Security researchers reported a list of 295 Chrome extensions that hijack Google and Bing search results, and inject ads. The extensions have been installed by more than 80 million users of Google’s browser.
AdGuard security researchers recently came across the set of 295 Chrome extensions with potentially malicious behavior. The security company, which specialises in ad-blocking solutions, says that the fake extensions were available for download on the official Chrome Web Store.
The researchers have been investigating fake ad blockers, leading to the discovery of the 295 malicious Chrome extensions. Some of the extensions were presented as ad blockers, and others as weather forecast widgets and screenshot capture tools. Of the 295 extensions, 245 were found to be quite simple, with almost no function other than applying a custom background for new tab pages in the Chrome browser.
How Did the 295 Malicious Chrome Extensions Work?
According to AdGuard’s technical analysis, all of the utilities loaded malicious code from a particular domain (fly-analytics[.]com), and then injected ads within Google and Bing search results.
“This is the most large-scale group of malicious extensions from my experience. It includes 295 extensions with total number of 80 million users if we’re to believe Chrome Web Store data. This group is especially curious because of the measures they take to conceal their actions,” said one of the researchers from AdGuard’s team.
The issue with such extensions is that “Chrome Web Store is getting flooded with fake popular extensions clones with undeniably cheated number of active users”.
Some of the 295 malicious Chrome extensions include names such as “ScreenShot & Screen Capture Elite”, “Kawaii Wallpaper HD Custom New Tab”, “Shadow Of The Tomb Raider Wallpaper New Tab”, “Weather forecast for Chrome™”, “Unicorn Wallpaper HD Custom New Tab”, “Lil Pump HD New Tab”, “GTA 5 Grand Theft Auto”, etc.
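A defender-side check for the domain named in AdGuard's analysis, added here as an example and not taken from AdGuard or the original article: it walks an unpacked Chrome `Extensions` directory and lists the extensions whose files mention that domain. The on-disk layout, the function names and the sample tree are assumptions of this example, and because the researchers say these extensions take measures to conceal their actions, an empty result does not clear an extension.

```python
import json
import re
import sys
import tempfile
from pathlib import Path

IOC_DOMAIN = "fly-analytics.com"  # the page's domain, re-fanged for matching
# Whole-hostname match, case-insensitive; subdomains also match.
IOC_RE = re.compile(rb"(?<![\w-])" + re.escape(IOC_DOMAIN.encode()) + rb"(?![\w-])", re.I)
TEXT_SUFFIXES = {".js", ".json", ".html", ".htm"}

def scan_extensions(extensions_dir):
    """List unpacked extensions whose files reference IOC_DOMAIN.

    Assumes Chrome's layout: <extensions_dir>/<extension id>/<version>/manifest.json
    """
    findings = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        version_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            manifest = {}  # unreadable manifest: still scan the files
        name = manifest.get("name", "<unknown>") if isinstance(manifest, dict) else "<unknown>"
        hits = []
        for path in sorted(version_dir.rglob("*")):
            if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
                continue
            try:
                if IOC_RE.search(path.read_bytes()):
                    hits.append(path.relative_to(version_dir).as_posix())
            except OSError:
                continue  # unreadable file: skip it
        if hits:
            findings.append({"id": version_dir.parent.name, "version": version_dir.name,
                             "name": name, "files": hits})
    return findings

def build_constructed_sample(root):
    """Write a constructed one-extension tree so the script can run offline."""
    version_dir = Path(root) / ("a" * 32) / "1.0_0"
    version_dir.mkdir(parents=True)
    (version_dir / "manifest.json").write_text(json.dumps({"name": "Constructed New Tab"}))
    (version_dir / "bg.js").write_text(f'loadScript("//{IOC_DOMAIN}/constructed.js");')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample:
        if len(sys.argv) < 2:
            build_constructed_sample(sample)
        for f in scan_extensions(sys.argv[1] if len(sys.argv) > 1 else sample):
            print(f"{f['id']} {f['version']} {f['name']!r}: {', '.join(f['files'])}")
```

Run it with the path of a browser profile's `Extensions` directory as the only argument; with no argument it scans the constructed sample.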
How to Avoid Installing a Fake Browser Extension
Some general security tips include not installing browser extensions at all, or installing only extensions developed by trustworthy authors. In addition:
- Don’t believe what you read in the extension’s description.
- Reading the users’ reviews won’t help either. Most of the malicious extensions have excellent reviews and yet they are malicious.
- Don’t use the Chrome Web Store internal search; follow the links on the trusted developers’ websites directly, AdGuard advises.
Malicious Extensions on Chrome Web Store: Same Old Story
In February 2020, research revealed that more than 500 malicious Chrome extensions were removed from Google’s Web Store, all of which were discovered to be part of a large malvertising campaign. The extensions contained malicious ads and were siphoning users’ browsing data to suspicious servers. The findings came from a joint investigation carried out by security researcher Jamila Kaya and Duo Security.
As a result of this malvertising campaign, more than 1.7 million users were affected, showing the scale at which browser extensions can be utilized as an attack vector.
This is not the first time AdGuard researchers have come across malicious or fake ad-blocking extensions. In April 2018, the team revealed evidence that at least twenty million Chrome users had been tricked into downloading and installing rogue browser extensions disguised as ad-blocking software.