Google has reportedly pulled over 500 malicious Chrome extensions from its Web Store, with some active on the site for over a year. The extensions used the computers of millions of people to commit ad fraud and steal data.
A recent report by Naked Security from Sophos reveals that tech giant Google has pulled over 500 Chrome extensions from its Web Store after researchers discovered that many were stealing browser data and executing click fraud on the computers of millions of users.
Although Google claims to protect its users from fraud and malicious apps, the report makes the startling assertion that many of the illicit extensions remained available in the Web Store for up to a year, with some available to Chrome users for even longer.
Security researcher Jamila Kaya used Duo Security’s CRXcavator tool to spot a handful of extensions that were suspicious. Kaya then connected the extensions to each other in order to identify recurring patterns that could highlight other infected extensions.
Naked Security writes:
The first giveaway was that the extension code often looked like copycats of one another despite small changes to the names of internal functions designed to obscure this.
Another troubling similarity was the number of permissions requested. Enough to allow them to access browsing data and run when visiting websites using HTTPS.
Working with Duo Security, they eventually identified 70 extensions that seemed to be related to one another. All also contacted similar command and control networks and seemed to have been designed to detect and counteract sandbox analysis.
Ad fraud was the biggest activity – contacting domains without the user being aware – as well as redirecting users to malware and phishing domains.
Naked Security notes that many of the extensions had been active for nearly a year with some possibly being around for longer. Google carried out its own investigation and found that over 500 extensions were infected.
Naked Security suggests that users take the following actions to prevent their browsers from becoming infected.
- Install as few extensions as possible and, despite the above, only from official web stores.
- Check the reviews and feedback from others who have installed the extension.
- Pay attention to the developer’s reputation and how responsive they are to questions and how frequently they post version updates.
- Study the permissions they ask for (in Chrome, Settings > Extensions > Details) and check they’re in line with the features of the extension. And if these permissions change, be suspicious.
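One way to carry out the permission check in the last item, as an added example that is not from Naked Security or Duo Security: a Python script that reads an extension's manifest.json, lists the broad host patterns and sensitive APIs it requests, and reports permissions added between two versions. The two permission lists and both sample manifests are assumptions constructed for illustration.

```python
import json

# Illustrative lists (assumptions of this example, not an official classification).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_APIS = {"tabs", "history", "cookies", "webRequest", "webRequestBlocking",
                  "browsingData", "downloads", "management", "proxy"}

def requested_permissions(manifest):
    """Collect every permission string a manifest asks for (MV2 and MV3 layouts)."""
    found = []
    for key in ("permissions", "optional_permissions", "host_permissions"):
        found += manifest.get(key, [])
    # Content scripts run on every page matching these patterns.
    for script in manifest.get("content_scripts", []):
        found += script.get("matches", [])
    return {p for p in found if isinstance(p, str)}

def audit(manifest):
    """Split the requested permissions into the two groups worth a second look."""
    perms = requested_permissions(manifest)
    return {"broad_hosts": sorted(perms & BROAD_HOSTS),
            "sensitive_apis": sorted(perms & SENSITIVE_APIS)}

def permission_changes(old, new):
    """Permissions present in the new version but not in the old one."""
    return sorted(requested_permissions(new) - requested_permissions(old))

# Constructed sample manifests: the same hypothetical extension before and after an update.
OLD = json.loads("""{"name": "Example Coupon Finder", "version": "1.0",
  "manifest_version": 2,
  "permissions": ["storage", "https://coupons.example/*"]}""")
NEW = json.loads("""{"name": "Example Coupon Finder", "version": "1.1",
  "manifest_version": 2,
  "permissions": ["storage", "tabs", "webRequest", "<all_urls>"],
  "content_scripts": [{"matches": ["https://*/*"], "js": ["content.js"]}]}""")

if __name__ == "__main__":
    print("audit of 1.1:", audit(NEW))
    print("added since 1.0:", permission_changes(OLD, NEW))
```

A coupon extension that starts asking for every HTTPS site plus tabs and webRequest no longer matches its stated feature, which is the mismatch the advice above says to treat as suspicious.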
Read the full report at Naked Security here.