Malicious browser extensions impacting at least 3.2 million users

nicolaasjan

May 29, 2023

Key Points

  • We identified a cluster of at least 16 malicious Chrome extensions used to inject code into browsers to facilitate advertising and search engine optimization fraud. The extensions span diverse functionality including screen capture, ad blocking and emoji keyboards and impact at least 3.2 million users.
  • We assess that the threat actor acquired access to at least some of the extensions from their original developers, rather than through a compromise. The threat actor has been trojanizing extensions since at least July 2024.
  • The threat actor uses a complex multistage attack to degrade the security of users’ browsers and then inject content, traversing browser security boundaries and hiding malicious code outside of extensions. We have only been able to partly reproduce the threat actor’s attack chain.
  • The threat actor may also be associated with phishing kit development or distribution. The malicious extensions present a risk of sensitive information leakage or initial access.

And just for quick reference, here is the list of the 16 from the article, which has more information included.

Blipshot: one click full page screenshots
Emojis - Emoji Keyboard
WAToolkit
Color Changer for YouTube
Video Effects for YouTube And Audio Enhancer
Themes for Chrome and YouTube™ Picture in Picture
Mike Adblock für Chrome | Chrome-Werbeblocker
Page Refresh
Wistia Video Downloader
Super dark mode
Emoji keyboard emojis for chrome
Adblocker for Chrome - NoAds
Adblock for You
Adblock for Chrome
Nimble capture
KProxy
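A defender-side check, added here as an example and not part of the post or the article it quotes: a Python script that walks a Chrome profile's Extensions directory, resolves localized manifest names the way Chrome does, and reports any installed extension whose name matches one of the 16 listed above. The Extensions root (for example ~/.config/google-chrome/Default/Extensions on Linux, or %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions on Windows) is passed in by the caller; build_constructed_sample() creates a fake profile purely for the demonstration.

```python
import json
import os
import tempfile
# The 16 extension names from the post, lower-cased for case-insensitive matching.
FLAGGED_NAMES = {n.lower() for n in [
    "Blipshot: one click full page screenshots", "Emojis - Emoji Keyboard", "WAToolkit",
    "Color Changer for YouTube", "Video Effects for YouTube And Audio Enhancer",
    "Themes for Chrome and YouTube™ Picture in Picture", "Page Refresh", "Super dark mode",
    "Mike Adblock für Chrome | Chrome-Werbeblocker", "Wistia Video Downloader", "KProxy",
    "Emoji keyboard emojis for chrome", "Adblocker for Chrome - NoAds", "Adblock for You",
    "Adblock for Chrome", "Nimble capture"]}

def resolve_name(ext_dir, manifest):
    """Expand a localized '__MSG_key__' name from _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    path = os.path.join(ext_dir, "_locales", manifest.get("default_locale", "en"), "messages.json")
    try:
        with open(path, encoding="utf-8-sig") as f:
            return json.load(f)[name[6:-2]]["message"]
    except (OSError, KeyError, ValueError):
        return name  # unresolved placeholder: report it as-is rather than hide it

def scan(extensions_root):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (Chrome's layout); return flagged (id, version, name)."""
    hits = []
    for ext_id in sorted(os.listdir(extensions_root)):
        id_dir = os.path.join(extensions_root, ext_id)
        for version in sorted(os.listdir(id_dir)) if os.path.isdir(id_dir) else []:
            mf = os.path.join(id_dir, version, "manifest.json")
            if os.path.isfile(mf):
                with open(mf, encoding="utf-8-sig") as f:
                    name = resolve_name(os.path.dirname(mf), json.load(f))
                if " ".join(name.split()).lower() in FLAGGED_NAMES:
                    hits.append((ext_id, version, name))
    return hits

def build_constructed_sample():
    """Constructed sample profile (not real data): one flagged extension with a localized German name, one benign one."""
    root = tempfile.mkdtemp()
    def write(parts, obj):
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            json.dump(obj, f)
    write(["a" * 32, "2.1_0", "manifest.json"], {"name": "__MSG_appName__", "default_locale": "de", "version": "2.1"})
    write(["a" * 32, "2.1_0", "_locales", "de", "messages.json"], {"appName": {"message": "Mike Adblock für Chrome | Chrome-Werbeblocker"}})
    write(["b" * 32, "1.0_0", "manifest.json"], {"name": "Harmless Notes", "version": "1.0"})
    return root
```

A display-name match is only a weak indicator, since unrelated extensions can share a name; treat a hit as a prompt to compare the extension's ID against the article's list and remove it if it matches, not as proof on its own.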