Almost a dozen malicious extensions with 1.7 million downloads in Google’s Chrome Web Store have the ability to track users, steal browser activity, and redirect them to potentially unsafe web addresses.
Despite this, most of the add-ons provide the advertised functionality and pose as legitimate tools like color pickers, VPNs, volume boosters, and emoji keyboards.
Researchers at Koi Security, a company that provides a platform for security self-provisioned software, discovered the malicious extensions in the Chrome Web Store and reported them to Google.
While some of the extensions no longer appear in the store, many of them still remain available.
Two of the Chrome extensions featuring tracking code
Source: BleepingComputer
Alarmingly, many of those extensions carry verification badges, display hundreds of positive reviews, and appear prominently on the Chrome Web Store, misleading users about their safety.
Users should check for the following add-ons in the Chrome browser and remove them as soon as possible:
- Color Picker, Eyedropper — Geco colorpick
- Emoji keyboard online — copy&paste your emoji
- Free Weather Forecast
- Video Speed Controller — Video manager
- Unlock Discord — VPN Proxy to Unblock Discord Anywhere
- Dark Theme — Dark Reader for Chrome
- Volume Max — Ultimate Sound Booster
- Unblock TikTok — Seamless Access with One-Click Proxy
- Unlock YouTube VPN
- Unlock TikTok
- Weather
One of them, Volume Max — Ultimate Sound Booster, drew attention last month when researchers at LayerX flagged it for its potential to spy on users; however, they could not confirm any malicious activity at the time.
Risky Chrome extension flagged by two security teams
Source: BleepingComputer
According to the researchers, the malicious functionality resides in the background service worker of each extension. It uses the Chrome Extensions API to register a listener that activates every time a user navigates to a new webpage.
This listener captures the URL of the visited page and sends the information to a remote server, along with a unique tracking ID for each user.
The server can then respond with redirection URLs, effectively hijacking the user’s browsing activity and potentially sending them to unsafe destinations that enable cyberattacks.
However, Koi Security did not observe malicious redirections during their testing, even though the possibility exists.
Furthermore, the malicious code did not exist in the initial versions of the extensions. Developers introduced it later through updates.
Google’s auto-update system silently delivers the newest versions to users without requiring any user approval or interaction.
As a result, some of these extensions likely remained safe for years before being hijacked or compromised by external actors who inserted the malicious code.
BleepingComputer contacted several publishers to ask about this possibility, but none have responded yet.
Before publishing this article, Koi Security researchers also discovered that cybercriminals planted malicious extensions in the official Microsoft Edge store, which shows a total of 600,000 downloads.
“Combined, these eighteen extensions have infected over 2.3 million users across both browsers, creating one of the largest browser hijacking operations we’ve documented,” the researchers say.
They recommend users immediately remove all listed extensions, clear browsing data to eliminate tracking identifiers, scan their systems for malware, and monitor their accounts for suspicious activity.
Source: BleepingComputer, Bill Toulas
Read more at Impreza News