More malicious extensions in Chrome Web Store

Gandalf_The_Grey

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,229
Content source
https://palant.info/2023/05/31/more-malicious-extensions-in-chrome-web-store/
Two weeks ago I wrote about the PDF Toolbox extension containing obfuscated malicious code. Despite reporting the issue to Google via two different channels, the extension remains online. It even gained a considerable number of users after I published my article.

A reader tipped me off however that the Zoom Plus extension also makes a request to serasearchtop[.]com. I checked it out and found two other versions of the same malicious code. And I found more extensions in Chrome Web Store which are using it.

So now we are at 18 malicious extensions with a combined user count of 55 million. The most popular of these extensions are Autoskip for Youtube, Crystal Ad block and Brisk VPN: nine, six and five million users respectively.
Click to expand...
So far I could identify the following 18 malicious extensions. All but two of them are listed as “Featured” in Chrome Web Store. User counts reflect the state for 2023-05-30.

NameWeekly active usersExtension ID
Autoskip for Youtube9,008,298lgjdgmdbfhobkdbcjnpnlmhnplnidkkp
Crystal Ad block6,869,278lklmhefoneonjalpjcnhaidnodopinib
Brisk VPN5,595,420ciifcakemmcbbdpmljdohdmbodagmela
Clipboard Helper3,499,233meljmedplehjlnnaempfdoecookjenph
Maxi Refresher3,483,639lipmdblppejomolopniipdjlpfjcojob
Quick Translation2,797,773lmcboojgmmaafdmgacncdpjnpnnhpmei
Easyview Reader view2,786,137icnekagcncdgpdnpoecofjinkplbnocm
PDF toolbox2,782,790bahogceckgcanpcoabcdgmoidngedmfo
Zoom Plus2,370,645ajneghihjbebmnljfhlpdmjjpifeaokc
Base Image Downloader2,366,136nadenkhojomjfdcppbhhncbfakfjiabp
Clickish fun cursors2,353,436pbdpfhmbdldfoioggnphkiocpidecmbp
Maximum Color Changer for Youtube2,226,293kjeffohcijbnlkgoaibmdcfconakaajm
Readl Reader mode1,852,707dppnhoaonckcimpejpjodcdoenfjleme
Image download center1,493,741deebfeldnfhemlnidojiiidadkgnglpi
Font Customizer1,471,726gfbgiekofllpkpaoadjhbbfnljbcimoh
Easy Undo Closed Tabs1,460,691pbebadpeajadcmaoofljnnfgofehnpeo
OneCleaner1,457,548pinnfpbpjancnbidnnhpemakncopaega
Repeat button1,456,013iicpikopjmmincpjkckdngpkmlcchold
Note that this list is unlikely to be complete. It’s based on a sample of roughly a thousand extensions that I have locally, not all the Chrome Web Store contents.
Click to expand...
palant.info

More malicious extensions in Chrome Web Store

So far I discovered 18 malicious extensions with 55 million users in total. Most popular ones are: Autoskip for Youtube, Crystal Ad block and Brisk VPN. They have been active for two years, undetected by Google.
palant.info palant.info
 
  • Like
  • +Reputation
  • Applause
Reactions: Dave Russo, CyberTech, spaceoctopus and 20 others
Wladimir Palant

Wladimir Palant

Level 1
Oct 29, 2020
11
There has been an update to this article: 16 more malicious extensions with 32 million users in total. But just as I was publishing this update, I noticed that many of the extensions were already gone. Google removed even those that I only listed in the update – so they did their own searching, which is good. Right now, only nine of these extensions remain in Chrome Web Store.
 
  • Like
  • +Reputation
  • Applause
Reactions: Dave Russo, CyberTech, vtqhtr413 and 12 others
Gandalf_The_Grey

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,229
Unmasking malicious extensions: Avast detects new threats on the Chrome Web Store
Our investigation began when a respected figure in the cybersecurity community, Wladimir Palant, discovered malicious code in the PDF Toolbox extension. His findings, detailed on his blog, prompted us to delve deeper into the issue.

We found that 32 malicious extensions with a whopping 75 million combined installs were available on the Chrome Web Store. The extensions’ functionalities ranged from adblocks, downloaders, and browser themes to recorders and tab managers. Importantly, an additional 50 extensions have already been taken down.
Click to expand...
blog.avast.com

Unmasking malicious extensions: Avast detects new threats on the Chrome Web Store

Avast recently discovered a series of malicious browser extensions on the Chrome Web Store that are spreading adware and hijacked search results.
blog.avast.com blog.avast.com
 
  • Like
  • Thanks
  • +Reputation
Reactions: Brie, plat, Dave Russo and 7 others
MuzzMelbourne

MuzzMelbourne

Level 15
Verified
Top Poster
Well-known
Mar 13, 2022
599
No wonder Google is having trouble keeping up with policing its app store. Since Monday, researchers have reported that hundreds of Android apps and Chrome extensions with millions of installs from the company’s official marketplaces have included functions for snooping on user files, manipulating the contents of clipboards, and injecting deliberately unknown code into webpages.

Google has removed many but not all of the malicious entries, the researchers said, but only after they were reported, and by then, they were on millions of devices—and possibly hundreds of millions. The researchers aren’t pleased.
Click to expand...
arstechnica.com

Google’s Android and Chrome extensions are a very sad place. Here’s why

It was a bad week for millions of people who rely on Google for apps and Chrome extensions.
arstechnica.com arstechnica.com
 
  • Like
  • Wow
  • Thanks
Reactions: plat, Dave Russo, spaceoctopus and 7 others
C

cofer123

Level 3
Sep 7, 2021
134
Another reason why I still use Firefox. While the Firefox add-ons page is not perfect and malware sometimes finds its way there, Mozilla at least has a Recommended Extensions program that curates extensions, following a manual review process before publication. Most of the actually important/useful extensions for Firefox follow this approach, since not only this gives these extensions more visibility, but you also get added security that way.

But I guess a trillion-dollar company like Google simply lacks the resources to enforce some degree of control on their ecosystems.
 
  • Like
  • HaHa
  • Thanks
Reactions: plat, CyberTech, spaceoctopus and 7 others
Captain Holly

Captain Holly

Level 6
Verified
Well-known
Jan 23, 2021
251
This is very interesting. I try to keep extensions to a bare minimum, no matter what browser I use. In Firefox I only use one extension that does not have the "Recommended By Firefox" designation. That extension is the Malwarebytes Browser Guard. I use Dark Reader, Adblocker Ultimate, MB Browser Guard and Webmail Ad Blocker in FF and Chrome. I have these same common extensions in Edge too but I hardly ever use Edge. This all makes me wonder if an extension is safe in Firefox and recommended by Firefox, is the same extension also considered safe in Chrome? Or any of the other Chromium based browsers that also use Google extensions? I really wonder if I should just use Firefox 100% of the time now, no matter what. Inquiring minds want to know...

C.H.
 
  • Like
Reactions: Dave Russo, oldschool, [correlate] and 3 others
Gandalf_The_Grey

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,229
How malicious extensions hide running arbitrary code
Two days ago I wrote about the malicious extensions I discovered in Chrome Web Store. At some point this article got noticed by Avast. Once their team confirmed my findings, Google finally reacted and started removing these extensions. Out of the 34 extensions I reported, only 8 extensions remain. These eight were all part of an update where I added 16 extensions to my list, an update that came too late for Avast to notice.

Note: Even for the removed extensions, it isn’t “mission accomplished” yet. Yes, the extensions can no longer be installed. However, the existing installations remain. From what I can tell, Google didn’t blocklist these extensions yet.

Avast ran their own search, and they found a bunch of extensions that I didn’t see. So how come they missed eight extensions? The reason seems to be: these are considerably different. They migrated to Manifest V3, so they had to find new ways of running arbitrary code that wouldn’t attract unnecessary attention.

Update (2023-06-03): These extensions have been removed from the Chrome Web Store as well.
Click to expand...
palant.info

How malicious extensions hide running arbitrary code

Eight malicious extensions still remain in Chrome Web Store. These use some interesting tricks to keep running arbitrary code despite restrictions of Manifest V3.
palant.info palant.info
 
  • Like
  • +Reputation
  • Thanks
Reactions: Dave Russo, oldschool, Zero Knowledge and 3 others
Gandalf_The_Grey

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,229
Malicious extensions in the Chrome Web Store
It all began when cybersecurity researcher Vladimir Palant found an extension called PDF Toolbox containing suspicious code in the Chrome Web Store. At first glance, it was a perfectly respectable plugin for converting Office documents and performing other simple operations with PDF files.
Click to expand...
After Palant’s study was published, as well as another paper on the same topic by a team of experts, Google finally removed the dangerous extensions. But it took the authority of several well-known specialists for it to happen. Incidentally, it’s the same story with Google Play — there, too, ordinary users’ complaints generally go unheeded.
Click to expand...
www.kaspersky.com

Malicious extensions in the Chrome Web Store

A few dozen malicious extensions — with a combined 87 million downloads — discovered in Google’s Chrome Web Store.
www.kaspersky.com www.kaspersky.com
 
  • Like
  • Thanks
  • +Reputation
Reactions: silversurfer, brambedkar59, Zero Knowledge and 4 others
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
Almost Secure Blog: The Karma connection in Chrome Web Store
Replies
0
Views
139
Web Extensions
Gandalf_The_Grey
Gandalf_The_Grey
enaph
    • Like
    • Sad
    • Wow
Security News Popular Chrome Extension to Hide YouTube Shorts Turned Malicious
Replies
4
Views
556
Security News
lokamoka820
lokamoka820
enaph
    • Like
Security News Opera Browser Vulnerable to Cross-Browser Attacks via Malicious Extensions
Replies
0
Views
601
Security News
enaph
enaph

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top