Fri. Aug 14th, 2020

Google, Mozilla & Microsoft removed malicious Dark Reader extensions


The developer of the well-known extension Dark Reader has previously found malicious clones of the extension in the Google, Firefox, and Microsoft browser stores.

The cloned version was uploaded to the browser stores under the Dark Reader name or a close approximation of it, and it passed the review of these browser developers.

The extension has been installed more than 2 million times on the Google Chrome platform alone. Because it is so popular, the multiple Dark Reader listings may also have been actively downloaded and installed by a large number of users.

The Google Chrome Web Store has the most extensions and has therefore experienced multiple security issues, mainly because some extensions pass review by encrypting or hiding their malicious code.

This time the target was the Dark Reader extension. The attacker made a cloned version containing hidden malicious code and uploaded it to the various browser stores for distribution.

To pass the approval of Firefox, Google, and Microsoft, the attacker gave the malicious script an image file extension and triggered it only five days after installation. As a result, the vast majority of users would not notice that there was a problem with the extension.
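A defender can check an unpacked extension for the disguise described above by comparing each image-named file against known image signatures. This is an added example, not code from Dark Reader or any browser vendor; the directory layout, file names and file contents are constructed samples.

```python
import os
import tempfile

IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".webp", ".bmp", ".ico"}
# Leading bytes of PNG, JPEG, GIF87a/89a, BMP and ICO files.
SIGNATURES = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a",
              b"BM", b"\x00\x00\x01\x00")

def looks_like_image(head):
    """True if the leading bytes match a known raster image signature."""
    if head.startswith(SIGNATURES):
        return True
    # WebP: RIFF container with "WEBP" at offset 8.
    return head[:4] == b"RIFF" and head[8:12] == b"WEBP"

def find_disguised_files(ext_dir):
    """Return relative paths of image-named files whose content is not an image."""
    suspicious = []
    for folder, _dirs, files in os.walk(ext_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTS:
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                head = fh.read(12)
            if not looks_like_image(head):
                rel = os.path.relpath(path, ext_dir)
                suspicious.append(rel.replace(os.sep, "/"))
    return sorted(suspicious)

def demo():
    """Build a constructed sample extension directory and scan it."""
    samples = {  # constructed contents, not taken from any real extension
        "manifest.json": b'{"name": "sample", "version": "1.0"}',
        "icons/icon-128.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "icons/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "icons/banner.png": b"(function(){ /* script text, not pixels */ })();",
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "icons"))
        for rel, data in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        return find_disguised_files(root)

if __name__ == "__main__":
    for hit in demo():
        print("not an image despite its extension:", hit)
```

The check only covers a renamed file: content appended after a valid image header, or hidden inside image data, passes it and needs a full image parse to detect.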

The developer contacted the browser developers immediately after discovering the problem, and the cloned version containing the malicious code has been completely removed from the various browser stores.

Users should also stay vigilant about browser extensions, because more and more attackers are now targeting browser platforms to try to steal user data.

The most common behaviors of malicious extensions include forcibly changing the homepage, tampering with the default search engine, hijacking pages with fake or pop-up advertisements, and stealing data.

This time, the malicious version of the Dark Reader extension was built to steal user data. It uses a fake form to monitor the web pages the user opens and sends the data to a designated server.