Google routinely screens the Chrome Web Store for extensions that harm its users, yet a campaign of more than 500 malicious extensions still slipped through. Google removed them after security researchers uncovered an operation that injected unwanted ads and redirects into users' browsing sessions.
Security researcher Jamila Kaya and Cisco's Duo Security team spent two months investigating the extensions, and their findings led Google to remove more than 500 of them from the Web Store. The extensions redirected users through a chain of domains, landing them either on legitimate sites such as Macy's, Dell or Best Buy via affiliate links, or on malware download and phishing pages. The malicious code activated only under specific conditions and then redirected users mid-session.
At first glance the extensions appeared legitimate, but once installed they compromised users' browsers and stole sensitive data.
Malicious Chrome Extensions: 500 Plus
Jamila Kaya and Cisco Duo worked together using Duo's free extension-analysis tool, CRXcavator, which uncovered the full extent of the malicious extension network. In Duo's words, they were able to "utilize CRXcavator.io to identify 70 matching patterns across 1.7 million users and escalate concerns to Google".
“Individually, I identified more than a dozen extensions that shared a pattern,” Kaya said in a report. “Upon contacting Duo, we were able to quickly fingerprint them using CRXcavator’s database and discover the entire network.”
CRXcavator is a Chrome extension security assessment tool that analyses an extension and reports the risks associated with it, such as the permissions it requests. Before installing an extension, users can look it up on CRXcavator by extension ID and read the full report.
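To make concrete what a permission-based risk assessment looks like, here is an added example (not CRXcavator's code or scoring model, and not from the Duo report): a small Python scorer that reads an extension's manifest.json, weights the dangerous permissions it requests, flags a relaxed content security policy, and walks a local Chrome profile's Extensions directory. The risk weights, thresholds and the two sample manifests below are this example's own assumptions, constructed for illustration.

```python
import json
import os
import re

# Weights are assumptions for this example; they are NOT CRXcavator's model.
# Host permissions and request-interception APIs are what an ad-injecting
# or redirecting extension needs, so they score highest.
RISK_WEIGHTS = {
    "<all_urls>": 40, "*://*/*": 40, "http://*/*": 30, "https://*/*": 30,
    "debugger": 40, "proxy": 30, "webRequestBlocking": 25, "nativeMessaging": 25,
    "webRequest": 20, "cookies": 20, "management": 20, "history": 15, "tabs": 10,
}


def score_manifest(manifest):
    """Return (score, findings) for one parsed manifest.json dict."""
    score, findings = 0, []
    requested = []
    for key in ("permissions", "optional_permissions", "host_permissions"):
        requested.extend(manifest.get(key, []))
    for perm in requested:
        weight = RISK_WEIGHTS.get(perm, 0)
        if weight:
            score += weight
            findings.append(f"permission {perm!r} (+{weight})")

    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):          # Manifest V3 stores CSP as an object
        csp = csp.get("extension_pages", "")
    if "'unsafe-eval'" in csp:          # eval() lets the extension run fetched code
        score += 20
        findings.append("CSP allows 'unsafe-eval' (+20)")
    if re.search(r"script-src[^;]*https?://", csp):   # remotely hosted scripts
        score += 15
        findings.append("CSP allows remotely hosted scripts (+15)")
    return score, findings


def classify(score):
    """Map a numeric score to a risk level (thresholds are assumptions)."""
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


def scan_profile(extensions_dir):
    """Walk Chrome's Extensions/<id>/<version>/manifest.json layout."""
    results = []
    for root, _dirs, files in os.walk(extensions_dir):
        if "manifest.json" not in files:
            continue
        with open(os.path.join(root, "manifest.json"), encoding="utf-8") as fh:
            manifest = json.load(fh)
        ext_id = os.path.relpath(root, extensions_dir).split(os.sep)[0]
        score, findings = score_manifest(manifest)
        results.append((ext_id, manifest.get("name", "?"), score, classify(score), findings))
    return sorted(results, key=lambda r: -r[2])


# Constructed sample manifests for illustration (not real extensions).
BENIGN_MANIFEST = {
    "name": "Note Taker", "manifest_version": 2,
    "permissions": ["storage", "activeTab"],
}
SUSPICIOUS_MANIFEST = {
    "name": "Coupon Finder", "manifest_version": 2,
    "permissions": ["storage", "tabs", "cookies", "webRequest",
                    "webRequestBlocking", "<all_urls>"],
    "content_security_policy":
        "script-src 'self' 'unsafe-eval' https://cdn.example; object-src 'self'",
}

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        s, f = score_manifest(m)
        print(m["name"], s, classify(s), f)
```

Point `scan_profile()` at a profile's Extensions folder (on Linux typically `~/.config/google-chrome/Default/Extensions`) to rank everything installed; an extension whose stated purpose does not need `<all_urls>` plus `webRequestBlocking` deserves a closer look regardless of its score.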
According to Cisco's report, once installed the malicious extensions connect the "browser client to a command and control architecture, exfiltrate private browsing data without the user's knowledge, expose the user to the risk of exploit through advertising streams, and attempt to evade the Chrome Web Store's fraud detection mechanisms".
"We subsequently reached out to Google with our findings, who were receptive and collaborative in eliminating the extensions," Kaya said.
The extensions earn revenue for their operators by pushing large volumes of ads at users. In other cases they go further, manipulating the browser without alerting the user.
"While the redirects were incredibly noisy from the network side, no interviewed users reported too obtrusive of redirects," Kaya said.
The campaign's primary activity was ad fraud, carried out by redirecting users through a series of domains. A large portion of the ad stream redirected to legitimate sites such as Dell, Macy's and Best Buy, while the rest led to malicious sites.
The researchers believe the campaign had been running for months, since at least January 2019, and was growing rapidly.
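Because the redirects were "noisy from the network side", a proxy or egress log is a natural place to detect this kind of extension even when users notice nothing. The following is an added example (not from the Duo report or any real tool) of detection logic that reconstructs redirect chains per client from proxy log lines and flags chains with several 3xx hops in quick succession. The log format, hostnames and timestamps are constructed for illustration; real proxy logs will need their own parser, and the thresholds are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp client method url status location
# ("-" means no Location header). Hostnames are made up for this example.
LOG_LINES = """\
2020-02-13T10:00:00Z 10.0.0.5 GET http://news.example/ 200 -
2020-02-13T10:00:01Z 10.0.0.5 GET http://ads-one.example/click?id=7 302 http://track-two.example/r?u=7
2020-02-13T10:00:01Z 10.0.0.9 GET http://intranet.example/ 200 -
2020-02-13T10:00:02Z 10.0.0.5 GET http://track-two.example/r?u=7 302 http://redir-three.example/go
2020-02-13T10:00:02Z 10.0.0.5 GET http://redir-three.example/go 302 https://shop.example/?affid=123
2020-02-13T10:00:03Z 10.0.0.5 GET https://shop.example/?affid=123 200 -
2020-02-13T10:00:40Z 10.0.0.9 GET http://intranet.example/login 302 http://intranet.example/home
2020-02-13T10:00:41Z 10.0.0.9 GET http://intranet.example/home 200 -
""".splitlines()


def parse_line(line):
    """Parse one constructed log line into a record dict."""
    ts, client, method, url, status, location = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client, "method": method, "url": url,
        "status": int(status),
        "location": None if location == "-" else location,
    }


def _is_redirect(rec):
    return 300 <= rec["status"] < 400


def _summarize(client, chain, min_hops):
    """Return a finding for a chain with at least min_hops redirects, else None."""
    hops = sum(1 for r in chain if _is_redirect(r))
    if hops < min_hops:
        return None
    return {
        "client": client,
        "hops": hops,
        "hosts": [urlsplit(r["url"]).hostname for r in chain],
        "start": chain[0]["ts"].isoformat(),
    }


def find_redirect_chains(lines, min_hops=3, max_gap=timedelta(seconds=5)):
    """Link each request to the previous response's Location for the same
    client and report chains of min_hops or more redirects (thresholds are
    assumptions for this example)."""
    by_client = {}
    for rec in map(parse_line, lines):
        by_client.setdefault(rec["client"], []).append(rec)

    findings = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        chain = []
        for rec in recs:
            prev = chain[-1] if chain else None
            if prev and prev["location"] == rec["url"] and rec["ts"] - prev["ts"] <= max_gap:
                chain.append(rec)          # this request follows the last redirect
                continue
            finding = _summarize(client, chain, min_hops)
            if finding:
                findings.append(finding)
            chain = [rec] if _is_redirect(rec) else []   # a chain starts at a 3xx
        finding = _summarize(client, chain, min_hops)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_redirect_chains(LOG_LINES):
        print(f["client"], f["hops"], " -> ".join(f["hosts"]))
```

The single-hop login redirect on the second client is ignored, while the three-hop chain through the ad and tracking hosts to an affiliate landing page is reported; pivoting on the intermediate hosts across many clients is what reveals a shared extension network rather than one user's bad click.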
All affected extension IDs are listed in the Duo report. Google has already deactivated the extensions, so they can no longer be installed from the Web Store; anyone who installed one earlier should check chrome://extensions and remove it.
We hope this makes you more aware of malware hiding in Chrome extensions. If you have any suggestions or recommendations, feel free to mention them in the comments section below.