Malicious extensions in the news again? Not really! Well, unfortunately, but you probably aren’t surprised at all and you certainly aren’t happy about it. In February, Google removed more than 500 malicious extensions from the Chrome Web Store that were ads across millions of Chrome browsing sessions. In June, Awake Security reported another 100 of 15,160 domains. Now, according to Avast, after they were first found by CZ.NIC, there are 15 more that users should delete right now!
Based on their recent findings, there are a total of 28 extensions (15 in Chrome and 13 in Edge), primarily targeting Facebook and Instagram usage scenarios, that instead redirect user traffic to ads and phishing sites and collect users’ personal information such as their birth dates, email addresses and active devices. Not only that, they also collect browsing data and they have the ability to download malware directly to a user’s device (but Chromebooks cannot receive malware)!
Avast researchers said they believe the extension developers have campaigned to hijack user traffic for monetary gain, stating that “for every redirection to a third-party domain, cyber criminals would receive payment.”
“Our hypothesis is that the extensions were either deliberately created with the built-in malware, or that the author waited for the extensions to become popular and then pushed an update with the malware,” said Avast researcher Jan Rubin. “It could also be that the author sold the original extensions to someone else after creating them and his client introduced the malware afterward.”
Avast blog
Apparently Avast’s Threat Intelligence team started tracking this threat back in November, but they think it could have been up and running for years as evidenced by some reviews of the extensions. The craziest thing is that most of these extensions are still available for download and since Avast notified Google of the issue, only a few have been removed from the web store, although they are said to be investigating them all at the moment.
This is not okay. Extensions have long been the weak link in the Chrome browser’s armor – it’s just a real security issue. To be fair, it’s difficult, if not nearly impossible, to master the experience when there’s so much input and influence from third parties and the Chrome Web Store basically feels like the Wild West. However, Google is doing a lot of work to change that, including creating some sort of ‘seal of approval’ for extensions that help mitigate privacy concerns, which will be implemented early next year, and even giving you direct control over what data an extension has access to and on which websites.
There’s no question that these problems will persist well into the New Year, and there’s certainly a lot of work to be done, so we’ll have to see what other creative solutions Google can come up with to wrestle extensions into submission. I would vote that we just remove them completely to fix the problem, but a lot of extensions like Honey, Toby, Stadia Enhanced, Cog, uBlock Origin, and more do real good for Chrome users and deserve to exist. This means that Google should instead be more careful with the situation and separate the sheep from the goats, so to speak, and that will take time.
Let me say here and now that if you have any of the following extensions installed on your computer, remove it immediately! Do not under any circumstances install the extensions below – we only link them so that you can fully verify their identity. You can view your extensions by typing chrome://extensions in your URL bar or omnibox above.