- May 4, 2019
Recently, Zimperium discovered and began monitoring the growth of a wide range of malicious browser extensions with the same extension ID as that of Google Translate, deceiving users into believing that they have installed a legitimate extension. Similar to app spoofing and cloning, these malicious applications look legitimate, but underneath the surface lies code that puts personal and enterprise data at risk. These malicious extensions can perform a wide variety of attacks based on the attacker’s purpose, as the malware includes a JavaScript injection method from the attacker’s controlled server.
This rising vector of attack is not limited to one specific browser. This family, codenamed ABCsoup, targets three popular browsers: Google Chrome, Opera, and Firefox. These Google Translate spoofing browser extensions are installed onto a victim’s machine via a Windows-based executable, bypassing most endpoint security solutions, along with the security controls found in the official extension stores.
The extension’s main logic confirms that this family is an adware campaign along with some script injection functionality which can be further abused for other malicious actions such as phishing, stealing credentials/cookies, etc.

ABCsoup: The Malicious Adware Extension with 350 Variants - Zimperium Mobile Security Blog
blog.zimperium.com