Another day, another batch of crappy Chrome extensions that you shouldn’t be using. Once again, Google has identified a number of bad actors in its Chrome Web Store and given them the boot—but that doesn’t automatically remove these malware extensions from your browser, so you might want to do a quick cross-reference of any extensions that sound a little odd.
Cisco’s Duo Security team was responsible for digging up these malicious extensions, but their investigations were first prompted by the work of security researcher Jamila Kaya. She used Cisco’s CRXcavator tool to find these crappy Chrome extensions, with many of them mimicking each other in terms of attack vectors and what they were trying to do to users (and users’ systems). As Duo describes:
“In the case reported here, the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users. This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users’ knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms. While this research and CRXcavator’s analysis in general can help us understand a lot about the architecture and operation of such malicious extensions, the question of how the extensions got to be installed on any system is not one we have the data to answer at this time.”
According to Duo, around 1.7 million users had installed the 70 or so extensions that Kaya initially identified. From there, Google searched for and removed a total of 500 or so related extensions that performed similar, sketchy activities. While we don’t have a list of those—if only!—you can at least check your Chrome browser for the following:
If you have any extensions installed that sound like any on this list, remove them—they’re malware. Going forward, make sure you’re doing more than just using reviews on the Chrome Web Store as the deciding factor for whether you should install an extension or not. Read around the web to see if others are using the extension, have recommended it, or have anything to say about it.
You can even throw extensions you’re considering into Cisco’s CRXcavator tool, if you want to get a quick sense of whether they’re risky or not. The tool might be a bit confusing for regular people, though, so common sense—including visiting an extension developer’s website, thinking about the permissions an extension wants, and trusting your gut—is probably going to be your best defense. Extensions are great, but you probably don’t need to pack your browser full of them.