More malicious extensions in Chrome Web Store

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,556
Two weeks ago I wrote about the PDF Toolbox extension containing obfuscated malicious code. Despite reporting the issue to Google via two different channels, the extension remains online. It even gained a considerable number of users after I published my article.

A reader tipped me off however that the Zoom Plus extension also makes a request to serasearchtop[.]com. I checked it out and found two other versions of the same malicious code. And I found more extensions in Chrome Web Store which are using it.

So now we are at 18 malicious extensions with a combined user count of 55 million. The most popular of these extensions are Autoskip for Youtube, Crystal Ad block and Brisk VPN: nine, six and five million users respectively.
So far I could identify the following 18 malicious extensions. All but two of them are listed as “Featured” in Chrome Web Store. User counts reflect the state for 2023-05-30.

NameWeekly active usersExtension ID
Autoskip for Youtube9,008,298lgjdgmdbfhobkdbcjnpnlmhnplnidkkp
Crystal Ad block6,869,278lklmhefoneonjalpjcnhaidnodopinib
Brisk VPN5,595,420ciifcakemmcbbdpmljdohdmbodagmela
Clipboard Helper3,499,233meljmedplehjlnnaempfdoecookjenph
Maxi Refresher3,483,639lipmdblppejomolopniipdjlpfjcojob
Quick Translation2,797,773lmcboojgmmaafdmgacncdpjnpnnhpmei
Easyview Reader view2,786,137icnekagcncdgpdnpoecofjinkplbnocm
PDF toolbox2,782,790bahogceckgcanpcoabcdgmoidngedmfo
Zoom Plus2,370,645ajneghihjbebmnljfhlpdmjjpifeaokc
Base Image Downloader2,366,136nadenkhojomjfdcppbhhncbfakfjiabp
Clickish fun cursors2,353,436pbdpfhmbdldfoioggnphkiocpidecmbp
Maximum Color Changer for Youtube2,226,293kjeffohcijbnlkgoaibmdcfconakaajm
Readl Reader mode1,852,707dppnhoaonckcimpejpjodcdoenfjleme
Image download center1,493,741deebfeldnfhemlnidojiiidadkgnglpi
Font Customizer1,471,726gfbgiekofllpkpaoadjhbbfnljbcimoh
Easy Undo Closed Tabs1,460,691pbebadpeajadcmaoofljnnfgofehnpeo
OneCleaner1,457,548pinnfpbpjancnbidnnhpemakncopaega
Repeat button1,456,013iicpikopjmmincpjkckdngpkmlcchold
Note that this list is unlikely to be complete. It’s based on a sample of roughly a thousand extensions that I have locally, not all the Chrome Web Store contents.
 

Wladimir Palant

Level 1
Oct 29, 2020
11
There has been an update to this article: 16 more malicious extensions with 32 million users in total. But just as I was publishing this update, I noticed that many of the extensions were already gone. Google removed even those that I only listed in the update – so they did their own searching, which is good. Right now, only nine of these extensions remain in Chrome Web Store.
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,556
Unmasking malicious extensions: Avast detects new threats on the Chrome Web Store
Our investigation began when a respected figure in the cybersecurity community, Wladimir Palant, discovered malicious code in the PDF Toolbox extension. His findings, detailed on his blog, prompted us to delve deeper into the issue.

We found that 32 malicious extensions with a whopping 75 million combined installs were available on the Chrome Web Store. The extensions’ functionalities ranged from adblocks, downloaders, and browser themes to recorders and tab managers. Importantly, an additional 50 extensions have already been taken down.
 

MuzzMelbourne

Level 15
Verified
Top Poster
Well-known
Mar 13, 2022
599
No wonder Google is having trouble keeping up with policing its app store. Since Monday, researchers have reported that hundreds of Android apps and Chrome extensions with millions of installs from the company’s official marketplaces have included functions for snooping on user files, manipulating the contents of clipboards, and injecting deliberately unknown code into webpages.

Google has removed many but not all of the malicious entries, the researchers said, but only after they were reported, and by then, they were on millions of devices—and possibly hundreds of millions. The researchers aren’t pleased.
 

cofer123

Level 2
Sep 7, 2021
98
Another reason why I still use Firefox. While the Firefox add-ons page is not perfect and malware sometimes finds its way there, Mozilla at least has a Recommended Extensions program that curates extensions, following a manual review process before publication. Most of the actually important/useful extensions for Firefox follow this approach, since not only this gives these extensions more visibility, but you also get added security that way.

But I guess a trillion-dollar company like Google simply lacks the resources to enforce some degree of control on their ecosystems.
 

Captain Holly

Level 5
Verified
Well-known
Jan 23, 2021
233
This is very interesting. I try to keep extensions to a bare minimum, no matter what browser I use. In Firefox I only use one extension that does not have the "Recommended By Firefox" designation. That extension is the Malwarebytes Browser Guard. I use Dark Reader, Adblocker Ultimate, MB Browser Guard and Webmail Ad Blocker in FF and Chrome. I have these same common extensions in Edge too but I hardly ever use Edge. This all makes me wonder if an extension is safe in Firefox and recommended by Firefox, is the same extension also considered safe in Chrome? Or any of the other Chromium based browsers that also use Google extensions? I really wonder if I should just use Firefox 100% of the time now, no matter what. Inquiring minds want to know...

C.H.
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,556
How malicious extensions hide running arbitrary code
Two days ago I wrote about the malicious extensions I discovered in Chrome Web Store. At some point this article got noticed by Avast. Once their team confirmed my findings, Google finally reacted and started removing these extensions. Out of the 34 extensions I reported, only 8 extensions remain. These eight were all part of an update where I added 16 extensions to my list, an update that came too late for Avast to notice.

Note: Even for the removed extensions, it isn’t “mission accomplished” yet. Yes, the extensions can no longer be installed. However, the existing installations remain. From what I can tell, Google didn’t blocklist these extensions yet.

Avast ran their own search, and they found a bunch of extensions that I didn’t see. So how come they missed eight extensions? The reason seems to be: these are considerably different. They migrated to Manifest V3, so they had to find new ways of running arbitrary code that wouldn’t attract unnecessary attention.

Update
(2023-06-03): These extensions have been removed from the Chrome Web Store as well.
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,556
Malicious extensions in the Chrome Web Store
It all began when cybersecurity researcher Vladimir Palant found an extension called PDF Toolbox containing suspicious code in the Chrome Web Store. At first glance, it was a perfectly respectable plugin for converting Office documents and performing other simple operations with PDF files.
After Palant’s study was published, as well as another paper on the same topic by a team of experts, Google finally removed the dangerous extensions. But it took the authority of several well-known specialists for it to happen. Incidentally, it’s the same story with Google Play — there, too, ordinary users’ complaints generally go unheeded.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top