Malicious Chrome, Edge extensions with 3M installs still in stores

Malicious Chrome and Edge browser extensions with over 3 million installs, most of them still available on the Chrome Web Store and the Microsoft Edge Add-ons portal, are capable of stealing users' info and redirecting them to phishing sites.

The malware-laced extensions found by Avast Threat Intelligence researchers are designed to look like helper add-ons for Instagram, Facebook, Vimeo, and other high-profile online platforms.

Malicious activity going back at least two years

While Avast spotted the extensions in November 2020, the company estimates that they could have been used for malicious purposes for years, given that some Chrome Web Store reviewers have reported link hijacking since December 2018.

Malicious code for delivering additional malware payloads on the users' systems was also detected by Avast researchers.

"Anytime a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit," the report says.

"The actors also exfiltrate and collect the user’s birth dates, email addresses, and device information, including first sign in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location history of the user)."

The end goal of the threat actors behind these web browser extensions is to monetize the users' traffic by automatically redirecting them to third-party domains.

However, as already mentioned above, these extensions are also able to redirect infected targets to sites filled with ads or used as phishing landing pages.

Hard to spot malicious activity

"The extensions' backdoors are well-hidden and the extensions only start to exhibit malicious behavior days after installation, which made it hard for any security software to discover," Avast malware researcher Jan Rubín explained.

Because it can hide, the malware injected into the extensions has been a lot harder for both researchers and infected users to detect.

Among the tactics used to evade detection, the malware will monitor what the victims search and will not activate if they are looking for info on one of its domains.

It will also avoid infecting web developers who have the knowledge to spot it and examine the extensions' malicious background activity.

The full list of malicious Chrome and Edge extensions found by Avast, some of them still available for download, can be found below.

Direct Message for Instagram
Direct Message for Instagram™
DM for Instagram
Invisible mode for Instagram Direct Message
Downloader for Instagram (1,000,000+ users)
Instagram Download Video & Image
App Phone for Instagram
App Phone for Instagram
Stories for Instagram
Universal Video Downloader
Universal Video Downloader
Video Downloader for FaceBook™
Video Downloader for FaceBook™
Vimeo™ Video Downloader (500,000+ users)
Vimeo™ Video Downloader
Volume Controller
Zoomer for Instagram and FaceBook
VK UnBlock. Works fast.
Odnoklassniki UnBlock. Works quickly.
Upload photo to Instagram™
Spotify Music Downloader
Stories for Instagram
Upload photo to Instagram™
Pretty Kitty, The Cat Pet
Video Downloader for YouTube
SoundCloud Music Downloader
The New York Times News
Instagram App with Direct Message DM

"Our hypothesis is that either the extensions were deliberately created with the malware built-in, or the author waited for the extensions to become popular, and then pushed an update containing the malware," Avast malware researcher Jan Rubín concluded.

"It could also be that the author sold the original extensions to someone else after creating them, and then the buyer introduced the malware afterward."

Both Microsoft and Google are currently looking into Avast's findings but, until the extensions are removed, users should disable or uninstall them and then scan for any malware infections.
