A host of malicious Google Chrome extensions with 75 million installs have been removed

Silhouette of a hand holding a padlock infront of the google chrome logo
(Image credit: Shutterstock / Ink Drop)

Late last week, Google confirmed removing 34 malicious extensions from its Chrome Web Store. The extensions were capable of injecting ads into pages and exfiltrating sensitive data from compromised endpoints. In total, the extensions were downloaded more than 75 million times.

As reported by BleepingComputer, the malware was first spotted by cybersecurity researcher Wladimir Palant who, after analyzing the PDF Toolbox extension, discovered that it included a hidden code.

This allowed a domain called serasearchtop[.]com to inject arbitrary JavaScript code into any website that the user visits. The code would activate 24 hours after the extension was installed - typical malware behavior, the publication said.

Millions of users

Palant quickly discovered more malicious extensions, bringing the number up to 18. At first, he wasn’t able to determine any malicious activity, although the speculation was that the extensions injected ads into websites.

Soon after that, cybersecurity researchers from Avast chimed in, expanding the list to 32 entries in total. Some of the most popular extensions include Autoskip for YouTube which has 9 million active users, Soundboost with 6.9 million, and Crystal Ad block with 6.8 million.

The full list of the malicious extensions can be found on here. Palant says 34 extensions in total were found to be malicious. User reviews on the Web Store suggest that the extensions were redirecting users to different websites, hijacking search results, and displaying unwanted ads. 

Google has responded to inquiries on the matter, claiming the reported extensions were removed from the store.

“The Chrome Web Store has policies in place to keep users safe that all developers must adhere to," the Google representative told BleepingComputer.

While the extensions have been removed from the store, users are still vulnerable until they remove them from their endpoints manually, so if you have any, make sure to remove them as soon as possible.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.