Google has removed more than 500 malicious Chrome extensions from its official Web Store. The removals followed a two-month investigation by security researcher Jamila Kaya and Cisco's Duo Security team.
The removed extensions operated by injecting malicious ads (malvertising) into users' browsing sessions. The injected code activated only under certain conditions and then redirected users to specific sites. The destination was either an affiliate link on a legitimate site or something outright malicious, such as a malware download site or a phishing page.
According to Duo's report, the extensions were part of a larger malware operation that had been active for at least two years. The research team believes the group behind it may have been operating since the early 2010s.
Kaya said she discovered the malicious extensions during routine threat hunting, when she noticed visits to malicious sites that shared a common URL pattern.
Using CRXcavator, a service for analyzing Chrome extensions, Kaya found an initial cluster of extensions that ran on a nearly identical codebase but used various generic names and gave little information about their true purpose. She identified more than a dozen extensions that shared this pattern; after she contacted Duo, the joint investigation uncovered the entire network.
According to Duo, this first batch of extensions had been installed by more than 1.7 million Chrome users. When contacted, Google deleted all of them.
On further investigation Google found more extensions sharing the same pattern and banned more than 500 extensions in total. The combined install count for all of these extensions is not known but is believed to be in the millions.
Most of the time the extensions simply inserted legitimate ads into a user's browsing session, with the operators profiting from the ad impressions.
The striking feature of the scheme was its use of redirects, which hijacked users away from their intended destinations in a noisy and intrusive manner that was hard to ignore.
The Duo report lists the extension IDs that were part of the scheme. Besides banning the extensions from the official Web Store, Google also deactivated them inside every user's browser and marked them as "malicious" so that users would know to remove them and not reactivate them.
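For an incident responder who wants to confirm on a given endpoint whether any blocklisted extension is (or was) installed, the on-disk check is straightforward: Chrome stores each installed extension under `<profile>/Extensions/<extension id>/<version>/manifest.json`, so walking that tree and comparing IDs against the list from the Duo report gives an inventory independent of Google's server-side kill switch. The script below is an added example, not code from the Duo report or from Google; the blocklist IDs in it are constructed placeholders (real IDs are 32 characters from the letters a-p, and the real list is in the report), and `build_sample_profile()` creates a throwaway fixture directory so the example runs offline. Point `scan_profile()` at a real profile such as `~/.config/google-chrome/Default` on Linux to use it for real.

```python
import json
import tempfile
from pathlib import Path

# Placeholder IDs (constructed for this example, NOT from the Duo report).
# Real Chrome extension IDs are 32 characters drawn from the letters a-p.
BLOCKLIST = {
    "abcdefghijklmnopabcdefghijklmnop",
    "ponmlkjihgfedcbaponmlkjihgfedcba",
}


def load_manifest(path):
    """Parse one extension manifest.json; caller handles failures."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def scan_profile(profile_dir, blocklist=BLOCKLIST):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json, Chrome's on-disk
    layout for installed extensions, and return one record per installed
    version, flagged when the extension ID is on the blocklist."""
    ext_root = Path(profile_dir) / "Extensions"
    results = []
    if not ext_root.is_dir():
        return results
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        ext_id = ext_dir.name
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest_path = ver_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                manifest = load_manifest(manifest_path)
            except (OSError, ValueError):
                # Unreadable or corrupt manifest: still record the ID,
                # since the directory itself is evidence of installation.
                manifest = {}
            results.append({
                "id": ext_id,
                "version": manifest.get("version", ver_dir.name),
                "name": manifest.get("name", "<unknown>"),
                "permissions": manifest.get("permissions", []),
                "flagged": ext_id in blocklist,
            })
    return results


def flagged_ids(profile_dir, blocklist=BLOCKLIST):
    """Sorted, de-duplicated list of blocklisted IDs present in the profile."""
    return sorted({r["id"] for r in scan_profile(profile_dir, blocklist)
                   if r["flagged"]})


def build_sample_profile():
    """Constructed fixture: a temp directory laid out like a Chrome profile
    with one blocklisted and one benign extension."""
    root = Path(tempfile.mkdtemp(prefix="chrome-profile-"))
    fixtures = {
        ("abcdefghijklmnopabcdefghijklmnop", "1.0.3_0"): {
            "manifest_version": 2, "name": "Page Helper", "version": "1.0.3",
            "permissions": ["<all_urls>", "webRequest", "tabs"],
        },
        ("bbbbccccddddeeeeffffgggghhhhiiii", "4.2.0_0"): {
            "manifest_version": 3, "name": "Tab Counter", "version": "4.2.0",
            "permissions": ["tabs"],
        },
    }
    for (ext_id, ver), manifest in fixtures.items():
        d = root / "Extensions" / ext_id / ver
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    profile = build_sample_profile()
    for rec in scan_profile(profile):
        tag = "BLOCKLISTED" if rec["flagged"] else "ok"
        print(f'{rec["id"]} {rec["name"]!r} v{rec["version"]} [{tag}]')
```

Because the extension directory survives on disk until the user removes the extension, this also catches installs that Google has already remotely disabled, which is what you want when building a timeline of exposure. The `permissions` field is carried along so a reviewer can see at a glance whether a flagged extension had the broad host access needed to inject ads into arbitrary pages.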