Malicious Chrome Extensions Masquerading as VPNs Infect 1.5 Million Users

In a recent discovery, three deceitful Chrome extensions, posing as VPNs (Virtual Private Networks), have been downloaded a staggering 1.5 million times.

These extensions, initially appearing as browser hijackers, cashback hack tools, and data stealers, have raised significant security concerns.

ReasonLabs, a cybersecurity company, promptly notified Google of its findings, prompting the removal of the malicious extensions from the Chrome Web Store.

Unfortunately, the removal came only after the extensions had already amassed 1.5 million downloads.

AV check (Image by ReasonLabs)

Characteristics and Properties of the Malware

One noteworthy aspect of the malicious extension is the deceptive use of a realistic VPN user interface, complete with certain functionalities and a paid subscription option, creating a false sense of authenticity among users.

Code analysis further reveals that the extensions possess extensive access rights, including permissions such as “tabs,” “storage,” “proxy,” “webRequest,” and “cookies.”

Notably, the “offscreen” permission is exploited to let the malware run scripts through the Offscreen API, interacting stealthily with the current DOM (Document Object Model) of open web pages.

This heightened access allows the malicious extensions to engage in various malicious activities like:

  • stealing sensitive user data
  • performing browsing hijacks
  • manipulating web requests
  • disabling other browser extensions
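The permission set above is what an audit should look for. The following script is an added example, not ReasonLabs' tooling or any code from the extensions themselves: it reads Chrome extension manifests (MV2 or MV3) and flags the permissions the article names, plus broad host access. The two manifests it ships with are constructed samples, the scoring thresholds are a constructed heuristic, and the “management” permission is an assumption not named in the article (it is the permission an extension needs to disable other extensions).

```python
"""Audit Chrome extension manifests for the permission set the article describes.

Added example (not ReasonLabs' tooling). The two manifests below are
constructed samples, not the real extensions' manifests.
"""
import json
from pathlib import Path

# Permissions the article lists for the fake VPN extensions, with why each matters.
# "management" is an assumption not named in the article: it is the permission
# an extension needs to disable other extensions (chrome.management API).
HIGH_RISK_PERMISSIONS = {
    "tabs": "enumerate open tabs and read their URLs and titles",
    "storage": "keep persistent state (benign alone, useful for staging stolen data)",
    "proxy": "route all browser traffic through a server of the extension's choosing",
    "webRequest": "observe and modify network requests in flight",
    "cookies": "read and write cookies, including session cookies",
    "offscreen": "run scripts in a hidden offscreen document",
    "management": "disable or uninstall other extensions",
}

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> dict:
    """Return a small risk record for one manifest (MV2 or MV3)."""
    declared = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # MV3 puts host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {p for p in declared if "/" in p or p == "<all_urls>"}
    risky = sorted(declared & HIGH_RISK_PERMISSIONS.keys())
    broad = sorted(hosts & BROAD_HOST_PATTERNS)
    # Constructed heuristic: one point per risky API permission, two for broad host access.
    score = len(risky) + (2 if broad else 0)
    verdict = "high" if score >= 5 else "medium" if score >= 2 else "low"
    return {
        "name": manifest.get("name", "<unnamed>"),
        "version": manifest.get("version", "?"),
        "risky_permissions": risky,
        "broad_host_access": broad,
        "score": score,
        "verdict": verdict,
    }


def audit_manifests(manifests):
    """Assess a list of manifests and return the records, worst first."""
    return sorted((assess_manifest(m) for m in manifests), key=lambda r: r["score"], reverse=True)


def audit_extension_root(root):
    """Walk a Chrome profile's Extensions directory (each extension id holds one
    versioned folder containing manifest.json) and assess every manifest found."""
    manifests = []
    for path in Path(root).rglob("manifest.json"):
        try:
            manifests.append(json.loads(path.read_text(encoding="utf-8")))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or partially installed extension; skip it
    return audit_manifests(manifests)


def explain(record: dict) -> str:
    """Render one record as a short human-readable report."""
    lines = [f"{record['name']} {record['version']}: {record['verdict']} (score {record['score']})"]
    for perm in record["risky_permissions"]:
        lines.append(f"  - {perm}: {HIGH_RISK_PERMISSIONS[perm]}")
    if record["broad_host_access"]:
        lines.append(f"  - access to every site: {', '.join(record['broad_host_access'])}")
    return "\n".join(lines)


# Constructed sample: the permission set the article reports for the fake VPNs.
FAKE_VPN_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Free VPN (constructed sample)",
    "version": "1.0",
    "permissions": ["tabs", "storage", "proxy", "webRequest", "cookies", "offscreen"],
    "host_permissions": ["<all_urls>"],
}

# Constructed sample: a benign-looking extension with minimal permissions.
NOTES_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Notes (constructed sample)",
    "version": "2.3",
    "permissions": ["storage"],
}


if __name__ == "__main__":
    for rec in audit_manifests([NOTES_MANIFEST, FAKE_VPN_MANIFEST]):
        print(explain(rec))
    # To audit a real profile, call audit_extension_root() on Chrome's Extensions
    # folder, e.g. ~/.config/google-chrome/Default/Extensions on Linux.
```

The sample VPN manifest scores “high” because it combines every API permission the article lists with access to every site, while the notes extension stays “low” on “storage” alone; the point of the heuristic is that it is the combination, not any single permission, that warrants a closer look.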

One major concern is the extension’s ability to disable competing cashback and coupon extensions on the infected device, redirecting profits to the attackers.

Over 100 cashback extensions, including well-known ones like Avast SafePrice, AVG SafePrice, Honey, and LetyShops, are reported to be targeted by this malware.

The communication between the malicious extensions and their command and control (C2) servers involves data exchange related to instructions, victim identification, and exfiltration of sensitive data.

This incident underscores the substantial security risks associated with web browser extensions, many of which employ sophisticated obfuscation techniques to conceal their true nature.

Users are advised to regularly audit their browser extensions, checking for new reviews in the Chrome Web Store to identify potentially malicious behavior reported by others.

Vigilance in monitoring and managing browser extensions is crucial to ensuring a secure online experience.