Web browsers: malicious code in Chrome extensions with 87 million users

Wladimir Palant, former developer of Adblock Plus, warns in his blog of malicious browser extensions in Google’s Chrome Web Store. Avast has confirmed the findings. Google has since removed a large proportion of the affected browser add-ons from the store. In their web browsers, however, users have to uninstall them themselves.

As Palant explains in his analysis, in addition to one malicious PDF toolbox extension, he has found further extensions with similarly obfuscated malicious code. By last Thursday, he had already tracked down 34 extensions with a combined total of around 87 million users. The most popular are Autoskip for Youtube, Crystal Ad block and Brisk VPN, each with more than five million users. Google has even listed most of these malware add-ons as “Recommended” in the store.

Together with Lukas Andersson, Palant tracked down further malicious extensions by way of the manipulated reviews they used in the Chrome Web Store: the reviews showed similar patterns. By Friday, Google had removed all but eight of the extensions found from the store.

While the extensions do provide the advertised features, the developers have added malicious code to them. It enables the website serasearchtop[.]com to inject arbitrary JavaScript code into all visited websites. This is probably misused to inject advertising, but other malicious attacks are conceivable. So as not to arouse suspicion, the extensions wait 24 hours before they first contact the website that serves the JavaScript, Palant explains in an analysis of the malicious code. He never received the JavaScript that is actually downloaded, however, so he cannot provide more detailed findings on the other malicious functions.

Avast has confirmed Palant’s findings, however, and states that the browser extensions distribute adware and manipulate search results. Due to the low number of ratings, the virus analysts assume that the number of installations was manipulated.

Palant has published the list of extension names and extension IDs in another blog post. Chrome users should check whether they have one or more of the extensions installed and, if so, remove them. According to Palant, Google has not activated automatic uninstallation.
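The check recommended above can be scripted by comparing the extension IDs on disk with a list of flagged IDs. The following is an added example, not code from Palant or Avast: it relies on Chrome's on-disk layout `<profile>/Extensions/<id>/<version>/manifest.json`, and the IDs, names and sample profile in it are constructed placeholders because the article does not reproduce the list.

```python
import json
import re
import tempfile
from pathlib import Path

# Chrome extension IDs are 32 characters from the alphabet a-p.
ID_RE = re.compile(r"^[a-p]{32}$")

def installed_extensions(profile_dir):
    """Yield (extension_id, version_dir, name) for each extension in a Chrome profile."""
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return
    for ext_dir in sorted(ext_root.iterdir()):
        if not ID_RE.match(ext_dir.name):
            continue  # skip temp folders and anything that is not an extension ID
        for manifest in sorted(ext_dir.glob("*/manifest.json")):
            try:
                data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                data = {}  # unreadable manifest: still report the ID
            # The name may be a localisation key such as __MSG_appName__;
            # the ID, not the name, is what gets matched.
            yield ext_dir.name, manifest.parent.name, data.get("name", "?")

def find_flagged(profile_dir, flagged_ids):
    """Return the installed extensions whose ID appears in flagged_ids."""
    flagged = {i.strip().lower() for i in flagged_ids}
    return [e for e in installed_extensions(profile_dir) if e[0] in flagged]

def build_sample_profile(root):
    """Constructed sample profile with two fake extensions (placeholder IDs)."""
    for ext_id, name in (("a" * 32, "Sample PDF Tool"), ("b" * 32, "Harmless Notes")):
        d = Path(root) / "Extensions" / ext_id / "1.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "version": "1.0"}))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        profile = build_sample_profile(tmp)
        # Placeholder blocklist; substitute the IDs from the published list.
        for ext_id, version, name in find_flagged(profile, ["a" * 32]):
            print(f"REMOVE: {name} ({ext_id}, version dir {version})")
```

To check a real installation, pass the profile directory shown as "Profile Path" on `chrome://version` to `find_flagged` together with the published IDs.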

Browser extensions are not often the focus of IT security researchers. About a year ago, a malicious Chrome extension called ChromeLoader became known. It could redirect traffic and siphon data.


(dmk)
