Google’s Chrome Web Store has been hit by the largest surveillance campaign reported to date. As of May 2020, the campaign had stolen data from users around the world through malicious extensions that were downloaded more than 32 million times.
The Awake Security Threat Research Group released a study that found a large-scale global surveillance campaign exploiting the Internet domain registration system and browser capabilities to monitor and steal data from users across multiple regional and industry segments. The research shows that this criminal activity was facilitated by a single Internet domain registrar: CommuniGal Communication Ltd. (GalComm).
The report added that GalComm had enabled the malicious activity by exploiting its trusted position as a domain name registrar, and that the activity had been detected on more than 100 of the networks inspected. Even in sophisticated organizations that have invested heavily in network security, the malicious activity was able to stay hidden by bypassing multiple layers of security controls.
In its report, Awake noted that there were 26,079 accessible domains registered with GalComm, of which more than 15,000 domains were malicious or suspicious.
In the past three months alone, Awake has collected 111 malicious or fake Chrome extensions using GalComm domains, which serve as the attacker’s command-and-control infrastructure and/or as the extensions’ loader pages. These extensions can take screenshots, read the clipboard, obtain credential tokens stored in cookies or parameters, and capture users’ keystrokes (such as passwords).
Figure: Example of a lure page prompting the installation of a malicious Chrome extension
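As an added defender-side example (not code from Awake Security or from the article), the following Python script triages a Chrome extension manifest for the permissions that grant the capabilities listed above and for references to domains on a watch list, such as one derived from a registrar's suspicious domains; the sample manifest and the `update.example` domain are constructed placeholders, not real indicators.

```python
"""Triage a Chrome extension manifest for the capabilities named in the
Awake report (screenshots, clipboard reads, cookie access, keystroke capture)
and for references to domains on a watch list.
Added example; the sample manifest and watch-list domain are constructed."""
import json
import re
from urllib.parse import urlparse

# Manifest permissions that grant each reported capability.
CAPABILITY_PERMISSIONS = {
    "screenshots": {"tabs", "activeTab", "desktopCapture", "tabCapture"},
    "clipboard": {"clipboardRead"},
    "cookies": {"cookies"},
}
# Content scripts injected into every page can observe keystrokes on every site.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def declared_permissions(manifest):
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))      # manifest v3
    for script in manifest.get("content_scripts", []):
        perms |= set(script.get("matches", []))
    return perms

def referenced_hosts(manifest):
    """Hostnames from every URL-like string anywhere in the manifest."""
    hosts = set()
    for url in re.findall(r"https?://[^\s\"'<>]+", json.dumps(manifest)):
        host = urlparse(url).hostname or ""
        hosts.add(host[2:] if host.startswith("*.") else host)  # drop match-pattern wildcard
    return hosts - {""}

def triage(manifest, watch_domains):
    perms = declared_permissions(manifest)
    caps = {c for c, grant in CAPABILITY_PERMISSIONS.items() if perms & grant}
    if perms & BROAD_MATCHES:
        caps.add("keystrokes")
    hits = {h for h in referenced_hosts(manifest)
            if any(h == d or h.endswith("." + d) for d in watch_domains)}
    return {"capabilities": sorted(caps), "watchlist_hits": sorted(hits)}

# Constructed sample manifest and placeholder watch-list domain (not real IoCs).
SAMPLE_MANIFEST = {
    "name": "Example Helper", "manifest_version": 2,
    "permissions": ["tabs", "cookies", "clipboardRead", "https://*.update.example/*"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    "update_url": "https://cdn.update.example/updates.xml",
}
WATCH_DOMAINS = ["update.example"]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST, WATCH_DOMAINS), indent=2))
```

Run it against the manifests under a user's extension directory to get a quick list of which installed extensions combine broad page access with cookie, clipboard or screen-capture permissions and which reference watch-listed domains.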
As of May 2020, the 111 malicious extensions had 32,962,951 downloads. Awake said it has partnered with Google to remove the extensions from the Chrome Web Store.
In response, GalComm’s head, Moshe Fogel, told Reuters that “GalComm is not involved in any malicious activity, and on the contrary, we work with law enforcement and security agencies to prevent it as best we can.” After Awake Security published its report listing all the suspect domain names, Moshe Fogel also said that their usage was almost inactive and that the other domain names would continue to be investigated.
More information about the report can be found at: https://www.blog/the-internets-new-arms-dealers-malicious-domain-registrars/