Google Removes Malicious Chrome Extensions With Over 500K Installs

google chrome extensions malicious

Chrome isn’t Chrome without the cool and nifty extensions that help you get the most of the browser experience. But this very fact can also be exploited by malicious coders to intrude on your PC and personal info.

Well, the researchers over at security firm ICEBRG identified 4 malicious extensions, with a total of about 500k downloads, by observing an unexpected spike in outbound traffic volume from a customer’s computer. They backtracked the requests the extensions were sending through the browsers to pinpoint what all extensions were acting out of line.

chrome extension

This hunt led the researchers to the first malicious extension, an extension called Change HTTP Request Header. The other three extensions uncovered to be a part of the malicious activity were Nyoogle, Stickies, and Lite Bookmarks. They suspect that these extensions were part of a “click-fraud scam”, which provided the intruders with monetary gains based on the total number of clicks.

But the researchers point out that the extensions weren’t themselves the ones to include the malicious code or spread the same across your systems. It added that there were 2 points of concern with the said extensions, which enabled the code injection and execution, by combining it with a file fetched from an external server. ICEBRG explained the functioning of the malicious extensions in its official blog as under:

“By design, Chrome’s JavaScript engine evaluates (executes) JavaScript code contained within JSON. Due to security concerns, Chrome prevents the ability to retrieve JSON from an external source by extensions, which must explicitly request its use via the Content Security Policy (CSP).

When an extension does enable the ‘unsafe-eval’ permission to perform such actions, it may retrieve and process JSON from an externally-controlled server. This creates a scenario in which the extension author could inject and execute arbitrary JavaScript code anytime the update server receives a request”

All the infected extensions, reported privately by ICEBRG have now been removed from the Chrome Web Store. They also reported the malicious extensions to both the National Cyber Security Centre in the Netherlands and the US-CERT.

With the insistent reports of new malicious programs trying to infect the computers, it has become increasingly essential for tech giants to strictly enforce cyber-security features into their software. Chrome is touted to be one of the most secure browsers but as you can see it is also not completely free from the reach of intruders. So, if you’d any of the extensions downloaded on your browser, I’d suggest you perform a clean install.

comment Comments 0
Leave a Reply