to a free Shopify app. The app developer was removed from the Shopify App Store (presumably for some shady behaviour like this!) but their apps were still active in many, many Shopify stores.
Even though this app and suspicious script were nothing to do with our app, we helped our Plug in Speed users clean it up for no charge.
How safe is a Shopify app?
When you install a Shopify app, it asks you for the permissions it requires to do its thing. These can be things like reading your products, manipulating your data or even modifying your entire theme.
Apps can have a lot of power! Granting an app permission to read and write your data and theme can impact both your business and your customers.
In the suspicious script we found above, the app in question had read/write theme permission. This allowed it to make any modifications it wanted to the theme, including adding scripts that do anything at all. Because it can modify the theme on demand, it can also avoid detection by appearing only at certain times of the day.
When we say the scripts can do anything at all, that covers a lot of different things. A bad app could aim to infect your visitors with malware, run a bitcoin miner, redirect to shady sites, fake traffic and more.
Researching trustworthy Shopify apps
The bottom line is that you should trust the app developer before installing an app on your shop. With thousands of apps to police, unfortunately even apps in the Shopify App Store (like the one we found) can hide suspicious behaviour.
- Read their Shopify app reviews, good and bad
- Visit their website
- Are there names and a company address, or is it just a faceless developer that could disappear 'into the night' after doing something malicious?
- Try contacting their support before installing to see how professional their response is
Protecting your Shopify store from malware
Prevention is the best protection. With so many apps available it's so tempting to install a bunch! But keep control of exactly what has access to your Shopify theme.
You can use a scanner like Sucuri to check if your shop is currently infected.
Google will pick this up pretty quickly too, so check their Safe Browsing search to make sure you haven't been flagged.
It could also be a developer working on your shop who either knowingly or unknowingly adds a malicious script. Make sure you only enable collaborator accounts and staff logins for as long as they need to do their work.
Keep regular backups of your theme so that you can go back to a clean version quickly and easily if required.
And finally, when an app or person asks you to add a script to your shop, do your due diligence on who is asking you to do that and why. Be very, very careful if they ask you to add it to your checkout pages (a generally unsupported customisation/hack on Shopify): this is potentially dangerous and can result in your customers' payment details being compromised.
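One way to put the theme backups recommended above to work, as an added example that is not part of the original post or any Shopify tooling: compare the script tags in a known-clean backup with the current theme and report anything new, singling out files named like jQuery but served from a host you don't expect. The trusted-host list, file names and sample theme contents are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts this shop expects to load scripts from; adjust per store.
TRUSTED_HOSTS = {"cdn.shopify.com", "code.jquery.com", "ajax.googleapis.com"}

# Matches the src attribute of a <script> tag, single- or double-quoted.
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\ssrc\s*=\s*([\"'])(.*?)\1", re.I | re.S)

def script_sources(theme):
    """Map each theme file name to the set of script URLs it references."""
    return {name: {m.group(2) for m in SCRIPT_SRC.finditer(text)}
            for name, text in theme.items()}

def host_of(src):
    # Themes often use protocol-relative URLs (//host/path).
    return urlparse("https:" + src if src.startswith("//") else src).hostname

def audit(backup, current):
    """Report script tags present in the current theme but not in the backup."""
    old = script_sources(backup)
    findings = []
    for name, srcs in script_sources(current).items():
        for src in sorted(srcs - old.get(name, set())):
            host = host_of(src)
            if host in TRUSTED_HOSTS:
                continue
            if host is None:
                reason = "new script with no fixed host (relative or Liquid URL): review by hand"
            elif "jquery" in src.lower():
                reason = "named like jQuery but served from an untrusted host"
            else:
                reason = "new script from an untrusted host"
            findings.append((name, src, reason))
    return findings

# Constructed sample themes: {file name: file contents}.
JQ = '<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>'
BACKUP = {"layout/theme.liquid": JQ}
CURRENT = {
    "layout/theme.liquid": JQ + '\n<script async src="//static.example.net/js/jquery.min.js"></script>',
    "snippets/widget.liquid": "<script src=\"{{ 'widget.js' | asset_url }}\"></script>",
}

if __name__ == "__main__":
    for finding in audit(BACKUP, CURRENT):
        print(" | ".join(finding))
```

Because an app with theme write access can add and remove its script on demand, a check like this is more useful run on a schedule against fresh theme exports than as a one-off.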
Thankfully malware and suspicious scripts on Shopify are pretty rare. We've been on the platform for years and have crossed paths with thousands of stores. By following the advice above you can keep your shop clean and malware-free.