According to reports, researchers found 500 malicious Google Chrome browser extensions. These extensions secretly upload the user’s private browsing data to a server that the attacker controls. At present, these browser extensions no longer exist. However, the malicious plugins have been downloaded millions of times from Google’s Chrome Web Store. Jamila Kaya and Jacob Rickerd of Duo Security are behind the discovery of these malicious extensions. They stated:
“These extensions usually provide advertising services, but we find that they are not so simple. We have collected dozens of extensions in cooperation with each other and identified 70 patterns that match the sample among 1.7 million users.”
These browser extensions mainly customize Web browsers, modify user interfaces, block advertisements, and manage cookies. According to the researchers, these specific extensions were actually part of a large-scale malicious advertising campaign that also collects browser data.
Malicious advertising is often used as a fraudulent activity to leak user data. Generally, criminals redirect users from legitimate online advertising streams to pages with malware. The researchers believe that the malicious activity behind these plugins has been active since January 2019. However, its activity became prevalent between March and June. After the researchers reported the 70 malicious extensions they first found to Google, the tech giant subsequently found 430 extensions related to the malicious advertising campaign. These extensions are barely rated in the Chrome Web Store, and their source code is almost identical.
Once users download them, these extensions connect the browser client to a command and control (C2) server. From there, they leak the user’s private browsing data without the user’s knowledge.
Google’s statement on these malicious extensions
A spokesperson for Google said: “We appreciate the work of the research community and when we receive reports of extensions that violate our policies, we take immediate action and use these incidents as training materials. We do this to improve our automated and manual analysis techniques.”