Once again, cybercriminals have stealthily preyed on millions of Google users. Reportedly, Google removed numerous malicious Chrome extensions after researchers found them stealing users’ data.
Malicious Google Chrome Extensions
Researchers from the Awake Security Threat Research Team have published a detailed report highlighting their recent findings. As revealed, they found more than a hundred malicious Google Chrome extensions stealing users’ data.
Summarizing their findings in a blog post, Awake stated that they found 111 different Chrome extensions with suspicious or malicious activity. These extensions together boasted over 33 million downloads, hinting the number of users potentially affected by this incident.
In brief, these malicious extensions impersonated fake add-ons belonging to different domains. Once installed, the extensions kept on stealthily spying on users and stealing their data through various methods. As stated by the researchers,
These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc.
What made them persist for long is the range of evasion techniques that the extensions employed to ditch security solutions. Consequently, the threat actors managed to establish a ‘persistent foothold’ on almost all networks.
Besides existing on the Chrome Store, many of these extensions also reached end-users’ devices via other means.
Investigating the matter further made the researchers identify the threat actors behind this campaign, the Israel-based domain registrar GalComm.
Briefly, these registrar registered thousands of domains, including 15,160 malicious domains. This makes about 60% of all GalComm registered Domains as malicious.
They then used these domains to distribute malicious extensions among the users. Researchers have shared the complete list of IDs of all these Chrome add-ons.
Google Removed 106 Extensions
Upon discovering the range of malicious domains, the researchers reached out to Google to inform them of the matter.
Following their report, Google removed about 106 of these extensions from the Chrome Store. Quoting a statement from Google spokesperson Scott Westover, Threatpost stated,
When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses.
Like always, users should remain very careful before downloading or installing any browser add-on or app from untrusted sources.
Let us know your thoughts in the comments.