Malicious Chrome Extensions Masquerading as VPNs Infect 1.5 Million Users
Three fraudulent Chrome extensions posing as VPNs (Virtual Private Networks) have been installed roughly 1.5 million times.
The extensions, which researchers describe as browser hijackers, cashback fraud tools, and data stealers, have raised significant security concerns.
ReasonLabs, the cybersecurity company that identified them, notified Google of its findings, and the malicious extensions were removed from the Chrome Web Store. By then, however, they had already amassed 1.5 million installs.
AV check (Image by ReasonLabs)
Characteristics and Properties of the Malware
One noteworthy aspect of the malicious extension is the deceptive use of a realistic VPN user interface, complete with certain functionalities and a paid subscription option, creating a false sense of authenticity among users.
Code analysis further reveals that the extensions possess extensive access rights, including permissions such as “tabs,” “storage,” “proxy,” “webRequest,” and “cookies.”
Notably, the “offscreen” permission is abused to run scripts through the Offscreen API: a Manifest V3 extension’s service worker has no DOM of its own, so the malware opens a hidden offscreen document and executes its DOM-dependent logic there, without any visible window the user could notice.
This heightened access allows the malicious extensions to engage in various malicious activities like:
- stealing sensitive user data
- performing browsing hijacks
- manipulating web requests
- disabling other browser extensions
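The permission set above is the most useful indicator a practitioner has when triaging an unknown extension. As an added example (not code from ReasonLabs or from the extensions themselves), the following Node.js script audits an extension’s manifest.json for exactly those permissions and for broad host access; the sample manifest is constructed here to mirror the permission list in the report, and the per-permission risk descriptions are my own summary of what each grant allows.

```javascript
// Added example: audit a Chrome extension manifest for high-risk permissions.
// Not the extensions' own code; the sample manifest below is constructed.

// Permissions worth flagging, with a one-line reason (author's summary).
const HIGH_RISK = new Map([
  ["proxy", "can route all browser traffic through an attacker-chosen proxy"],
  ["webRequest", "can observe every request; with blocking/DNR can alter it"],
  ["cookies", "can read and write cookies for permitted hosts (session theft)"],
  ["tabs", "can enumerate open tabs and read their URLs and titles"],
  ["offscreen", "MV3: can run DOM-capable scripts in a hidden document"],
  ["management", "can disable or uninstall other extensions"],
  ["scripting", "can inject scripts into permitted pages"],
]);

// Host patterns that grant access to every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ];
  const findings = [];

  for (const p of perms) {
    if (HIGH_RISK.has(p)) findings.push({ permission: p, reason: HIGH_RISK.get(p) });
  }

  // MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
  const hosts = manifest.manifest_version >= 3
    ? (manifest.host_permissions || [])
    : perms.filter((p) => p === "<all_urls>" || p.includes("://"));
  const broad = hosts.filter((h) => BROAD_HOSTS.has(h));
  for (const h of broad) findings.push({ permission: h, reason: "host access to every site" });

  // proxy + webRequest + cookies together with broad host access is, in effect,
  // a man-in-the-middle position inside the browser.
  const names = new Set(findings.map((f) => f.permission));
  const mitmCapable =
    ["proxy", "webRequest", "cookies"].every((n) => names.has(n)) && broad.length > 0;

  return { findings, mitmCapable, score: findings.length };
}

// Constructed sample mirroring the permission list in the report (not a real manifest).
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Free VPN Pro (constructed sample)",
  version: "1.0.0",
  permissions: ["tabs", "storage", "proxy", "webRequest", "cookies", "offscreen"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "background.js" },
};

// Constructed benign manifest for comparison.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "Note taker (constructed sample)",
  version: "1.0.0",
  permissions: ["storage"],
};

const report = auditManifest(SAMPLE_MANIFEST);
console.log(`score=${report.score} mitmCapable=${report.mitmCapable}`);
for (const f of report.findings) console.log(`  ${f.permission}: ${f.reason}`);

module.exports = { auditManifest, SAMPLE_MANIFEST, BENIGN_MANIFEST };
```

To run it against a real installed extension, point it at the manifest.json under the extension’s ID and version folder inside your Chrome profile’s Extensions directory (the ID is shown on chrome://extensions with Developer mode enabled). A high score is not proof of malice, since a genuine VPN extension legitimately needs proxy and broad host access, but proxy, webRequest, cookies and <all_urls> together mean the extension can see and alter everything the browser does, which is exactly why the combination deserves scrutiny before installation.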
One major concern is the extension’s ability to disable competing cashback and coupon extensions on the infected device, redirecting profits to the attackers.
Over 100 cashback extensions, including well-known ones like Avast SafePrice, AVG SafePrice, Honey, and LetyShops, are reported to be targeted by this malware.
The communication between the malicious extensions and their command and control (C2) servers involves data exchange related to instructions, victim identification, and exfiltration of sensitive data.
This incident underscores the substantial security risks associated with web browser extensions, many of which employ sophisticated obfuscation techniques to conceal their true nature.
Users are advised to audit their browser extensions regularly: review the permissions each one requests (chrome://extensions lists them), remove anything no longer in use, and re-check the Chrome Web Store listing for recent reviews in which others report suspicious behavior.
Ongoing vigilance in monitoring and managing browser extensions is essential to a secure online experience.
About the author: Vicente is a professional SEO specialist, digital marketer and content writer.