More than 500 malicious Chrome extensions have been removed from Google’s Web Store, all of which were discovered to be part of a large malvertising campaign. The extensions contained malicious ads and were siphoning users’ browsing data to suspicious servers. The findings come from a joint investigation carried out by security researcher Jamila Kaya and Duo Security.
How did the researchers come across the malicious Chrome extensions?
As explained by the researchers in their original report, Jamila Kaya contacted Duo Security about “a variety of Chrome extensions she identified to be operating in a manner that initially seemed legitimate”. Closer analysis, however, revealed that the extensions were infecting users’ browsers and exfiltrating data as part of a larger campaign. In fact, the extensions were part of a network of copycat browser plugins:
These extensions were commonly presented as offering advertising as a service. Jamila discovered they were part of a network of copycat plugins sharing nearly identical functionality. Through collaboration, we were able to take the few dozen extensions and utilize CRXcavator.io to identify 70 matching their patterns across 1.7 million users and escalate concerns to Google.
The good news is that Google responded quickly and took action immediately after being notified of the findings. Once the report was submitted, the researchers shared, the company validated the findings and went on to fingerprint the extensions. As a result of this cooperation, Google was able “to search the entire Chrome Web Store corpus to discover and remove more than 500 related extensions”.
We have covered many similar malicious browser extensions, and they target every popular browser (Firefox, Chrome, Opera, Internet Explorer, Safari, Edge, etc.). One example is the extension known as Maps Frontier.
Maps Frontier and similar programs reach a user’s computer in several ways. A common one is bundling: the extension is offered as an additional component in the installer of an unrelated freeware program, and users who click through the installer end up accepting it unintentionally.
However, malvertising is also an option, as pointed out by the researchers that uncovered the malicious extensions in Chrome Web Store:
Increasingly, malicious actors will use legitimate internet activity to obfuscate their exploit droppers or command and control schemas. A very popular way to do this is to utilize advertising cookies and the redirects therein to control callbacks and evade detection. This technique, called “malvertising”, has become an increasingly common infection vector in Jamila’s experience, and is still hard to detect today, despite being prominent for years.
The 70 extensions the researchers fingerprinted had been installed by more than 1.7 million users, which shows how effectively browser extensions can be used as an attack vector. “As part of good security hygiene, we recommend users regularly audit what extensions they have installed, remove ones they no longer use, and report ones they do not recognize,” the researchers conclude.
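The audit the researchers recommend can be scripted rather than done by clicking through chrome://extensions. The following Python script is an added example written for this article; it is not code from the Duo Security report or from Google. It reads a Chrome profile’s Preferences file (on Windows and macOS the extension records live in “Secure Preferences” in the same profile folder), walks the per-extension records under extensions.settings, and flags the traits that matter for the two installation paths described above: extensions that did not come from the Chrome Web Store or were installed by an external installer (the bundling route), and extensions that hold host permissions broad enough to read all browsing activity or that use request-interception APIs. The field names (manifest, from_webstore, location, state, granted_permissions) and the numeric location codes are taken from Chromium’s own profile format as this script was tested against it; treat them as assumptions and verify them against your Chromium version. The sample profile embedded at the bottom is constructed for the demo, so the script runs offline.

```python
"""Audit the extensions recorded in a Chrome profile's Preferences file.

Chrome keeps per-extension metadata under the JSON path
extensions.settings.<extension id>.  Assumption: the keys used below
(manifest, from_webstore, location, state, granted_permissions) and the
numeric Manifest::Location codes match your Chromium version.
"""
import json
import sys
from pathlib import Path

# Manifest::Location codes (assumption: taken from the Chromium source).
LOCATION_NAMES = {
    1: "internal (user installed)", 2: "external pref", 3: "external registry",
    4: "unpacked", 5: "component", 6: "external pref download",
    7: "external policy download", 8: "command line", 9: "external policy",
    10: "external component",
}
BUILT_IN = {5, 10}                      # shipped with the browser; skipped
EXTERNALLY_INSTALLED = {2, 3, 6, 7, 9}  # registry/pref/policy installs, i.e. bundling
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs that let an extension observe or rewrite traffic (assumption: chosen
# for this example, extend to taste).
SENSITIVE_APIS = {"webRequest", "webRequestBlocking", "proxy", "cookies", "history"}


def _host_patterns(info: dict) -> set:
    """Host match patterns from the manifest plus those Chrome has granted."""
    patterns = set(info.get("granted_permissions", {}).get("explicit_host", []))
    for perm in info.get("manifest", {}).get("permissions", []):
        if perm == "<all_urls>" or "://" in perm:
            patterns.add(perm)
    return patterns


def _api_permissions(info: dict) -> set:
    """API permission names from the manifest plus those Chrome has granted."""
    apis = set(info.get("granted_permissions", {}).get("api", []))
    for perm in info.get("manifest", {}).get("permissions", []):
        if perm != "<all_urls>" and "://" not in perm:
            apis.add(perm)
    return apis


def audit_extensions(prefs: dict) -> list:
    """Return one record per installed extension, most suspicious first."""
    settings = prefs.get("extensions", {}).get("settings", {})
    report = []
    for ext_id, info in settings.items():
        location = info.get("location")
        if location in BUILT_IN:
            continue
        flags = []
        if not info.get("from_webstore", False):
            flags.append("not from the Chrome Web Store")
        if location in EXTERNALLY_INSTALLED:
            flags.append(f"installed externally ({LOCATION_NAMES.get(location, location)})")
        if _host_patterns(info) & BROAD_HOSTS:
            flags.append("broad host access")
        sensitive = sorted(_api_permissions(info) & SENSITIVE_APIS)
        if sensitive:
            flags.append("sensitive API: " + ", ".join(sensitive))
        manifest = info.get("manifest", {})
        report.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "enabled": info.get("state") == 1,
            "location": LOCATION_NAMES.get(location, str(location)),
            "flags": flags,
        })
    report.sort(key=lambda r: (-len(r["flags"]), r["name"]))
    return report


def load_prefs(path: str) -> dict:
    return json.loads(Path(path).read_text(encoding="utf-8"))


# Constructed sample profile (not a real one): one benign extension, one
# Web Store extension that can see and block all traffic, one bundled
# installer extension, and one component extension that should be skipped.
SAMPLE_PREFS = {"extensions": {"settings": {
    "a" * 32: {"from_webstore": True, "location": 1, "state": 1,
               "manifest": {"name": "Good Notes", "version": "1.2.0", "permissions": ["storage"]},
               "granted_permissions": {"api": ["storage"], "explicit_host": []}},
    "b" * 32: {"from_webstore": True, "location": 1, "state": 1,
               "manifest": {"name": "Ad Helper", "version": "3.0.1",
                            "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"]},
               "granted_permissions": {"api": ["webRequest", "webRequestBlocking"],
                                       "explicit_host": ["<all_urls>"]}},
    "c" * 32: {"from_webstore": False, "location": 3, "state": 1,
               "manifest": {"name": "Bundled Toolbar", "version": "2.4",
                            "permissions": ["tabs", "http://*/*", "https://*/*"]},
               "granted_permissions": {"api": ["tabs"], "explicit_host": ["http://*/*", "https://*/*"]}},
    "d" * 32: {"location": 5, "state": 1,
               "manifest": {"name": "Built-in component", "version": "1.0", "permissions": []}},
}}}


def main(argv: list) -> None:
    prefs = load_prefs(argv[1]) if len(argv) > 1 else SAMPLE_PREFS
    for r in audit_extensions(prefs):
        marker = "!!" if r["flags"] else "  "
        state = "enabled" if r["enabled"] else "disabled"
        print(f"{marker} {r['id']} {r['name']} {r['version']} [{r['location']}] {state}")
        for f in r["flags"]:
            print(f"      - {f}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path to a profile’s Preferences (or Secure Preferences) file; with no argument it audits the constructed sample. An extension that is flagged is not necessarily malicious: ad blockers legitimately need webRequest on all hosts, and enterprise policy installs are external by design. The point is to produce a short list worth looking at by hand, and to notice entries that were never installed from the Web Store.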