Google recently removed over 500 Chrome extensions that had been found to be stealing private data, in response to a report from a researcher who found that the browser plug-ins had aided both fraud and data theft.
infected users and exfiltrated data through malvertising while attempting to evade fraud detection on the Google Chrome Web Store. The Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users. This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the user's knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store's fraud detection mechanisms.
It's fairly common knowledge that Google have been on the back foot for the last year or two as they've tried to change the way Chrome extensions work, because the APIs currently available to extensions are so open to abuse.
Their next update, known as Manifest v3, will be much more security focussed, but the problem is that while it is still in development Chrome extensions are still being written and released under the much less secure Manifest v2, and the Chrome Web Store is understaffed and struggling to deal with the issues v2 causes.
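As an added illustration of the Manifest v2 capabilities described above as open to abuse (this is example code, not from the article or from any researcher's tooling), the following Python audit reads an extension's manifest.json and flags the combination of permissions that lets an extension observe or silently redirect traffic on every site. The permission names are real Chrome manifest keys; the sample manifests and the choice of what counts as risky are constructed for this example.

```python
import json
from typing import Dict, List

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Real Chrome permission names; treating them as sensitive is this example's assumption.
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "tabs", "cookies",
                     "history", "webNavigation", "proxy"}


def audit_manifest(manifest: Dict) -> List[str]:
    """Return human-readable findings for a parsed manifest.json."""
    findings = []
    if manifest.get("manifest_version", 0) < 3:
        findings.append("manifest_version<3: legacy MV2 extension")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # MV2 mixes host patterns into "permissions"; MV3 moved them to "host_permissions".
    hosts = {p for p in perms if "://" in p or p == "<all_urls>"}
    hosts |= set(manifest.get("host_permissions", []))
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    if perms & RISKY_PERMISSIONS:
        findings.append("sensitive APIs: " + ", ".join(sorted(perms & RISKY_PERMISSIONS)))
    # MV2 let an extension relax its CSP to load scripts from a remote host,
    # so the logic the store reviewed need not be the logic that runs.
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, str) and ("http://" in csp or "https://" in csp):
        findings.append("CSP allows remote script sources: " + csp)
    if "webRequestBlocking" in perms and hosts & BROAD_HOSTS:
        findings.append("can silently redirect any request (webRequestBlocking + broad hosts)")
    return findings


def audit_manifest_text(text: str) -> List[str]:
    """Convenience wrapper for the raw contents of a manifest.json file."""
    return audit_manifest(json.loads(text))


# Constructed sample manifests (not real extensions).
SUSPICIOUS_MV2 = {
    "manifest_version": 2, "name": "Example Promos",
    "permissions": ["webRequest", "webRequestBlocking", "tabs", "<all_urls>"],
    "content_security_policy": "script-src 'self' https://cdn.example.invalid; object-src 'self'",
    "background": {"scripts": ["bg.js"]},
}
BENIGN_MV3 = {"manifest_version": 3, "name": "Example Notes",
              "permissions": ["storage"], "host_permissions": ["https://notes.example.invalid/*"]}

if __name__ == "__main__":
    for name, m in (("suspicious", SUSPICIOUS_MV2), ("benign", BENIGN_MV3)):
        print(name, audit_manifest(m) or ["no findings"])
```

Pointed at the unpacked extensions under a Chrome profile directory, the same function gives a quick inventory of which installed extensions still hold MV2-style blanket access.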
Jamila Kaya found several extensions last year offering "Advertising as a Service", such as MapsTrek Promotions, FreeWeatherApp Promos and Coupon Rockstar Offers, that were part of a much larger network of browser plug-ins sharing similar code.
In total she found about seventy of these similar extensions before turning her findings over to Google to remove them.
Using that data Google then created a 'code fingerprint' and found over 500 more spammy/dangerous extensions, which were also removed.
It’s thought about 1.7m Chrome users had these extensions installed before they were removed.
Kaya stated these extensions seem to have been created to operate 'under the radar', generating ad revenue by redirecting the probably unaware victim's browser through a series of malicious host sites (almost all of which were hosted on Amazon Web Services, or AWS) that would then serve a variety of ads, both legitimate and malicious.
We appreciate the work of the research community, and when we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses. We do regular sweeps to find extensions using similar techniques, code, and behaviors, and take down those extensions if they violate our policies.