Malicious extensions in the news again? No way! Well, yes, unfortunately, but you’re probably not at all surprised and you’re certainly not at all happy about it. In February, Google removed over 500 malicious extensions from the Chrome Web Store which were injecting ads into millions of Chrome browsing sessions. Back in June, Awake Security reported another 100 from 15,160 domains. Now, according to Avast after first being found by CZ.NIC, there exist 15 more that users should uninstall this very moment!
Based on their recent findings, a total of 28 extensions (15 in Chrome and 13 in Edge) that are mostly geared toward Facebook and Instagram use cases are instead redirecting user traffic to ads and phishing sites and collecting their personal data such as their birth dates, email addresses, and active devices. Not only that, but they’re also collecting browsing data and they have the ability to directly download malware onto a user’s device (but Chromebooks can’t get malware)!
Avast researchers said they believe the extension developers ran the campaign to hijack user traffic for monetary gains, stating that “For every redirection to a third-party domain, the cybercriminals would receive a payment.”
“Our hypothesis is that either the extensions were deliberately created with the malware built in, or the author waited for the extensions to become popular and then pushed an update containing the malware,” Avast researcher Jan Rubin says. “It could also be that the author sold the original extensions to someone else after creating them and then his client introduced the malware afterwards.” (Avast Blog)
Apparently, Avast’s Threat Intelligence team started monitoring this threat back in November, but they believe it could have been active for years as reflected in some of the extensions’ reviews. The craziest part is that most of these extensions can still be downloaded and since Avast made Google aware of the issue, only a few of them have been removed from the Web Store, though it’s said that they are currently investigating each.
This is not okay. Extensions have long since been the weak link in the Chrome browser’s armor – its only real security vulnerability. To be fair, it’s difficult, even near impossible, to control the experience where there is so much input and influence from third parties, and the Chrome Web Store basically feels like the wild west. Google is doing a ton of work to change that though, including the creation of a “seal of approval” of sorts for extensions that help mitigate privacy issues, which will be rolling out early this next year, and even by giving you direct control over what data an extension has access to and on which websites.
There is no doubt that these issues may persist long after the new year, and there is certainly much work to be done, so we’ll have to see what other creative solutions Google can come up with to wrangle extensions into submission. I would vote that we simply get rid of them entirely to solve the problem, but many extensions like Honey, Toby, Stadia Enhanced, Cog, uBlock Origin and more do some real good for Chrome users and deserve to exist. This means that instead, Google will need to take a more cautious approach to the situation and separate the sheep from the goats, so to speak, and that will take time.
Let me state here and now that if you have any of the following extensions installed on your computer, remove them right this instant! Do not under any circumstance install the extensions below – we are linking them only so that you can verify their identity in full. You can view your extensions by typing chrome://extensions into your URL bar or Omnibox above.
- Direct Message for Instagram
- DM for Instagram
- Invisible mode for Instagram Direct Message
- Downloader for Instagram
- App Phone for Instagram
- Stories for Instagram
- Universal Video Downloader
- Video Downloader for FaceBook™
- Vimeo™ Video Downloader
- Zoomer for Instagram and FaceBook
- VK UnBlock. Works fast.
- Odnoklassniki UnBlock. Works quickly.
- Upload photo to Instagram™
- Spotify Music Downloader
- The New York Times News
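
The same check can be run against a Chrome profile on disk. The Python below is an added example, not code from this article or from Avast: it reads each installed extension's manifest, resolves localized `__MSG_…__` names, and compares the result with the list above. The article gives names rather than extension IDs, so a match is a lead to verify, not proof. The function names and the `Extensions` directory passed on the command line (for example `~/.config/google-chrome/Default/Extensions` on Linux) are assumptions.

```python
import json
import re
import sys
from pathlib import Path

# Names copied from the list above (the article gives names, not extension IDs).
FLAGGED = [
    "Direct Message for Instagram", "DM for Instagram", "Invisible mode for Instagram Direct Message",
    "Downloader for Instagram", "App Phone for Instagram", "Stories for Instagram",
    "Universal Video Downloader", "Video Downloader for FaceBook™", "Vimeo™ Video Downloader",
    "Zoomer for Instagram and FaceBook", "VK UnBlock. Works fast.", "Odnoklassniki UnBlock. Works quickly.",
    "Upload photo to Instagram™", "Spotify Music Downloader", "The New York Times News",
]

def normalize(name):
    """Lower-case, drop trademark symbols and collapse whitespace."""
    return re.sub(r"\s+", " ", re.sub(r"[™®]", "", name)).strip().lower()

def display_name(version_dir, manifest):
    """Resolve the manifest name, following __MSG_key__ into _locales."""
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m:
        return name
    try:
        locale_dir = version_dir / "_locales" / manifest.get("default_locale", "en")
        messages = json.loads((locale_dir / "messages.json").read_text(encoding="utf-8-sig"))
        # Chrome treats message keys as case-insensitive.
        lowered = {k.lower(): v for k, v in messages.items()}
        return lowered[m.group(1).lower()]["message"]
    except (OSError, ValueError, AttributeError, KeyError, TypeError):
        return name  # unresolved placeholder: report it as-is

def find_flagged(extensions_dir, flagged=FLAGGED):
    """Return sorted (extension_id, version, name) tuples whose name is on the list."""
    wanted = {normalize(n) for n in flagged}
    hits = []
    for mpath in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(mpath.read_text(encoding="utf-8-sig"))
            name = display_name(mpath.parent, manifest)
        except (OSError, ValueError, AttributeError, TypeError):
            continue  # unreadable or non-strict-JSON manifest: skipped
        if normalize(name) in wanted:
            hits.append((mpath.parts[-3], mpath.parts[-2], name))
    return sorted(hits)

if __name__ == "__main__":
    for ext_id, version, name in find_flagged(sys.argv[1]):
        print(f"{ext_id}  {version}  {name}")
```

Each hit prints the extension ID, which can be matched against the ID shown on chrome://extensions before removing the extension.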