Up to 3 million devices infected by Chrome and Edge add-ons with malware


As many as 3 million people have been infected by Chrome and Edge browser extensions that steal personal information and redirect users to ad or phishing sites, a security company said Wednesday.

In total, researchers from Prague-based Avast said they found 28 extensions for the Google Chrome and Microsoft Edge browsers that contained malware. The add-ons billed themselves as a way to download images, videos or other content from sites such as Facebook, Instagram, Vimeo, and Spotify. At the time this post went live, some, but not all, malicious extensions remained available for download from Google and Microsoft.

Avast researchers found malicious code in the JavaScript-based extensions that allows them to download malware to an infected computer. In a post, the researchers wrote:

Users have also reported that these extensions manipulate their internet experience and redirect them to other websites. Each time a user clicks a link, the extensions send information about the click to the attacker’s monitoring server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting to the actual website they wanted to visit. The user’s privacy is compromised by this procedure as a log of all clicks is sent to these intermediate third-party websites. The actors also exfiltrate and collect the user’s birth dates, email addresses and device information, including time for first login, last time for login, device name, operating system, browser used and its version, even IP addresses (which can be used to find the user’s estimated geographic location history).

The researchers don’t yet know whether the extensions shipped with the malicious code from the start or whether the developers waited for the extensions to reach a critical mass of users and then pushed a malicious update. It is also possible that legitimate developers created the add-ons and then unknowingly sold them to someone who intended to use them maliciously.

A recurring problem

In recent years, third-party add-ons have become a common means of infecting people with malware and adware. Last year, a researcher discovered Chrome and Firefox extensions that collected and published the browsing history of an estimated 4 million people.

The data revealed proprietary information from some of the biggest names in technology, including Tesla, Trend Micro, Symantec and Blue Origin. Individuals’ tax returns, doctor’s appointment schedules and other personal information also came to light.

In at least one extension tampering case, malicious code was inserted into extensions after attackers gained access to legitimate developers’ accounts. In other cases, the extensions were published by developers who managed to bypass the vetting processes that browser makers use in an attempt to block abusive or malicious add-ons.

Google and Microsoft did not immediately respond to an email asking if the companies intended to remove the extensions reported by Avast.

The extensions reported by Avast are:

  • Direct message for Instagram
  • Direct message for Instagram
  • DM for Instagram
  • Invisible mode for Instagram Direct Message
  • Downloader for Instagram
  • Instagram Download video and image
  • App phone for Instagram
  • App phone for Instagram
  • Stories for Instagram
  • Universal video downloader
  • Universal video downloader
  • Video Downloader for FaceBook
  • Video Downloader for FaceBook
  • Vimeo Video Downloader
  • Vimeo Video Downloader
  • Volume control
  • Zoomer for Instagram and FaceBook
  • Unlock VK. Works fast.
  • Unlock Odnoklassniki. Works fast.
  • Upload photo to Instagram
  • Spotify Music Downloader
  • Stories for Instagram
  • Upload photo to Instagram
  • Pretty Kitty, The Cat Pet
  • Video Downloader for YouTube
  • SoundCloud music downloader
  • The New York Times News
  • Instagram app with direct message DM

The list that Avast provides in its blog post includes links to download locations for both Chrome and Edge. Anyone who has downloaded one of these add-ons should immediately remove it and run a virus scan.
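One way to check a browser profile for these add-ons, as an added example that is not from Avast or the original article: the script below walks a Chromium-style `Extensions` directory (layout `<id>/<version>/manifest.json`, path supplied by the caller) and reports installed extensions whose display name appears in the list above. It matches on name only, because this page lists no extension IDs, so a hit such as "Volume control" may be an unrelated add-on and should be confirmed against Avast's own list.

```python
import json
import sys
from pathlib import Path

# Names as printed in the list above, duplicates collapsed. The page gives no
# extension IDs, so a name match is a lead to confirm by hand, not proof.
REPORTED = {n.casefold() for n in (
    "Direct message for Instagram", "DM for Instagram", "Downloader for Instagram",
    "Invisible mode for Instagram Direct Message", "Stories for Instagram",
    "Instagram Download video and image", "App phone for Instagram",
    "Universal video downloader", "Video Downloader for FaceBook", "Volume control",
    "Vimeo Video Downloader", "Zoomer for Instagram and FaceBook",
    "Unlock VK. Works fast.", "Unlock Odnoklassniki. Works fast.",
    "Upload photo to Instagram", "Spotify Music Downloader", "SoundCloud music downloader",
    "Pretty Kitty, The Cat Pet", "Video Downloader for YouTube",
    "The New York Times News", "Instagram app with direct message DM",
)}

def display_name(version_dir: Path) -> str:
    """Return the extension's name, resolving a __MSG_key__ placeholder."""
    manifest = json.loads((version_dir / "manifest.json").read_text("utf-8-sig"))
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2].casefold()
        loc = version_dir / "_locales" / manifest.get("default_locale", "en")
        try:
            msgs = json.loads((loc / "messages.json").read_text("utf-8-sig"))
        except (OSError, ValueError):
            return name  # unresolved placeholder; keep it visible
        # Message keys are matched case-insensitively by the browser.
        for k, v in msgs.items():
            if k.casefold() == key:
                return v.get("message", name)
    return name

def audit(extensions_dir: Path) -> list[tuple[str, str]]:
    """Return sorted (extension_id, name) pairs whose name is on the list."""
    hits = set()
    for manifest in extensions_dir.glob("*/*/manifest.json"):
        try:
            name = display_name(manifest.parent)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        if name.strip().casefold() in REPORTED:
            hits.add((manifest.parent.parent.name, name.strip()))
    return sorted(hits)

if __name__ == "__main__" and len(sys.argv) == 2:
    print(*(f"{i}\t{n}" for i, n in audit(Path(sys.argv[1]))), sep="\n")
```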
