32 Google Chrome extensions discovered to be posing big security risks

Published by
WEB DESK

On June 2, the cybersecurity firm Avast found 32 malicious extensions on the Chrome Web Store, which have a combined 75 million downloads. It is estimated that millions of users are affected worldwide. These extensions serve users unwanted ads on web pages and manipulate search results.

The investigation by the cybersecurity firm began when the researcher Wladimir Palant reported malicious code in the PDF Toolbox extension on May 16. This extension has around 2 million users with an average rating of 4.2 in the Chrome Web Store. The affected extensions offer various functionalities, ranging from adblockers, downloaders, and browser themes to recorders and tab managers.

Palant, however, identified 34 malicious extensions, most of which are listed as ‘featured’, such as Autoskip for Youtube (9 million), Soundboost (6.9 million), Crystal Ad block (6.8 million), Brisk VPN (5.6 million), Clipboard Helper (3.5 million), and Maxi Refresher (3.5 million). But he says the list is not yet complete and needs a thorough search.

The researcher found that the code is hidden by being disguised as an API wrapper. He explained that the code allows the “serasearchtop[.]com” domain to inject arbitrary JavaScript code into any website visited by the user. He found that websites are injected with “arbitrary JavaScript code” for monetisation purposes, which is against the Chrome Web Store policies. He also observed that the code takes 24 hours to activate after the extension is installed.

Avast warns, “The trickiest part about malicious browser extensions is the nature of the tools – the extensions themselves are designed to provide legitimate functionality, which makes them appear harmless at first glance. However, hidden within their code lies obfuscated code of malicious origin. The final payload appears to be an adware that spams people with unwanted ads and a search result hijacker that alters search experiences by displaying sponsored links, paid search results, and potentially malicious links”.

The cybersecurity firm cautions people about the malicious extension, “This example is a reminder that individuals must use caution when installing extensions – even those available on official platforms like the Chrome Web Store. A rule of thumb: Always check the developer’s reputation and read reviews before installing an extension. Also, be wary of extensions that request excessive permissions or seem to have unrelated functionalities”.
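One way to check for the "excessive permissions" mentioned above is to read an extension's `manifest.json` before trusting it. The following is an added example, not code from Avast, Palant or any of the extensions named here; the rule names and the two sample manifests are constructed for illustration.

```javascript
// Added example: static triage of a Chrome extension's manifest.json.
// Match patterns that cover every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// API permissions that, combined with broad host access, allow reading or
// changing pages and traffic on any site.
const SENSITIVE_APIS = new Set(["scripting", "tabs", "webRequest", "webNavigation", "cookies"]);

function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const hostFields = {
    permissions: perms,
    host_permissions: manifest.host_permissions || [],
    optional_host_permissions: manifest.optional_host_permissions || [],
  };
  let broadHost = false;
  for (const [field, list] of Object.entries(hostFields)) {
    for (const value of list) {
      if (BROAD_HOSTS.has(value)) {
        broadHost = true;
        findings.push({ rule: "broad-host-access", field, value });
      }
    }
  }
  // Content scripts declared for every site run on each page load.
  for (const script of manifest.content_scripts || []) {
    for (const value of script.matches || []) {
      if (BROAD_HOSTS.has(value)) {
        findings.push({ rule: "content-script-on-all-sites", field: "content_scripts", value });
      }
    }
  }
  for (const value of perms) {
    if (broadHost && SENSITIVE_APIS.has(value)) {
      findings.push({ rule: "sensitive-api-with-broad-host", field: "permissions", value });
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const RISKY_MANIFEST = { manifest_version: 3, name: "Sample Volume Tool",
  permissions: ["storage", "scripting", "tabs"], host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }] };
const NARROW_MANIFEST = { manifest_version: 3, name: "Sample Site Helper",
  permissions: ["storage", "activeTab"], host_permissions: ["https://example.com/*"] };
console.log(auditManifest(RISKY_MANIFEST), auditManifest(NARROW_MANIFEST));
```

Ad blockers and similar tools legitimately need broad host access, so a finding is a prompt to review the extension's code and publisher, not a verdict.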

Google has taken cognisance of the threat and removed many malicious extensions. But according to Palant, out of 34 reported extensions, only eight extensions are left to be removed by Google. These extensions are Soundboost, Amazing Dark Mode, Awesome Auto Refresh, Volume Frenzy, Leap Video Downloader, Qspeed Video Speed Controller, HyperVolume, and Light picture-in-picture.

The infamous CryptBot malware, which Google says has stolen data from tens of thousands of Chrome browser users over the course of the past year, has also been blocked by the search engine giant.

CryptBot is a particular kind of malware known as an “infostealer”, since it is designed to locate and steal sensitive information from victims’ computers, including login details of social media accounts, cryptocurrency wallets etc.

Cybersecurity concerns continue to pose a serious threat, particularly in nations like India, where many Internet users are not aware of these security problems. Many cybercriminals are figuring out how to con people through messaging services like WhatsApp. Scammers typically attempt to trick users into sharing private OTPs (one-time passwords) or logging onto shady websites.

Cybercriminals are also notorious for using loopholes in software and devices to harm users or infect user devices with malware to steal their data. On June 1, US security experts reported that hackers were stealing the data of several users from the systems of the well-known file transfer tool MOVEit Transfer. A day before, the developer of this software reported a security flaw in it.

Even a new Trojan malware called ‘SpinOk’ was discovered by the researchers at Dr Web in collaboration with BleepingComputer. It reportedly affected as many as 101 applications on Google Play Store.
