More than three million Internet users are believed to have installed 15 Chrome and 13 Edge extensions containing malicious code, security company Avast said today.
The 28 extensions contained code that could perform various malicious operations. Avast said it found code to:
- redirect user traffic to ads
- redirect user traffic to phishing sites
- collect personal information such as birth dates, email addresses and active devices
- collect browsing history
- download more malware on a user’s device
But despite the presence of code that powers all of the above malicious functions, Avast researchers said they believe the primary goal of this campaign was to hijack user traffic for monetary gain.
“For every redirect to a third-party domain, cyber criminals would receive payment,” the company said.
Avast said it discovered the extensions last month and found evidence that some were already active since at least December 2018, when some users first started reporting issues with being redirected to other sites.
Jan Rubín, Malware Researcher at Avast, said they could not determine if the extensions were created with malicious code from scratch or if the code was added via an update as each extension passed a level of popularity.
And many extensions became very popular, with tens of thousands of installations. Most of them did that by posing as add-ons intended to help users download multimedia content from various social networks, such as Facebook, Instagram, Vimeo or Spotify.
Avast said it has reported its findings to both Google and Microsoft and that both companies are still investigating the extensions.
Google and Microsoft did not return a request for comment asking for additional information about the status of their investigation of the Avast report or whether the extensions would be removed.
Below is the list of Chrome extensions that Avast claims contain malicious code:
Below is the list of Edge extensions that Avast said contain malicious code:
Until Google or Microsoft decided what to do next, Avast advised users to uninstall and remove the extensions from their browser.