Hundreds more malicious Google Chrome extensions taken down

(Image credit: Pixabay)

Google has removed over 500 malicious Chrome extensions from its official Web Store.

The extensions, which have now been removed from the Web Store and deactivated in users' browsers, injected malicious ads into users' web browsing sessions. The malicious code injected by the extensions was set to activate under certain conditions and redirect users to specific sites.

While at times the extensions would lead users to legitimate sites such as Macy's, Dell or BestBuy through affiliate links, they also led users to known malware download sites or phishing pages.

According to a new report from Cisco's Duo Security team and independent security researcher Jamila Kaya, the extensions were part of a larger malware operation that has been active for at least two years. However, the research team behind the report also believes the group behind this operation may have been active since the early 2010s.

Malicious Chrome extensions

The operation was discovered by Jamila Kaya who first found the malicious extensions while threat hunting when she noticed a common URL pattern in visits to malicious sites.

Kaya then used a service for analyzing Chrome extensions called CRXcavator that helped her locate the initial group of extensions which share a nearly identical codebase but used generic names to mask their true activity. She provided further insight on her discovery in an interview with ZDNet in which she said:

"Individually, I identified more than a dozen extensions that shared a pattern. Upon contacting Duo, we were able to quickly fingerprint them using CRXcavator's database and discover the entire network. We subsequently reached out to Google with our findings, who were receptive and collaborative in eliminating the extensions." 

According to Cisco Duo, the first set of extensions was installed by over 1.7m Chrome users. However, Google launched its own investigation and found even more extensions that fit the same pattern which led to the search giant banning over 500 extensions.

Google has removed the malicious Chrome extensions from its official Web Store as well as deactivated them inside users' browsers to prevent even more users from falling victim to this malvertising scam.

Via ZDNet

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.