70+ Spyware Chrome Extensions with 32 Million downloads, avoids detection

Ink

The Security Defenses that Failed
These campaigns have been ongoing for years while customers have deployed best-in-class security solutions. The research shows how attackers attempted to evade detection, but the TTPs, in this case, appear to have hit a blind spot in many traditional approaches to security—e.g. reputation engines, sandboxes and endpoint detection and response solutions.
In-depth by Awake Security

This Chrome spyware campaign was massive
  • A third-party security team discovered a ring of Chrome spyware extensions all working together
  • The extensions were apparently downloaded over 32 million times, affecting millions of Chrome browsers
  • This news once again illuminates how weak Google’s oversight of Chrome extensions really is
These Chrome spyware extensions were usually disguised as tools that would, ironically, protect users from malicious sites. Some were also legitimate tools that would convert files from one format to another. However, while running, all the extensions could secretly siphon data from the user’s internet activity.

According to Awake Security, the information collected by these Chrome spyware applications bounced around a criminal network of over 15,000 domains. Almost all of those domains were purchased from just one registrar called Galcomm, based in Israel.

When contacted by Reuters, Galcomm denied any involvement with the criminal ring of apps. However, Awake Security contacted Galcomm multiple times during its investigation, with Galcomm never responding. Reuters also tried to give Galcomm a list of the domains used to transmit the stolen data a whopping three times, with Galcomm never giving a substantial response to any of the messages.


Not just Chrome, but Chromium-based browsers that use the Chrome Web Store.

upnorth


Protomartyr

Check the first link, or @upnorth's post.
They list only the Chrome extension IDs (unless I missed them listing the names of the extensions in the article). Since a lot of these extensions have already been removed from the Chrome Web Store, there's no way to check.

The Chrome Web Store URL has the following format:
https://chrome.google.com/webstore/detail/<extension name>/<extension ID>

Omitting the extension name and just using the ID also works:
https://chrome.google.com/webstore/detail/<extension ID>

I posed my question more to make the point that this data wasn't easily accessible. How are users supposed to know if they had these extensions installed previously? Inputting a lot of these extension IDs following the above URL format returns a 404 error, probably because they have already been removed from the Web Store.

I'm not sure if Chrome auto-removes already installed extensions that have been later removed from the Web Store.

Does this mean users may still be at risk?

CyberTech

@Protomartyr

To date, there have been at least 32,962,951 downloads of these malicious extensions—and this only accounts for the extensions that were live in the Chrome Web Store as of May 2020. For context, very few extensions have been downloaded more than 10 million times. A TSV list of IDs for these malicious Chrome extensions can be found here. A second TSV list including the IDs and names of just those extensions that were in the Chrome Web Store is available here. Awake has since worked with Google to take down these extensions from the Chrome Web Store.

edit: the text is messed up; you can copy all of them into WordPad.

TairikuOkami

Code:
https://awakesecurity.com/wp-content/uploads/2020/06/GalComm-Malicious-Chrome-Extensions-Appendix-B.txt
https://awakesecurity.com/wp-content/uploads/2020/06/GalComm-Malicious-Chrome-Extensions-in-store-extensions.txt
name_slug, securify-for-chrome, browse-safer, search-manager, doctopdf, easyconvertdefault-search, easyconvert, bytefence-secure-browsing, browsing-protector, secure-web-searching, easyconvert, viewpdf, viewpdf, quickmail, search-manager, search-manager, bytefence-secure-browsing, search-manager, secured-search-extension, search-manager, thedocpdfconverter, search-manager, search-manager, viewpdf, search-manager, viewpdf, viewpdf, gofiletopdf, doctopdf, doctopdf, doctopdf, viewpdf, bytefence-secure-browsing, search-manager, browsing-safety-checker, viewpdf, search-manager, pdf-opener, search-manager, viewpdf, easyconvert, securify-for-chrome, doctopdf, search-manager, pdf-opener, search-manager, doctopdf, search-manager, pdf-opener, thedocpdfconverter, doctopdf, pdf-opener, search-manager, ttab, mydocstopdf, doctopdf, thedocpdfconverter, easyconvert, pdf-opener, theeasywaypro, viewpdf, viewpdf, viewpdf, viewpdf, search-manager, search-by-convertfilenow, quicklogin, pdf-opener, easyconvert, easyconvert, mydocstopdf, doctopdf, easyconvert, mydocstopdf, pdf-ninja-converter, pdf2doc, thesecuredweb-protected-b, easyconvert, search-by-convertpdfpro, convertwordtopdf
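As an added example (not code from this thread, from Awake Security or from Google), the script below answers the question raised earlier in the thread, whether one of the listed IDs is still installed even though the Web Store now returns a 404 for it. It checks a local Chrome/Chromium profile against an ID list in the format of the Awake TSV files linked above. It assumes the standard profile layout (Extensions/<id>/<version>/manifest.json, plus the extensions.settings map in the Preferences / Secure Preferences JSON files) and the usual Default-profile locations; the IDs in its built-in sample profile are made up and are not taken from the Awake lists. Because it reads the profile's own records rather than the Web Store, an extension that was pulled from the store but never uninstalled is still reported.

```python
# Added example, not code from this thread, from Awake Security or from Google.
# Checks a local Chrome/Chromium profile against a list of extension IDs such as
# the Awake TSV files. Assumes the standard profile layout:
#   <profile>/Extensions/<id>/<version>/manifest.json
#   <profile>/Preferences and <profile>/Secure Preferences -> extensions.settings
import json
import os
import re
import sys
import tempfile
from pathlib import Path

# Chrome extension IDs are 32 characters from the alphabet a-p: the first 32 hex
# digits of the SHA-256 of the extension's public key, with 0-9a-f mapped to a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")


def load_id_list(text):
    """Parse a TSV or plain ID list; keep every token that looks like an extension ID."""
    ids = set()
    for line in text.splitlines():
        for token in re.split(r"[\s,]+", line.strip()):
            if EXT_ID_RE.match(token.lower()):
                ids.add(token.lower())
    return ids


def default_profile_dirs():
    """Usual 'Default' profile locations for Chrome/Chromium on Linux, macOS and Windows."""
    home = Path.home()
    candidates = [
        home / ".config" / "google-chrome" / "Default",
        home / ".config" / "chromium" / "Default",
        home / "Library" / "Application Support" / "Google" / "Chrome" / "Default",
    ]
    local_appdata = os.environ.get("LOCALAPPDATA")
    if local_appdata:
        candidates.append(Path(local_appdata) / "Google" / "Chrome" / "User Data" / "Default")
    return [p for p in candidates if p.is_dir()]


def _read_json(path):
    """Load a JSON file, returning {} if it is missing or unparsable."""
    try:
        return json.loads(Path(path).read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}


def installed_extensions(profile_dir):
    """Return {extension_id: name} for everything the profile still knows about.

    Both the unpacked extension directories and the extensions.settings map in the
    preference files are consulted, so an extension pulled from the Web Store but
    still installed in the profile is still reported.
    """
    profile = Path(profile_dir)
    found = {}
    ext_root = profile / "Extensions"
    if ext_root.is_dir():
        for ext_dir in ext_root.iterdir():
            if not (ext_dir.is_dir() and EXT_ID_RE.match(ext_dir.name)):
                continue
            name = None
            for version_dir in ext_dir.iterdir():
                name = _read_json(version_dir / "manifest.json").get("name", name)
            found[ext_dir.name] = name
    for prefs_name in ("Preferences", "Secure Preferences"):
        settings = _read_json(profile / prefs_name).get("extensions", {}).get("settings", {})
        for ext_id, entry in settings.items():
            if EXT_ID_RE.match(ext_id):
                found.setdefault(ext_id, (entry.get("manifest") or {}).get("name"))
    return found


def find_matches(profile_dir, block_list_text):
    """IDs from the block list that are present in the profile, as {id: name}."""
    bad_ids = load_id_list(block_list_text)
    return {i: n for i, n in installed_extensions(profile_dir).items() if i in bad_ids}


# Constructed sample data for a stand-alone run: these IDs are made up, NOT from the Awake lists.
SAMPLE_BLOCK_LIST = "id\tname_slug\n" + "a" * 32 + "\tsearch-manager\n" + "c" * 32 + "\tviewpdf\n"


def build_sample_profile(root):
    """Write a fake profile: two unpacked extensions plus one recorded only in Preferences."""
    root = Path(root)
    for ext_id, name in (("a" * 32, "Search Manager"), ("b" * 32, "Harmless Notes")):
        version_dir = root / "Extensions" / ext_id / "1.0.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps({"name": name, "version": "1.0.0"}))
    prefs = {"extensions": {"settings": {"c" * 32: {"manifest": {"name": "ViewPDF"}}}}}
    (root / "Preferences").write_text(json.dumps(prefs))


def demo():
    """Scan the constructed sample profile; the 'a' and 'c' IDs should be flagged, 'b' not."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return find_matches(tmp, SAMPLE_BLOCK_LIST)


if __name__ == "__main__":
    if len(sys.argv) < 2:          # no list given: run against the constructed sample
        print(demo())
        sys.exit(0)
    block_list = Path(sys.argv[1]).read_text(encoding="utf-8")
    for profile in sys.argv[2:] or default_profile_dirs():
        for ext_id, name in find_matches(profile, block_list).items():
            print(f"{profile}: {ext_id} ({name})")
```

Usage: save one of the Awake TXT/TSV files locally and run `python check_extensions.py GalComm-Malicious-Chrome-Extensions-Appendix-B.txt` (optionally followed by one or more profile directories). Close the browser first so the preference files are not mid-write, and check every profile directory, not only Default, since each profile keeps its own extension list.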
 
