September 25, 2020

Over 500 malicious Chrome extensions collected users’ data


After receiving feedback from security researchers, Google has removed more than 500 extensions that showed malicious behavior, such as redirecting ads and secretly uploading private data from millions of users.

Some of these malicious extensions had been available for many years, while others had been online only a short time. Together they have been downloaded 1.7 million times.

Google says the company will use machine learning and automated scanning to detect extensions, but this will not completely solve the problem of malicious extensions.


“Phishing warning” by Christiaan Colen is licensed under CC BY-SA 2.0

Security researcher Jamila Kaya and researchers from Cisco-owned Duo Security said:

“In the case reported here, the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users. This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users’ knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms.”

In analyzing the malicious behavior, researchers found that these extensions normally inject different ads when users open certain pages.

If users open an e-commerce shopping website, the extensions also hijack the visit and add rebate links, but these actions do not cause serious consequences.

After in-depth analysis, researchers found that these malicious extensions also hijack user traffic, redirecting users to phishing sites made by gangs.

If a user accidentally enters an account password or financial information on one of these phishing websites, the result may be a compromised account or credit card theft.

Google has now removed these extensions from users' browsers and from the store, and we also recommend that users do not install any unfamiliar extensions.