Report: Chrome extensions hiding spyware were downloaded more than 32 million times

The extensions claimed to protect users from dangerous sites. But they actually did quite the opposite.


New research has uncovered more than one hundred extensions for Google Chrome that covertly stole users' login credentials and browsing history. Cybersecurity firm Awake Security discovered the malicious extensions, which purported to protect users by monitoring for suspicious sites and were downloaded over 32 million times in aggregate.

Déjà vu — Google removed most of the extensions after they were unmasked as fraudulent, but the case is yet another example of dangerous malware making its way onto the Chrome Web Store. Earlier this year Google had to remove 49 extensions after they were found to be stealing cryptocurrency by pretending to be official wallets from legitimate companies. The fake wallets would ask users to log in to a legitimate provider and then, once authenticated, send their private wallet keys to a Russia-based hacker.

An example of a malicious extension identified by Awake Security.

The new malware — Awake Security says the implications of extension-based malware are particularly fraught today as business applications increasingly move from the OS level to the browser. Google Docs, Zoom, Facebook, and Slack all offer web-based versions, and all are used to transmit sensitive communications. Some of the malicious extensions Awake discovered were capable of capturing screenshots and logging a user's keystrokes, passively sending data off to remote servers. To avoid detection by security software that labels domains as suspicious, the extensions routed their traffic through several domains before reaching the final destination.

Awake calls malicious browser extensions "the new attacker rootkit," giving an attacker virtually unfettered access to a victim's business and personal life. Browser extensions could be used for government espionage or by organized crime to steal banking credentials.

Some blame for the incident was placed on GalComm, an Israel-based domain registrar. Many of the domains used to siphon off data through the extensions were registered through GalComm, and Awake says the firm ignored its communications alerting GalComm to the malicious activity.

Google, predictably, told Reuters in a statement that it is using information found in the code of the malicious extensions in order to learn and better detect suspicious software in the future.

Use common sense — The takeaway here is that downloading browser extensions comes with the same security risks as desktop applications. Google does not vet everything that arrives on its Web Store, so you need to use some of your own common sense when downloading extensions. Don't install anything that looks sketchy or doesn't come from a reputable firm, and maybe take a look through all the extensions you've installed in the past and delete anything you're not using. Enabling two-factor authentication will also help block attackers from using any credentials they're able to grab.
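One way to act on that last piece of advice is to audit the manifests of the extensions already installed in a Chrome profile and flag the permissions that enable the behaviour described in the report (reading every page, browsing history, tabs, screen capture). This is an added example, not code from the article or from Awake Security; the list of risky permissions, the profile-directory layout and the sample manifests are assumptions constructed here.

```python
"""Audit Chrome extension manifests for permissions that enable spyware-like behaviour.

Added example (not from the article). RISKY_PERMISSIONS is a hand-picked
assumption; the two sample manifests below are constructed for illustration.
"""
import json
import sys
from pathlib import Path

# Manifest permissions that grant the capabilities the report describes.
RISKY_PERMISSIONS = {
    "<all_urls>": "run scripts and read data on every site",
    "tabs": "read URLs and titles of every open tab",
    "history": "read full browsing history",
    "webRequest": "observe all HTTP traffic",
    "webRequestBlocking": "modify all HTTP traffic",
    "desktopCapture": "capture the screen",
    "clipboardRead": "read the clipboard",
    "cookies": "read session cookies for visited sites",
}

def assess_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one parsed manifest.json."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))      # Manifest V3 host access
    perms |= set(manifest.get("optional_permissions", []))
    for script in manifest.get("content_scripts", []):      # pages the scripts run on
        perms |= set(script.get("matches", []))
    findings = []
    for perm in sorted(perms):
        if perm in RISKY_PERMISSIONS:
            findings.append(f"{perm}: {RISKY_PERMISSIONS[perm]}")
        elif perm.startswith(("*://*/", "http://*/", "https://*/")):
            findings.append(f"{perm}: runs on every site")
    return findings

def scan_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and assess each one."""
    results = {}
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        results[ext_id] = assess_manifest(json.loads(manifest_path.read_text("utf-8")))
    return results

# Constructed samples: a harmless theme and an extension resembling the ones in the report.
BENIGN = {"name": "Dark Theme", "permissions": ["storage"]}
SUSPICIOUS = {"name": "SafeSite Guard",
              "permissions": ["tabs", "history", "webRequest", "<all_urls>"],
              "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. ~/.config/google-chrome/Default/Extensions
        for ext_id, findings in scan_profile(Path(sys.argv[1])).items():
            print(ext_id, findings or "no risky permissions")
    else:
        print("benign:", assess_manifest(BENIGN))
        print("suspicious:", assess_manifest(SUSPICIOUS))
```

Pass the profile's `Extensions` directory as the first argument to scan a real installation; without an argument the script assesses the two constructed manifests.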