Malicious extensions for Google Chrome and Microsoft Edge continue to be found in the Chrome Web Store and Microsoft Edge Extension Store. Their total number of installations is over 3 million.
Malicious add-ons for Chrome and Edge steal user data and redirect users to fraudulent resources. The malicious extensions detected by the Avast Threat Intelligence lab look like add-ons for Instagram, Facebook, Vimeo and other popular online platforms.
Avast discovered the extensions in November 2020, but the lab estimates that the threats could have been used for malicious purposes for several years. Several extension reviewers from the Chrome Web Store reported link spoofing cases back in December 2018.
Also, Avast researchers managed to detect malicious modules that are responsible for loading additional threats to target systems.
Attackers collect data about users’ dates of birth, email addresses and device information, including the time of the first login, the time of the last login, the device name, the operating system, the browser used, the browser version, and even the IP address (this data can be used to find the user’s approximate geographic location).
The ultimate goal of cybercriminals is to monetize user traffic by automatically redirecting to third-party domains.
Moreover, these extensions can also redirect users of infected systems to sites filled with advertisements or used as phishing landing pages.
The malicious code is hidden inside the extensions, and this greatly complicates the task of detection for both researchers and infected users.
As one of its detection bypass tactics, the malware monitors what the victim is searching for and does not activate if the victim searches for one of the malware's own domains.
The resulting infection can be avoided by web developers with sufficient knowledge of how to detect and study malicious background activity.
Avast provides a complete list of Chrome and Edge extensions that have been confirmed to have malicious activity:
- Direct Message for Instagram
- Direct Message for Instagram™
- DM for Instagram
- Invisible mode for Instagram Direct Message
- Downloader for Instagram (1,000,000+ users)
- Instagram Download Video & Image
- App Phone for Instagram
- App Phone for Instagram
- Stories for Instagram
- Universal Video Downloader
- Universal Video Downloader
- Video Downloader for FaceBook™
- Video Downloader for FaceBook™
- Vimeo™ Video Downloader (500,000+ users)
- Vimeo™ Video Downloader
- Volume Controller
- Zoomer for Instagram and FaceBook
- VK UnBlock. Works fast.
- Odnoklassniki UnBlock. Works quickly.
- Upload photo to Instagram™
- Spotify Music Downloader
- Stories for Instagram
- Upload photo to Instagram™
- Pretty Kitty, The Cat Pet
- Video Downloader for YouTube
- SoundCloud Music Downloader
- The New York Times News
- Instagram App with Direct Message DM
Microsoft and Google are currently examining the findings of the Avast researchers. Until the extensions are removed from the stores, users should disable or uninstall the listed extensions and then scan their systems for malware.
Let me remind you that Chrome has blocked some extensions due to data manipulation using cookie stuffing. And, for example, Microsoft will force opening some sites in Edge instead of Internet Explorer.