
Google removes 500+ malicious Chrome extensions from the Web Store



A network of malicious Chrome extensions was injecting malicious ads in millions of Chrome installs.




Google has removed more than 500 malicious Chrome extensions from its official Web Store following a two-month-long investigation conducted by security researcher Jamila Kaya and Cisco's Duo Security team.


The removed extensions operated by injecting malicious ads (malvertising) inside users' browsing sessions.


The malicious code injected by the extensions activated under certain conditions and redirected users to specific sites. In some cases, the destination would be an affiliate link on legitimate sites like Macy's, Dell, or BestBuy; but in other instances, the destination link would be something malicious, such as a malware download site or a phishing page.


According to a report published today and shared with ZDNet, the extensions were part of a larger malware operation that's been active for at least two years.


The research team also believes the group who orchestrated this operation might have been active since the early 2010s.

Millions of users believed to be impacted

Responsible for unearthing this operation is Kaya. The researcher told ZDNet in an interview that she discovered the malicious extensions during routine threat hunting when she noticed visits to malicious sites that had a common URL pattern.


Leveraging CRXcavator, a service for analyzing Chrome extensions, Kaya discovered an initial cluster of extensions that ran on top of a nearly identical codebase, but used various generic names, with little information about their true purpose.



"Individually, I identified more than a dozen extensions that shared a pattern," Kaya told us. "Upon contacting Duo, we were able to quickly fingerprint them using CRXcavator's database and discover the entire network."


According to Duo, this first series of extensions had a total install count of more than 1.7 million Chrome users.


"We subsequently reached out to Google with our findings, who were receptive and collaborative in eliminating the extensions," Kaya told ZDNet.


After its own investigation, Google found even more extensions that fit the same pattern, and banned more than 500 extensions in total. It is unclear how many users had installed the 500+ malicious extensions, but the number is more than likely in the millions.

Extensions disabled in users' Chrome installs

Networks of malicious Chrome extensions have been unearthed in the past. Typically, these extensions inject legitimate ads inside a user's browsing session, with the extension operators earning revenue from showing ads. In all cases, the extensions try to be as non-intrusive as possible, so as not to alert users of a possible infection.


What stood out about this scheme was the use of "redirects" that often hijacked users away from their intended web destinations in a very noisy and abrasive manner that was hard to ignore or go unnoticed.


However, in the current state of the internet where many websites use similar advertising schemes with aggressive ads and redirects, many users didn't even bat an eye.


"While the redirects were incredibly noisy from the network side, no interviewed users reported too obtrusive of redirects," Kaya told ZDNet.


The extension IDs that were part of this scheme are listed in the Duo report. When Google banned the extensions from the official Web Store, it also deactivated them inside every user's browser, while also marking the extension as "malicious" so users would know to remove it and not reactivate it.



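The post above describes how the family was found: extensions under generic names running a nearly identical codebase, fingerprinted in bulk against CRXcavator's database. The script below is an added example (my own Python, not CRXcavator's, Duo's or Google's code) of the same two checks done offline on unpacked extension bundles: it hashes each extension's JavaScript after blanking string literals and stripping comments, so copycats that differ only in hostnames or cosmetic edits land in one family, and it lists the manifest permissions that grant page-wide read/rewrite and request-redirection capability. The three bundles, their IDs, names and hostnames are constructed for the example.

```python
"""Offline triage of Chrome extension bundles: cluster near-identical
codebases and list page-wide / request-interception permissions.
Added example; the sample bundles, IDs and hostnames are constructed."""
import hashlib
import json
import re

# Host patterns and API permissions that let an extension read or rewrite
# every page and intercept or redirect every request.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_API_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                   "tabs", "cookies", "webNavigation", "proxy"}

# One left-to-right scan: string literals become "", comments vanish.  Doing
# both in a single pass keeps a "//" inside a URL string from being read as a comment.
_TOKEN_RE = re.compile(
    r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|//[^\n]*|/\*.*?\*/', re.S)


def risky_permissions(manifest):
    """Permissions granting page-wide access, from MV2 'permissions' (which
    may hold host patterns), MV3 'host_permissions' and content_scripts matches."""
    declared = set(manifest.get("permissions", []))
    declared |= set(manifest.get("host_permissions", []))
    found = declared & (BROAD_HOSTS | RISKY_API_PERMS)
    for cs in manifest.get("content_scripts", []):
        found |= set(cs.get("matches", [])) & BROAD_HOSTS
    return found


def normalize_js(src):
    """Blank strings, drop comments, collapse whitespace: copycat variants that
    differ only in C2 hostnames, ad-stream URLs or cosmetic edits become equal.
    Heuristic only; regex literals and template strings are not handled."""
    src = _TOKEN_RE.sub(lambda m: '""' if m.group(0)[0] in "\"'" else "", src)
    return re.sub(r"\s+", " ", src).strip()


def codebase_fingerprint(files):
    """SHA-256 over the normalized .js files, ordered by filename."""
    h = hashlib.sha256()
    for name in sorted(files):
        if name.endswith(".js"):
            h.update(name.encode() + b"\0")
            h.update(normalize_js(files[name]).encode() + b"\0")
    return h.hexdigest()


def triage(extensions):
    """Group bundles by fingerprint; report families of two or more with the
    union of risky permissions they declare, largest install base first."""
    families = {}
    for ext in extensions:
        families.setdefault(codebase_fingerprint(ext["files"]), []).append(ext)
    report = []
    for fp, members in families.items():
        if len(members) < 2:
            continue
        perms = set().union(*(risky_permissions(m["manifest"]) for m in members))
        report.append({"fingerprint": fp[:16],
                       "ids": sorted(m["id"] for m in members),
                       "users": sum(m.get("users", 0) for m in members),
                       "risky_permissions": sorted(perms)})
    return sorted(report, key=lambda r: -r["users"])


# Constructed sample: two copycats that differ only in a hostname, a comment and
# spacing, plus one unrelated, narrowly scoped extension.  IDs are hypothetical.
_FAMILY_BG = (
    'const CFG_URL = "https://{host}/cfg";\n'
    'fetch(CFG_URL).then(r => r.json()).then(c => {{\n'
    '  chrome.webRequest.onBeforeRequest.addListener(\n'
    '    d => ({{redirectUrl: c.target + encodeURIComponent(d.url)}}),\n'
    '    {{urls: ["<all_urls>"], types: ["main_frame"]}}, ["blocking"]);\n'
    '}});\n')
_FAMILY_MANIFEST = {"manifest_version": 2,
                    "permissions": ["<all_urls>", "webRequest", "webRequestBlocking", "storage"],
                    "background": {"scripts": ["background.js"]}}
SAMPLE_EXTENSIONS = [
    {"id": "hypothetical-id-a", "users": 900000, "manifest": {**_FAMILY_MANIFEST, "name": "Ad Helper"},
     "files": {"background.js": _FAMILY_BG.format(host="a.example")}},
    {"id": "hypothetical-id-b", "users": 600000, "manifest": {**_FAMILY_MANIFEST, "name": "Page Tools"},
     "files": {"background.js": "/* build 2 */\n" + _FAMILY_BG.format(host="b.example").replace("\n", "\n\n")}},
    {"id": "hypothetical-id-c", "users": 1200,
     "manifest": {"manifest_version": 3, "name": "Docs Shortcut", "permissions": ["storage"],
                  "host_permissions": ["https://docs.example/*"], "action": {}},
     "files": {"background.js": 'chrome.action.onClicked.addListener(() => chrome.tabs.create({url: "https://docs.example/help"}));\n'}},
]


def run_sample():
    return triage(SAMPLE_EXTENSIONS)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Against real extensions, replace SAMPLE_EXTENSIONS with bundles read from a profile's Extensions directory (manifest.json plus the .js files it references). The normalizer is deliberately crude, so treat a fingerprint match as a lead to diff by hand rather than as proof of a shared operator; the permission check, by contrast, is a hard fact about what the extension could do to every page.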


500 Malicious Chrome Extensions Impact Millions of Users




The malicious Chrome extensions were secretly collecting users’ browser data and redirecting them to malware-laced websites:

Researchers say that 500 Google Chrome browser extensions were discovered secretly uploading private browsing data to attacker-controlled servers, and redirecting victims to malware-laced websites. The browser extensions, all of which have now been removed, were downloaded millions of times from Google’s Chrome Web Store.


Browser extensions are used for customizing web browsers, modifying user interfaces, blocking ads and managing cookies. But researchers said that the malicious extensions they discovered are instead part of a massive malvertising campaign that also harvested browser data. Malvertising is often used as a vehicle for fraudulent activity, including data exfiltration, phishing or ad fraud. In this particular instance, bad actors were redirecting victims from legitimate online ad streams to malware-laced pages.


“These extensions were commonly presented as offering advertising as a service,” according to Jamila Kaya, an independent security researcher, and Jacob Rickerd, with Duo Security, in a Thursday analysis. “[Security researcher Jamila Kaya] discovered they were part of a network of copycat plugins sharing nearly identical functionality. Through collaboration, we were able to take the few dozen extensions and… identify 70 matching their patterns across 1.7 million users and escalate concerns to Google.”


Researchers believe that the actor behind this campaign has been active since January 2019, with activity escalating between March and June. After researchers first identified 71 malicious extensions and reported their findings to Google, the tech giant then identified 430 additional extensions that were also linked to the malvertising campaign, they said. The extensions had almost no ratings on Google's Chrome Web Store, and their source code is nearly identical.


Once downloaded, the extensions would connect the browser clients to a command-and-control (C2) server and then exfiltrate private browsing data without the users’ knowledge, researchers said.


The extension would also redirect browsers to various domains with advertising streams. While a large portion of these ad streams were actually benign (leading to ads for Macy’s, Dell or Best Buy), these legitimate ad streams were coupled with malicious ad streams that redirected users to malware and phishing landing pages.


The campaign highlights various security issues that browser extensions can introduce, researchers said. In 2017, a malicious Google Chrome extension being spread in phishing emails stole any data posted online by victims. In 2018, four malicious extensions were discovered in the official Google Chrome Web Store with a combined user count of more than 500,000. And, in January, the Google Chrome and Mozilla Firefox teams cracked down on web browser extensions that stole user data and executed remote code, among other bad actions.




“Browser extensions are the Wild Wild West of the internet,” said Ameet Naik, security evangelist at PerimeterX, in an email. “There are approximately 200,000 extensions available on the Chrome store alone. What most users don’t realize is that extensions have full access to all of the data on a page including your email, banking information and credit card numbers. While many extensions provide value added services, there’s little to stop them from collecting and abusing user data.”


Google for its part has stepped up to the plate in its efforts to bar malicious extensions. The tech giant has implemented new user data privacy policy guidelines, requiring all extensions that handle user data to have a privacy policy, gain consent from the user, and only use the minimum required amount of permissions. Google has also implemented a program which will pay out bounties to researchers who find extensions that are violating this policy.


“We appreciate the work of the research community, and when we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” said a Google spokesperson in a statement. “We do regular sweeps to find extensions using similar techniques, code, and behaviors, and take down those extensions if they violate our policies.”



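Both posts make the same network-side point: the redirects were loud in traffic even when users shrugged them off, and the same hop sites fanned clients out to a mix of affiliate pages and malware or phishing landing pages. The script below is an added example (my own Python, not Duo's, Kaya's or any vendor's tooling) of pulling that signal out of proxy logs: it reconstructs per-client 30x chains and reports hop hosts that bounce several distinct clients to several distinct final destinations, which a single site's http-to-https redirect never does. The log lines, their field layout (timestamp client method url status location) and every hostname in them are constructed for the example.

```python
"""Find redirect brokers in proxy logs: hosts that bounce many distinct clients
through 30x chains fanning out to several final destinations.
Added example; the log lines, their layout and all hostnames are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

WINDOW_SECONDS = 10   # a Location must be fetched within this window to count as the next hop
MIN_CLIENTS = 2       # hop hosts seen from fewer distinct clients are not reported

# Constructed layout: timestamp client method url status location ('-' when absent)
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
                    r"(?P<url>\S+) (?P<status>\d{3}) (?P<location>\S+)$")


def parse_log(text):
    """Parse lines into dicts, skipping malformed ones instead of aborting."""
    recs = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["status"] = int(d["status"])
        d["location"] = None if d["location"] == "-" else d["location"]
        recs.append(d)
    return recs


def _is_redirect(r):
    return 300 <= r["status"] < 400 and r["location"] is not None


def _next_fetch(rs, idx, cur):
    """Index of the same client's next fetch of cur's Location inside the window."""
    for j in range(idx + 1, len(rs)):
        if (rs[j]["url"] == cur["location"]
                and (rs[j]["ts"] - cur["ts"]).total_seconds() <= WINDOW_SECONDS):
            return j
    return None


def build_chains(recs):
    """Per client, follow each chain head (a redirect nothing else redirected to)
    through the Locations that client fetched next; stop at the first non-3xx."""
    by_client = defaultdict(list)
    for r in recs:
        by_client[r["client"]].append(r)
    chains = []
    for client, rs in by_client.items():
        rs.sort(key=lambda r: r["ts"])
        pointed_to = {r["location"] for r in rs if _is_redirect(r)}
        for i, head in enumerate(rs):
            if not _is_redirect(head) or head["url"] in pointed_to:
                continue
            hops, cur, idx = [head], head, i
            while True:
                j = _next_fetch(rs, idx, cur)
                if j is None or not _is_redirect(rs[j]):
                    chains.append({"client": client, "hops": hops, "final": cur["location"]})
                    break
                hops.append(rs[j])
                cur, idx = rs[j], j
    return chains


def find_brokers(recs):
    """Aggregate hop hosts over all chains; flag those that carried >= MIN_CLIENTS
    clients to >= 2 distinct final hosts (a plain self-redirect never qualifies)."""
    clients, finals, paths = defaultdict(set), defaultdict(set), defaultdict(set)
    for ch in build_chains(recs):
        final_host = urlsplit(ch["final"]).hostname
        for hop in ch["hops"]:
            u = urlsplit(hop["url"])
            clients[u.hostname].add(ch["client"])
            finals[u.hostname].add(final_host)
            paths[u.hostname].add(u.path)
    report = [{"host": h, "clients": len(clients[h]), "paths": sorted(paths[h]),
               "final_hosts": sorted(finals[h])}
              for h in clients if len(clients[h]) >= MIN_CLIENTS and len(finals[h]) >= 2]
    return sorted(report, key=lambda r: r["host"])


# Constructed sample: three clients pushed through the same two-hop broker to
# different landing pages, one ordinary http->https redirect, one junk line.
SAMPLE_LOG = """
2020-02-10T12:00:01 10.1.1.5 GET https://news.example/article 200 -
2020-02-10T12:00:03 10.1.1.5 GET https://hop.example/r/?u=news 302 https://track.example/go?id=41
2020-02-10T12:00:03 10.1.1.5 GET https://track.example/go?id=41 302 https://shop.example/deal
2020-02-10T12:00:04 10.1.1.5 GET https://shop.example/deal 200 -
2020-02-10T12:05:10 10.1.1.9 GET https://hop.example/r/?u=blog 302 https://track.example/go?id=77
2020-02-10T12:05:11 10.1.1.9 GET https://track.example/go?id=77 302 https://dl.example/setup.exe
2020-02-10T12:05:12 10.1.1.9 GET https://dl.example/setup.exe 200 -
2020-02-10T12:09:00 10.1.1.7 GET http://site.example/ 301 https://site.example/
2020-02-10T12:09:00 10.1.1.7 GET https://site.example/ 200 -
2020-02-10T12:09:30 10.1.1.7 GET https://hop.example/r/?u=mail 302 https://track.example/go?id=12
2020-02-10T12:09:31 10.1.1.7 GET https://track.example/go?id=12 302 https://shop.example/deal
2020-02-10T12:09:32 10.1.1.7 GET https://shop.example/deal 200 -
malformed line that the parser skips
"""

if __name__ == "__main__":
    for row in find_brokers(parse_log(SAMPLE_LOG)):
        print(row)
```

The two thresholds are the knobs an analyst would tune: MIN_CLIENTS keeps one user's odd browsing from raising an alert, and the requirement of at least two distinct final hosts is what separates a broker from a site that merely redirects to itself. The paths column is there because the initial lead in this case was a shared URL pattern across otherwise unrelated hosts.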

Similar topics merged.


(Older news (Feb 14 in this case) is more likely to already have been posted. Please use Search, thanks.)
