Google Axes 500 Chrome Extensions Exfiltrating User Data

Google has removed more than 500 extensions from the Chrome Web Store after they were found performing covert data exfiltration activities. 


Independent security researcher Jamila Kaya and Cisco’s Duo Labs originally identified a network of 70 copycat plugins with 1.7 million users that were infecting users’ browsers and exfiltrating data. Further investigation led to the identification of more than 500 such extensions.


The applications were marketed as offering advertising as a service, but the developers hid the real functionality from users: connecting the infected browsers to a command and control (C&C) server, exfiltrating users’ private browsing data, and evading the Chrome Web Store’s fraud detection.


The threat actor behind these extensions has been using the same infrastructure for at least one or two years, Cisco’s Duo Labs security researchers say. The plugins had nearly identical source code (only the function names differ), had no ratings, and each referenced a “.com” website whose name was the exact name of the plugin.


Each of these extensions requires a high, nearly identical level of permissions, which allows them to access a large amount of data in the browser. The plugins also contacted identical external sites (except for the “front” sites) and employed sandbox evasion. 


Once installed, the plugins attempt to contact the site referenced by their names at regular intervals, to receive instruction as to whether or not to uninstall. Next, they contact a C&C server, again at regular intervals, for instructions, information on where to upload data, and new domain and feed lists for advertisements and future redirects.


After receiving the new instructions, the plugins upload requested data, update their configuration, and get sent through a redirection stream.
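The traits listed above (broad, near-identical permissions and a homepage domain that mirrors the extension's name) can be checked on installed extensions. The following audit script is an added example, not code from the article or from Duo Labs; the set of permissions it treats as broad is an assumed policy choice, and the two sample manifests are constructed for illustration.

```python
"""Flag Chrome extension manifests that show the traits described above.

Added example; the permission list below is an assumed policy, and the
sample manifests are constructed, not taken from the real campaign.
"""
import json
from urllib.parse import urlparse

# Real Chrome permission names that expose browsing data or traffic to an
# extension. Which ones count as "broad" is an assumption; tune to policy.
BROAD_PERMISSIONS = {
    "<all_urls>", "tabs", "webRequest", "webRequestBlocking",
    "cookies", "history", "webNavigation",
}

# Constructed sample manifests (names and URLs are placeholders).
SAMPLE_SUSPICIOUS = json.dumps({
    "name": "Example Coupon Helper",
    "version": "1.0",
    "permissions": ["<all_urls>", "tabs", "webRequest", "storage"],
    "homepage_url": "https://www.examplecouponhelper.com",
})
SAMPLE_BENIGN = json.dumps({
    "name": "Tab Counter",
    "version": "2.1",
    "permissions": ["tabs"],
    "homepage_url": "https://example.org/tab-counter",
})


def broad_permissions(manifest: dict) -> list:
    """Return the sorted subset of declared permissions that are broad."""
    declared = set(manifest.get("permissions", []))
    declared |= set(manifest.get("host_permissions", []))  # MV3 key
    return sorted(declared & BROAD_PERMISSIONS)


def name_matches_homepage(manifest: dict) -> bool:
    """True when homepage_url's host is '<name>.com' (spaces and case
    ignored), the naming pattern the article describes."""
    name = manifest.get("name", "").replace(" ", "").lower()
    host = urlparse(manifest.get("homepage_url", "")).hostname or ""
    if host.startswith("www."):
        host = host[4:]
    return bool(name) and host == f"{name}.com"


def audit(manifest_json: str) -> list:
    """Return a list of human-readable findings for one manifest."""
    manifest = json.loads(manifest_json)
    findings = []
    perms = broad_permissions(manifest)
    if len(perms) >= 3:
        findings.append("broad permissions: " + ", ".join(perms))
    if name_matches_homepage(manifest):
        findings.append("homepage domain mirrors extension name")
    return findings


def audit_samples() -> dict:
    """Audit the constructed samples; keyed by extension name."""
    return {
        json.loads(m)["name"]: audit(m)
        for m in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN)
    }


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, "->", findings or "no findings")
```

To run this against a real profile, feed each `manifest.json` under the browser's Extensions directory to `audit()`; a result with both findings is a candidate for closer review, not proof of malice, since many legitimate extensions also need `tabs` or `webRequest`.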


Data is uploade ..
