Have you been using The Great Suspender Chrome extension? If so, you should be aware that the extension was found to contain malware. Google has already removed the popular add-on and even deactivated it on users’ computers.
The Malicious Capabilities of The Great Suspender Extension
According to a GitHub post by Calum McConnell, the old maintainer of The Great Suspender most likely sold the extension to unknown parties with intent to exploit users in advertising fraud, tracking, etc.
In v7.1.8 of the extension (published to the web store but NOT to GitHub), arbitrary code was executed from a remote server, which appeared to be used to commit a variety of tracking and fraud actions. After Microsoft removed it from Edge for malware, v7.1.9 was created without this code: that has been the code running since November, and it does not appear to load the compromised script. The malicious maintainer remains in control, however, and can introduce an update at any time. Well, they could until Google nuked the extension from their store, the researcher explained.
The extension had more than two million installations. Its original purpose was to suspend tabs that aren’t in use and replace them with a blank grey screen before they were reloaded. The extension began behaving maliciously last November, resulting in Microsoft blocking it on its Edge browser. The blocked version was 7.1.8.
It appears that the original developer, Dean Oemcke, sold the extension to an unknown party in June last year. Two new versions were released in the Chrome Web Store shortly after the purchase.
If you wish to continue using the extension with its original intent, you can download version 7.1.6 from GitHub. Note that you need to enable Chrome Developer mode in order to use it.
However, enabling developer mode carries risks of its own, as threat actors can abuse the Chrome sync feature to bypass firewalls and exfiltrate data. The new attack vector was discovered by security researcher Bojan Zdrnja. You can read more about his discovery in the technical write-up.
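Before loading an unpacked copy in developer mode, its manifest.json can be checked against the versions named above and for settings that permit remote script. This is an added example, not code from the extension or the GitHub post; the sample manifest, its name and the cdn.example.invalid origin are constructed, and a relaxed content security policy is assumed here as one way remote script gets allowed, not taken from the report on v7.1.8.

```python
import json
import re

# Versions named in the article: 7.1.8 ran remote code, 7.1.9 followed the sale.
FLAGGED_VERSIONS = {
    "7.1.8": "version reported to execute code from a remote server",
    "7.1.9": "published while the new maintainer controlled updates",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def script_sources(manifest):
    """Return script-src tokens from an MV2 (string) or MV3 (dict) CSP."""
    csp = manifest.get("content_security_policy", "")
    policies = csp.values() if isinstance(csp, dict) else [csp]
    tokens = []
    for policy in policies:
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "script-src":
                tokens.extend(parts[1:])
    return tokens


def audit_manifest(text):
    """Return review findings for the text of one manifest.json."""
    manifest = json.loads(text)
    findings = []
    version = str(manifest.get("version", ""))
    if version in FLAGGED_VERSIONS:
        findings.append(f"version {version}: {FLAGGED_VERSIONS[version]}")
    for token in script_sources(manifest):
        if re.match(r"(?i)^(https?:|wss?:|\*)", token):
            findings.append(f"CSP allows remote script origin {token}")
        elif token.lower() == "'unsafe-eval'":
            findings.append("CSP allows 'unsafe-eval'")
    hosts = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    for perm in hosts:
        if isinstance(perm, str) and perm in BROAD_HOSTS:
            findings.append(f"broad host permission {perm}")
    return findings


# Constructed sample manifest (not the real extension's file).
SAMPLE = json.dumps({
    "name": "Example Tab Suspender", "version": "7.1.8", "manifest_version": 2,
    "permissions": ["tabs", "storage", "http://*/*", "https://*/*"],
    "content_security_policy":
        "script-src 'self' https://cdn.example.invalid; object-src 'self'",
})
```

The findings are items to review rather than a verdict: broad host permissions, for instance, are also requested by legitimate extensions that must act on every tab.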
Last year, security researchers reported a list of 295 malicious Chrome extensions that hijacked Google and Bing search results to inject ads. The extensions were installed by more than 80 million Chrome users. Some of those malicious Chrome extensions included names such as “ScreenShot & Screen Capture Elite”, “Kawaii Wallpaper HD Custom New Tab”, “Shadow Of The Tomb Raider Wallpaper New Tab”, “Weather forecast for Chrome™”, “Unicorn Wallpaper HD Custom New Tab”, “Lil Pump HD New Tab”, “GTA 5 Grand Theft Auto.”