Google recently announced the removal of more than 500 malicious Chrome extensions from the official Chrome Web Store, following a two-month investigation by security researcher Jamila Kaya and the Cisco Duo Security team. The extensions injected malicious ads into users’ browsing sessions.
The malicious code injected by these extensions activates only under certain conditions and then redirects the user to a specific page. In some cases the redirect destination is an affiliate link to a legitimate site such as Macy’s, Dell or Best Buy; in others it is a malicious site, such as a malware download page or a phishing page.
According to a report shared by the Duo Security team and Jamila Kaya, these malicious extensions had been active for at least two years. Kaya first noticed them during a routine threat hunt, when she observed that they were contacting malicious websites through a common URL pattern.
Using CRXcavator, a service for analyzing Chrome extensions, Kaya identified the original cluster of extensions. They shared almost identical code bases but were published under a variety of generic names that gave little indication of their real purpose.
Kaya told us: “I’ve identified a dozen extensions that use this sharing model on my own. After contacting Duo, we were able to quickly fingerprint and discover the entire network using CRXcavator’s database.” According to Duo, the initial set of extensions had been installed by more than 1.7 million Chrome users.
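The fingerprinting approach described above, namely clustering extensions whose code is identical apart from their listing metadata and pivoting on the hosts they contact, can be illustrated with a small added example. This is not code from the article, from Duo or from CRXcavator; the extension contents, ids and the `cfg.example-adnet.invalid` host are constructed for the demonstration.

```python
import hashlib
import json
import re
from collections import defaultdict

# Constructed sample: extension id -> {relative file path: file content}.
# Three clones ship the same code under generic names; the fourth is unrelated.
_BG = ('fetch("https://cfg.example-adnet.invalid/c").then(r => r.json())'
       '.then(j => { if (j.go) chrome.tabs.update({url: j.go}); });')

def _manifest(name, version):
    return json.dumps({"manifest_version": 2, "name": name, "version": version,
                       "permissions": ["tabs", "<all_urls>"],
                       "background": {"scripts": ["bg.js"]}})

SAMPLE_EXTENSIONS = {
    "aaaa": {"manifest.json": _manifest("Weather Tool", "1.0.3"), "bg.js": _BG},
    "bbbb": {"manifest.json": _manifest("Page Helper", "2.1.0"), "bg.js": _BG},
    "cccc": {"manifest.json": _manifest("Quick Notes", "0.9.1"), "bg.js": _BG},
    "dddd": {"manifest.json": _manifest("Real Tool", "1.0.0"),
             "bg.js": 'chrome.runtime.onInstalled.addListener(() => console.log("hi"));'},
}

# Manifest fields that clone operators change between listings; ignored when hashing.
VOLATILE_KEYS = ("name", "short_name", "version", "description", "icons")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def fingerprint(files):
    """SHA-256 over the whole code base with the volatile manifest fields removed."""
    h = hashlib.sha256()
    for path in sorted(files):
        content = files[path]
        if path == "manifest.json":
            manifest = json.loads(content)
            for key in VOLATILE_KEYS:
                manifest.pop(key, None)
            content = json.dumps(manifest, sort_keys=True)
        h.update(f"{path}\0{content}\0".encode())
    return h.hexdigest()

def cluster_clones(extensions):
    """Group extension ids whose normalised code bases are byte-identical."""
    groups = defaultdict(list)
    for ext_id, files in extensions.items():
        groups[fingerprint(files)].append(ext_id)
    return {fp: sorted(ids) for fp, ids in groups.items() if len(ids) > 1}

def shared_hosts(extensions):
    """Hosts referenced by more than one extension: a pivot for finding further
    members of a network once one sample and its URL pattern are known."""
    seen = defaultdict(set)
    for ext_id, files in extensions.items():
        for content in files.values():
            for host in URL_RE.findall(content):
                seen[host].add(ext_id)
    return {host: sorted(ids) for host, ids in seen.items() if len(ids) > 1}
```

Against a real corpus the same two functions run over unpacked `.crx` directories; exact-match hashing is deliberately strict, so lightly repacked clones need a fuzzier comparison on top.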
Kaya says the findings were then reported to Google, which searched its store for further extensions matching the same pattern and removed more than 500 in total. It is unclear how many users had installed the 500-plus malicious extensions, but the number could run into the millions.