Gadget Bridge

Google discovered and removed more than 500 malicious Chrome extensions

These extensions affected more than 1.7 million users

The popular search engine Google has removed more than 500 malicious Chrome extensions from its Web Store after a long investigation conducted by Cisco’s Duo Security, Jamila, and Google.

Jamila Kaya, a security researcher, uncovered a large-scale campaign of copycat Chrome extensions that infected users and extracted data through malvertising while attempting to avoid fraud detection on the Google Chrome Web Store. More than 500 malicious Chrome extensions have been detected and removed by Google.

Jamila used CRXcavator, a tool that analyses Chrome extensions, which helped her discover a network of copycat plugins sharing nearly identical functionality. After identifying a few dozen extensions, she reported them to Google. Google and Jamila then searched the entire Chrome Web Store corpus together to find and remove more than 500 related extensions.


A Google spokesperson said, “We appreciate the work of the research community, and when we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses. We do regular sweeps to find extensions using similar techniques, code, and behaviors, and take down those extensions if they violate our policies.”

According to a report published by Duo, these extensions used generic names to mask their true identity and gain access to users’ private browsing data. This is done by showing a malicious advertisement to bypass the Google Chrome Web Store’s fraud detection system.

The few dozen extensions Jamila discovered were found to match across 1.7 million users. This means that more than 1.7 million users were affected, which shows that the malvertising attack was carried out on a large scale.

“Increasingly malicious actors will use legitimate internet activity to obfuscate their exploit droppers or command and control schemas. A very popular way to do this is to utilize advertising cookies and the redirects therein to control callbacks and evade detection. This technique, called ‘malvertising’, has become an increasingly common infection vector in Jamila’s experience, and is still hard to detect today, despite being prominent for years,” the report explained.


Jamila recommends that users regularly audit the extensions they have installed, remove those they no longer use, and report ones they do not recognize. These simple steps will keep you safe.
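One way to carry out the audit recommended above, as an added example (not code from this article, the Duo report or CRXcavator): the script lists every extension under a Chrome profile's `Extensions` directory and shows which ones request broad site access or sensitive browser APIs. The `BROAD_HOSTS` and `SENSITIVE_APIS` lists and the sample extension are assumptions made for this example.

```python
import json
import sys
import tempfile
from pathlib import Path

# Assumption of this example: which grants count as "broad" for a first-pass review.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_APIS = {"cookies", "history", "tabs", "webRequest", "webNavigation"}

def audit_extensions(ext_root):
    """Return one record per installed extension version under ext_root.

    Chrome stores each extension as <ext_root>/<extension id>/<version>/manifest.json.
    """
    records = []
    for manifest_path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort
        # MV2 mixes API names and host patterns in "permissions"; MV3 splits hosts out.
        grants = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
        grants += manifest.get("host_permissions", [])
        for script in manifest.get("content_scripts", []):
            grants += script.get("matches", [])
        records.append({
            "id": manifest_path.parent.parent.name,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "broad_hosts": sorted(BROAD_HOSTS.intersection(grants)),
            "sensitive_apis": sorted(SENSITIVE_APIS.intersection(grants)),
        })
    return records

def write_sample_profile(root):
    """Create a constructed (not real) extension directory for a dry run."""
    manifest = {"name": "Sample Promo Helper", "version": "1.0", "manifest_version": 2,
                "permissions": ["cookies", "tabs", "<all_urls>"]}
    target = Path(root) / ("a" * 32) / "1.0_0"
    target.mkdir(parents=True)
    (target / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

if __name__ == "__main__":
    # Pass the profile's Extensions directory; with no argument, run on the sample.
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:
        write_sample_profile(root)
    for rec in audit_extensions(root):
        print(rec["id"], rec["name"], rec["version"], rec["broad_hosts"], rec["sensitive_apis"])
```

A name printed as `__MSG_...__` is a localization placeholder; the readable name is in the extension's `_locales` folder.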

Komila Singh
Komila is one of the most spirited tech writers at Gadget Bridge and is a senior resource in the company. Always up for a new challenge, she is an expert at dissecting technology and getting to its core. She loves to tinker with new mobile phones, tablets and headphones.