
How Malicious Chrome Extensions Spy on Businesses

Simon Batt 17-07-2020

The Chrome Web Store's defenses aren't perfect, and malware developers exploit the gaps for nefarious purposes. Malicious extensions are now growing into a major threat to businesses and organizations around the world.


Let’s explore how one bad Chrome extension can cause huge problems for a business.

Isn’t the Chrome Web Store Safe From Viruses?

The Chrome Web Store is one of the safer places to install extensions to Google Chrome, but it’s by no means impervious.

Google does its best to stop malware from infecting users; for example, they only allow extensions to be installed either from the Web Store or under strict conditions. They then monitor the Chrome Web Store for any suspicious activity.

However, they can't catch every bad extension that gets uploaded, and some do sneak through. As such, nothing on the Chrome Web Store is 100 percent safe, but it's a great deal safer than downloading random files from the internet.

How a Single Chrome Extension Can Endanger a Company

At the moment, the majority of Chrome extension malware only targets one PC. It may install a keylogger or track your browser usage, but the effects are all localized on the PC you’re using.


However, a new trend of Chrome extension malware seeks to change that. Instead of delivering just a payload, these new strains will establish a foothold on the victim’s computer.

From that foothold, a hacker can prod further into an organization’s network. If they can successfully get around the network’s defenses, the hacker can spy on other PCs and file systems on the network.

As such, this is an evolution of rogue Chrome extensions that the cybersecurity world hadn't seen before. Now, one person in a larger network can endanger everyone else simply by downloading a bad extension.

Chrome Extension Malware Examples in the Real World

While this may seem scary, it doesn’t mean much if it can’t happen in the real world. So, what proof do we have that this attack vector is feasible?


Evidence of this development comes from ThreatPost, which keeps tabs on security threats around the internet. In their report, they discuss how they located 106 malicious extensions and told Google to remove them.

Malicious Chrome extension removals aren’t anything new; the worrisome part was how the malware acted. Not only did it steal data from the victim’s computer, but it also created a backdoor through which a hacker could enter a victim’s network.

How Did the Malware Work?

Google's security check is the biggest hurdle for extension malware. If Google detects an extension, that detection may tip the company off to a new wave of malware; if the extension makes it through, however, it has a high chance of being distributed far and wide. Users tend to trust Chrome Web Store apps, so a malware developer can ensure a high download rate if they succeed.

This particular strain of malware redirects victims to a website to download an infected file. However, if it linked to the website directly, Google would sniff it out without a problem.


The malware developers evaded this by making a “morphing website.” When a computer made a connection to the website, the website would check to see where it came from.

If the request didn't come from a company or consumer ISP, the visitor was likely an automated system checking whether the site was safe, such as Google's scanner. In that case the website served an innocent landing page so that the virus checker would conclude the site was safe.

If the visitor did come from a company or consumer ISP, however, the website treated it as a human and redirected the user to the "real" website, which displayed the malicious link.

As such, when the developers uploaded the malware to the Chrome Web Store, its virus checker saw the fake landing page and marked the app as safe. Then, when users downloaded it, they saw the real website with the malware payload.


How Far Did the Malware Spread?

Unfortunately, this method was so effective at evading detection that 106 Chrome extensions sneaked past the virus checkers. Collectively, the apps had 32 million downloads—a worrying display of how far these payloads spread.

The malware masqueraded as apps that spot malicious websites or convert file types. These are both highly sought extensions that people download without a second thought, which made them the perfect cover for the payload.

As such, the malware ended up establishing a foothold in 100 different businesses and organizations. This included financial, healthcare, and even governmental organizations, meaning that hackers had a foothold in a wide range of industries.

Because the codebase for each of the apps was very similar, researchers believed one group uploaded all the extensions. They believed that the malware was part of a global surveillance attempt to get a foothold on businesses around the world.

Did You Download the Malware?

If you suspect that you downloaded an infected extension recently, there’s a way to check. First, open up your extensions page by typing chrome://extensions/ into your address bar. Find the extension you suspect may be malicious and note the ID listed underneath it.

[Screenshot: where the extension ID appears on the chrome://extensions page]

Then, compare the ID to the list of malicious Chrome extensions. Because extension IDs are a giant mess of letters, it’s best to press CTRL+F and paste your suspected ID into the box. This will then search the list and notify you if it finds a match.
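The manual check above (read the ID under each extension, then search a list of bad IDs) can be automated on a machine's Chrome profile: Chrome unpacks each installed extension under `<profile>/Extensions/<id>/<version>/manifest.json`, and an ID is always 32 letters from a to p. The script below is an added example, not from the original article; the extension names and blocklist IDs in it are constructed placeholders, not the real malicious list, and `run_demo()` audits a fake profile built in a temporary directory.

```python
import json
import re
import tempfile
from pathlib import Path

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# Constructed sample data: neither the real malicious-ID list nor real extensions.
DEMO_EXTENSIONS = {
    "abcdefghijklmnopabcdefghijklmnop": "Site Safety Checker (constructed)",
    "ponmlkjihgfedcbaponmlkjihgfedcba": "Quick File Converter (constructed)",
}
DEMO_BLOCKLIST = "# constructed IDs\nABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP\nnot-a-valid-id\n"

def parse_blocklist(text):
    """One ID per line; '#' comments, blank lines and malformed entries are ignored."""
    ids = set()
    for line in text.splitlines():
        candidate = line.split("#", 1)[0].strip().lower()
        if EXT_ID_RE.match(candidate):
            ids.add(candidate)
    return ids

def installed_extensions(profile_dir):
    """ID -> name for extensions unpacked under <profile>/Extensions/<id>/<version>/manifest.json."""
    found = {}
    for ext_dir in sorted((Path(profile_dir) / "Extensions").glob("*")):
        if not (ext_dir.is_dir() and EXT_ID_RE.match(ext_dir.name)):
            continue
        manifests = list(ext_dir.glob("*/manifest.json"))
        try:
            name = json.loads(manifests[0].read_text(encoding="utf-8")).get("name", "(unknown)")
        except (IndexError, OSError, ValueError, AttributeError):
            name = "(unknown)"  # missing or unreadable manifest: still report the ID
        found[ext_dir.name] = name
    return found

def flagged_extensions(installed, blocklist):
    """Installed extensions whose ID appears on the blocklist."""
    return {eid: name for eid, name in installed.items() if eid in blocklist}

def run_demo():
    """Write the constructed extensions into a fake profile in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp())
    for eid, name in DEMO_EXTENSIONS.items():
        d = root / "Extensions" / eid / "1.0.0_0"
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps({"name": name}), encoding="utf-8")
    return flagged_extensions(installed_extensions(root), parse_blocklist(DEMO_BLOCKLIST))
```

For a real check, pass your own profile directory (for example `~/.config/google-chrome/Default` on Linux) to `installed_extensions` and the published ID list to `parse_blocklist`; Chrome Web Store extensions only ever appear in the result if their ID is on the list.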

How to Secure Yourself Against These Attacks

This attack is an early warning sign for the future of extension malware. As office tools from Google Docs to Zoom let us work from our browsers, we’re more likely to find extensions that help us work. As such, malware developers are moving to the extension space and creating viruses that claim to help in these areas.

Usually, looking at the download count would be a dead giveaway. Apps with very few downloads and suspicious 5-star reviews would tip you off to a malicious extension. However, as we saw above, download numbers are no longer reliable; after all, 32 million people downloaded this malware!

However, what you can do is only install apps that people trust, or have been around for a long time. When an extension has been around for years and receives a lot of recommendations and positive reviews, you can be certain that it doesn’t have malicious intent.

For example, all our recommendations for Chrome extensions that improve your browsing experience are the real deal, with no malware to worry about.

Keeping Your Chrome Extensions Clean

It’s easy to assume every extension on the Chrome Web Store is safe, but the truth is anything but. If you need an extension, try to rely on the old favorites; that way, you ensure there’s no malware hidden within.

If you want to ensure all your extensions are behaving, be sure to remove any shady Chrome extensions you find installed.


  1. awakening_crowds_salute
    July 21, 2020 at 11:22 pm

    Isn't it the responsibility of Google to protect users' privacy and security with their tech?
    Didn't anyone even notice that there is no "Privacy" category on Google's Chrome Store? Yes, there is no "Privacy" category on the Google Chrome Store. All privacy extensions are listed under the "Productivity" category. Check it out with your own eyes. A privacy extension doesn't have anything to do with productivity in my dictionary!!!
    And ask yourself: "Why do they change even a word's etymological meaning instead of using it properly?" Probably they hate the word "Privacy"..

  2. dragonmouth
    July 17, 2020 at 12:59 pm

    Another serious reason not to use Chrome.

    With Google's history of spying on users, how do we know that the sketchy extensions are not planted in the Chrome App Store by Google?