Malware, Threat Management

3 million users hit with infected Google Chrome and Microsoft Edge extensions

The Google logo adorns the outside of the Google building in New York City. (Drew Angerer/Getty Images)

Researchers at Avast Wednesday reported that some 3 million people may have been infected with malware hidden in at least 28 third-party Google Chrome and Microsoft Edge extensions associated with some of the world’s most popular platforms.

According to the researchers, the malware has the functionality to redirect user’s traffic to ads or phishing sites and to steal people’s personal data, such as birth dates, email addresses, and active devices.

The extensions hit by the malware include Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK Unblock, and other browser extensions on the Google Chrome browser and some on Microsoft’s Edge browser. The researchers have identified malicious code in the Javascript-based extensions that let the extensions download further malware onto a user’s PC. 

Avast’s threat intelligence team started monitoring this threat in November 2020, but believes that it could have been active for years without anyone noticing. They say there are reviews on the Chrome Web Store mentioning link hijacking from as far back as December 2018.

According to the researchers, users have also reported that these infected extensions are manipulating their internet experience and redirecting them to other websites. When a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit.

A user’s privacy gets compromised by this procedure, because a log of all clicks gets sent to these third-party intermediary websites. The actors also exfiltrate and collect the user’s birth dates, email addresses, and device information, including first sign-in time, last log-in time, name of the device, operating system, used browser and its version, and even IP addresses, which are potentially used to find the user’s approximate geographical location history.

Avast researchers believe the objective behind these activities is to monetize the traffic itself. For every redirection to a third-party domain, the cybercriminals would receive a payment. In addition, the extension also has the capability to redirect the users to ads or phishing sites. 

“Our hypothesis is that either the extensions were deliberately created with the malware built in, or the author waited for the extensions to become popular, and then pushed an update containing the malware,” said Jan Rubin, a malware researcher at Avast. “It could also be that the author sold the original extensions to someone else after creating them, and then the buyer introduced the malware afterwards.”

Austin Merritt, cyber threat intelligence analyst at Digital Shadows, added that when threat actors lure users into downloading browser extensions, they're rarely legitimate. Because Google Chrome accounts for about 70 percent of the browser market share, Merritt said using Chrome extensions to transfer malware has become an efficient tactic to target users. In response to the ongoing problem, in June 2020, Google removed 106 Chrome extensions that were secretly collecting sensitive user data. 

“Any time a user clicks on a link, the extensions send information about the click to an attacker's control server,” Merritt said. “This can include sensitive personal information that can later be monetized on cybercriminal marketplaces. Attackers can also monetize the traffic itself since extensions could realistically redirect users to pay-per-click advertisements or phishing pages.”

Reesha Dedhia, security evangelist at PerimeterX, said users should conduct an audit of their current Chrome browser extensions and uninstall any suspicious ones. She said it’s important for people to stay cautious and look for warning signs when downloading extensions in the future. Such warning signs include checking the popularity of the extensions, including number of users and reviews. Extensions with only a few hundred users, and few or no reviews, should be considered suspicious.

“Users should also pay close attention to the permissions and extension requests,” Dedhia said. “If it requires any privileged access, such as to read or change data, or access to a broad set of sites one visits, it might be best to pass. Users should also keep their browsers updated and use anti-virus and endpoint security solutions. Website owners should look for solutions that can actively detect, manage and block malicious browser extensions on the client side.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.