Security researcher Jamila Kaya, who monitors the web daily for signs of digital threats, stumbled upon a large malware operation built on Google Chrome extensions. The discovery triggered a two-month investigation that led Google to remove more than 500 extensions from the Chrome Web Store. Unfortunately, the first batch of problem extensions she found had already been installed by more than 1.7 million Chrome users.
Infographic (from: Google, via BGR)
The newly released report reveals a large-scale malicious campaign that has been running for at least two years and remains active.
Jamila Kaya first contacted the Cisco Duo security team with a number of questions about the Chrome extensions she had found.
It turned out that these extensions infected users' browsers and were part of a larger operation that also exfiltrated user data.
The report notes that these extensions were typically marketed as 'advertising as a service'. Kaya found that they belonged to a network of copycat plug-ins that shared nearly identical functionality.
Working together, the security team used CRXcavator.io to study dozens of extensions, eventually identifying 70 extensions that matched the same pattern, with a combined 1.7 million users, and then reported the findings to Google.
The Duo team added: “Others are increasingly wearing legitimate cloaks to cover up their malicious behaviour on the Internet.”
The most heavily abused capabilities were advertising cookies and the redirects embedded in them. Because this is a 'malvertising' technique, it is hard to spot from the outside.
Malvertising appears in a variety of forms across other campaigns, including ad fraud, data theft, phishing, and surveillance and exploitation.
It is also common in malicious campaigns built around ad fraud and scams.
The code in these malicious extensions reportedly redirected users at times to affiliate (rebate) links for retailers such as Best Buy and Macy's, and at other times to sites that may host malware.
Google responded to the report. A company spokesperson said Google issues warnings and takes action when it finds extensions that violate its policies.
In addition, the company runs regular proactive scans to check whether other extensions use similar techniques or abuse code in the same way.
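To make the redirect-and-cookie pattern described above concrete, here is an added example in Python; it is not code from Duo, CRXcavator, Google, or the original article. It triages an unpacked extension by reading its manifest.json for the permissions such an extension needs (webRequest, cookies, broad host access) and scanning its background script for webRequest redirects and cookie writes. The sample manifest, the sample script, the permission weights, the indicator patterns and the score threshold are all constructed for illustration and are not taken from any real extension.

```python
import json
import re

# Constructed sample manifest (not from any real extension): the permission
# set a redirect/cookie-abusing "ad as a service" extension would need.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example Deals Helper",
    "version": "1.0.3",
    "permissions": ["webRequest", "webRequestBlocking", "cookies", "tabs", "<all_urls>"],
    "background": {"scripts": ["bg.js"]},
})

# Constructed background script: rewrites requests to a retailer into an
# affiliate link and drops a tracking cookie. example.invalid is a placeholder.
SAMPLE_BACKGROUND_JS = """
chrome.webRequest.onBeforeRequest.addListener(function (d) {
  if (d.url.indexOf("macys.com") !== -1) {
    return {redirectUrl: "https://example.invalid/redir?aff=1234&u=" + encodeURIComponent(d.url)};
  }
}, {urls: ["<all_urls>"]}, ["blocking"]);
chrome.cookies.set({url: "https://example.invalid", name: "aff", value: "1234"});
"""

# Constructed benign extension for comparison: local storage only, no network hooks.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Notes",
    "version": "0.1",
    "permissions": ["storage"],
})
BENIGN_JS = "chrome.storage.local.set({notes: []});"

# Illustrative weights: permissions that let an extension intercept, rewrite
# or track traffic score higher than ones that only observe tabs.
RISKY_PERMISSIONS = {
    "webRequest": 2,
    "webRequestBlocking": 3,
    "cookies": 2,
    "tabs": 1,
    "<all_urls>": 3,
    "proxy": 3,
}

# Source-level indicators of the redirect/cookie behaviour (regex, description).
REDIRECT_PATTERNS = [
    (r"chrome\.webRequest\.onBeforeRequest", "intercepts requests before they are sent"),
    (r"redirectUrl\s*:", "returns a redirectUrl from a webRequest listener"),
    (r"chrome\.cookies\.(set|remove)", "writes or deletes cookies"),
    (r"chrome\.tabs\.update\([^)]*url\s*:", "rewrites a tab's URL"),
]


def score_manifest(manifest_text):
    """Return {permission: weight} for every risky permission the manifest requests."""
    manifest = json.loads(manifest_text)
    perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    return {p: RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS}


def find_redirect_indicators(js_text):
    """Return the descriptions of every redirect/cookie pattern found in the script."""
    return [desc for pattern, desc in REDIRECT_PATTERNS if re.search(pattern, js_text)]


def triage(manifest_text, js_text, threshold=6):
    """Combine permission weights and source indicators into a review verdict."""
    perm_hits = score_manifest(manifest_text)
    indicators = find_redirect_indicators(js_text)
    score = sum(perm_hits.values()) + 2 * len(indicators)
    return {
        "permissions": perm_hits,
        "indicators": indicators,
        "score": score,
        "verdict": "review" if score >= threshold else "low",
    }


if __name__ == "__main__":
    for name, manifest, js in (("sample", SAMPLE_MANIFEST, SAMPLE_BACKGROUND_JS),
                               ("benign", BENIGN_MANIFEST, BENIGN_JS)):
        print(name, json.dumps(triage(manifest, js), indent=2))
```

Permission heuristics alone are noisy, since legitimate ad blockers and privacy tools request the same webRequest and cookies permissions; pairing them with source-level indicators, as the triage function does, is what separates the sample from the benign extension here. Real reviewers would also unpack the CRX, check for obfuscated or remotely fetched code, and compare the redirect targets against known affiliate and malware-hosting domains, none of which this small example attempts.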