Google has removed 49 malicious Chrome extensions from its Web Store following concerns that they were stealing cryptocurrency.
As reported by ZDNet (opens in new tab), the malicious extensions all posed as cryptocurrency wallet apps but were actually stealing private keys to crypto-wallets as well as users' cryptocurrency.
The extensions were uncovered by MyCrypto's director of security Harry Denley, who noted that all 49 offerings appear to have been created by either the same person or group of people, believed to be a Russian-based threat actor. Additionally all of the extensions have the same functionality but their branding changes based on who they are targeting.
- Hundreds more malicious Google Chrome extensions taken down
- Hackers impersonate top VPN to steal cryptocurrency
- These are the best mining PCs
Denley was able to identify malicious extensions impersonating many well known crypto-wallet apps including Ledger, Trexor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus and KeepKey.
Malicious crypto-wallet extensions
All of the 49 malicious extensions function almost identically to legitimate ones except for the fact that any data entered by a user while setting them up was sent to the attacker's servers or to a Google Form.
While the attackers already have all of the information they need to start stealing users' cryptocurrency, Denley conducted a test in which he found that the funds from his crypto-wallet were not immediately stolen. He believes this is because the threat actor is either interested in only stealing from high-value targets or they haven't figured out how to automate the operation and need to manually access each account.
In a Medium post (opens in new tab), MyCrypto explained that there has been an increase in malicious extensions targeting cryptocurrency over the past few months, saying:
“An analysis from our dataset suggests the malicious extensions started to hit the store slowly in February 2020, increased releases through March 2020, and then rapidly released more extensions in April 2020. This means that either our detection is getting much better, or that the number of malicious extensions hitting browser stores to target cryptocurrency users is growing exponentially. An analysis from our dataset suggests Ledger is the most targeted brand — without speculating, it’s hard to say why.”
Since the threat actor behind these malicious extensions has yet to be caught, they may likely try to launch a similar scheme in the future.
- We've featured the best antivirus apps for Android (opens in new tab).
- Also check out these best privacy apps for Android (opens in new tab).
Via ZDNet (opens in new tab)
