Malicious Chrome and Edge browser extensions with over 3 million installs, most of them still available on the Chrome Web Store and the Microsoft Edge Add-ons portal, are capable of stealing users' info and redirecting them to phishing sites.
The malware-laced extensions found by Avast Threat Intelligence researchers are designed to look like helper add-ons for Instagram, Facebook, Vimeo, and other high-profile online platforms.
While Avast spotted the extensions in November 2020, they estimate that they could have been used for malicious purposes for years given that some Chrome Web Store reviewers have reported link hijacking starting with December 2018.
Malicious code for delivering additional malware payloads on the users' systems was also detected by Avast researchers.
"Anytime a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit," the report says.
"The actors also exfiltrate and collect the user’s birth dates, email addresses, and device information, including first sign in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location history of the user)."
The end goal of the threat actors behind these web browser extensions is focused on monetizing the users' traffic by automatically redirecting them to third-party domains.
However, as already mentioned above, these extensions are also able to redirect infected targets to sites filled with ads or used as phishing landing pages.
"The extensions' backdoors are well-hidden and the extensions only start to exhibit malicious behavior days after installation, which made it hard for any security software to discover," Avast malware researcher Jan Rubín explained.
Since it can hide, the malware injected within the extensions has made it a lot harder for both researchers and infected users.
Among the tactics used to evade detection, the malware will monitor what the victims search and will not activate if they are looking for info on one of its domains.
It will also avoid infecting web developers who have the knowledge to spot it and examine the extensions' malicious background activity.
The full list of malicious Chrome and Edge extensions found by Avast, some of them still available for download, can be found below.
"Our hypothesis is that either the extensions were deliberately created with the malware built-in, or the author waited for the extensions to become popular, and then pushed an update containing the malware," Avast malware researcher Jan Rubín concluded.
"It could also be that the author sold the original extensions to someone else after creating them, and then the buyer introduced the malware afterward."
Both Microsoft and Google are currently looking into Avasy's findings but, until they are removed, users should disable or uninstall the extensions and then scan for any malware infections