Malicious extensions for Chrome and Edge are still available for installation

by Emma Davis
December 19, 2020
Malicious extensions for Chrome and Edge
Written by Emma Davis

Malicious extensions for Google Chrome and Microsoft Edge continue to be found in the Chrome Web Store and Microsoft Edge Extension Store. Their total number of installations is over 3 million.

Malicious add-ons for Chrome and Edge steal user data and redirect users to fraudulent resources.

The malicious extensions detected by the Avast Threat Intelligence lab look like add-ons for Instagram, Facebook, Vimeo and other popular online platforms.

Avast discovered the extensions in November 2020, but the lab estimates that the threats could have been used for malicious purposes for several years. Several extension reviewers from the Chrome Web Store reported link spoofing cases back in December 2018.

Also, Avast researchers managed to detect malicious modules that are responsible for loading additional threats to target systems.

Every time a user clicks on a link, the extensions send information about the click to the attacker’s C&C server. That in turn can send a command to redirect the victim from the target website to the new captured URL before redirecting him to the desired web resource.the researchers report.

Attackers collect data about users’ dates of birth, email addresses and device information, including the time of the first login, the time of the last login, the device name, the operating system, the browser used, the browser version, and even the IP address (this data can be used to find the user’s approximate geographic location).

The ultimate goal of cybercriminals is to monetize user traffic by automatically redirecting to third-party domains.

Moreover, these extensions can also redirect users of infected systems to sites filled with advertisements or used as phishing landing pages.

Backdoors in extensions are very well hidden, and extensions only begin to exhibit malicious behaviour a few days after installation, making it difficult for any antivirus software to detect a threat.explained Jan Rubin, Avast malware researcher.

The malicious code is hidden inside the extensions, and this greatly complicates the task of detection for both researchers and infected users.

As one of the detection bypass tactics, the malware monitors what the victim is looking for and is not activated if it searches for information from one of its own domains.

The resulting infection can be avoided by web developers with sufficient knowledge of how to detect and study malicious background activity.

Avast provides a complete list of Chrome and Edge extensions that have been confirmed to have malicious activity:

  • Direct Message for Instagram
  • Direct Message for Instagram™
  • DM for Instagram
  • Invisible mode for Instagram Direct Message
  • Downloader for Instagram (1,000,000+ users)
  • Instagram Download Video & Image
  • App Phone for Instagram
  • App Phone for Instagram
  • Stories for Instagram
  • Universal Video Downloader
  • Universal Video Downloader
  • Video Downloader for FaceBook™
  • Video Downloader for FaceBook™
  • Vimeo™ Video Downloader (500,000+ users)
  • Vimeo™ Video Downloader
  • Volume Controller
  • Zoomer for Instagram and FaceBook
  • VK UnBlock. Works fast.
  • Odnoklassniki UnBlock. Works quickly.
  • Upload photo to Instagram™
  • Spotify Music Downloader
  • Stories for Instagram
  • Upload photo to Instagram™
  • Pretty Kitty, The Cat Pet
  • Video Downloader for YouTube
  • SoundCloud Music Downloader
  • The New York Times News
  • Instagram App with Direct Message DM
Our hypothesis is that these extensions were either originally created with malicious content, or the author waited for the extensions to gain some popularity and then released an update with malicious code. It is also possible a scenario where the author sold the original extensions to the attackers who added malicious content.also noted Yan Rubin.

Microsoft and Google are currently examining the findings of the Avast researchers. Until the extensions are removed, users should disable or uninstall extensions and then scan for malware on the system.

Let me remind you that Chrome has blocked some extensions due to data manipulation using cookie stuffing. And, for example, Microsoft will force opening some sites in Edge instead of Internet Explorer.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

View all posts

Leave a Reply

Sending