Over 100 malicious Chrome extensions found stealing data and creating backdoors

April 16, 2026 · 6 min read · 3 sources

A Coordinated Campaign Uncovered

In a significant discovery, researchers from Wandera (now part of Check Point) uncovered a large-scale malicious campaign operating directly within the Google Chrome Web Store. The operation involved over 100 distinct browser extensions that, while masquerading as useful utilities, were secretly designed to steal user data and establish a persistent backdoor on victims' machines. According to Wandera's initial report, these extensions had been installed by more than four million users globally, highlighting the campaign's extensive reach and the inherent trust users place in official application marketplaces.

The threat actors behind this scheme published the extensions through at least five different developer accounts, creating a facade of legitimacy and diversity. However, technical analysis revealed a clear link: a shared Command and Control (C&C) infrastructure. This common backbone confirmed that the seemingly disparate applications were all part of a single, coordinated effort to compromise a massive user base. Following the disclosure, Google took action and removed the identified malicious extensions from its store.

Technical Analysis: Deception and Data Exfiltration

The primary attack vector was social engineering, enticing users to install extensions that promised functionality like PDF conversion, ad blocking, or file management. The success of this tactic hinges on the browser extension permission model. During installation, these extensions requested broad permissions, such as the ability to "read and change all your data on the websites you visit," which many users grant without fully considering the implications.

Once installed, the extensions initiated their malicious functions, which were twofold:

  1. Data Theft: The extensions were programmed to exfiltrate a wide range of sensitive user information. This included comprehensive browsing history, search engine queries, IP addresses, and geolocation data (country, city, zip code). This information provides a detailed profile of a user's habits, interests, and physical location, which is highly valuable on underground markets.
  2. Backdoor Functionality: Perhaps more alarmingly, the extensions established a persistent communication channel with attacker-controlled C&C servers. This backdoor gave the operators remote control over the user's browser. They could push commands to redirect users to malicious sites, such as phishing pages designed to steal credentials, or force them to view unwanted advertisements. This capability also opened the door for executing arbitrary code, potentially leading to the installation of more severe malware like ransomware or spyware.

A key indicator of the coordinated nature of this attack was the use of a common set of C&C domains across all extensions. According to Wandera's research, domains like adsrv.mobi, cloudserv.info, and adnet.online were central to the operation's infrastructure. This shared architecture allowed the attackers to efficiently manage their vast network of compromised browsers from a central point. The malicious code itself was often obfuscated, a common technique used to evade automated detection systems employed by the Chrome Web Store.
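As an added defensive example (not from the Wandera report or any vendor tool), the routine below scans web-proxy log lines for requests to the C&C domains named above, matching subdomains but not lookalike hosts that merely contain the name. The log format, timestamps and client addresses are constructed assumptions.

```python
"""Flag outbound proxy requests to the C&C domains named in the report
(adsrv.mobi, cloudserv.info, adnet.online). The log lines are constructed
samples in a simplified 'timestamp client_ip method host path' format."""
from collections import defaultdict

# Domains named in the report; any subdomain of these counts as a hit.
CNC_DOMAINS = frozenset({"adsrv.mobi", "cloudserv.info", "adnet.online"})

# Constructed sample log, not real telemetry.
SAMPLE_LOG = """\
2026-04-16T09:01:12Z 10.1.4.22 GET www.example.com /index.html
2026-04-16T09:01:15Z 10.1.4.22 POST api.adsrv.mobi /v1/report
2026-04-16T09:02:03Z 10.1.7.9 GET cloudserv.info /cfg
2026-04-16T09:02:40Z 10.1.4.22 GET mail.example.com /inbox
2026-04-16T09:03:11Z 10.1.9.30 GET adnet.online.example.org /
2026-04-16T09:04:00Z 10.1.7.9 GET adnet.online /cmd
"""

def is_cnc_host(host: str) -> bool:
    """True if host equals, or is a subdomain of, a known C&C domain.
    A lookalike such as 'adnet.online.example.org' must NOT match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CNC_DOMAINS)

def find_cnc_clients(log_text: str) -> dict[str, list[str]]:
    """Map each client IP to the sorted, deduplicated C&C hosts it contacted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, _method, host, _path = parts
        if is_cnc_host(host):
            hits[client].add(host.lower())
    return {client: sorted(hosts) for client, hosts in hits.items()}

if __name__ == "__main__":
    for client, hosts in find_cnc_clients(SAMPLE_LOG).items():
        print(f"{client}: contacted {', '.join(hosts)}")
```

Clients that appear in the output are candidates for an extension audit, not confirmed infections; a shared proxy or NAT address covers several machines.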

Impact Assessment: From Individuals to Enterprises

The impact of this campaign is far-reaching, affecting both individual users and the organizations they work for.

For the more than four million individuals who installed these extensions, the immediate consequence is a severe breach of privacy. The theft of browsing history and search queries can expose sensitive personal information, political leanings, health concerns, and financial activities. This data can be used for highly targeted scams, identity theft, or blackmail. The backdoor functionality put these users at direct risk of financial fraud through phishing and potential infection with other forms of malware.

For organizations, the threat is equally severe. When employees use compromised devices for work, whether they are corporate-issued or personal devices used for remote access, they create a weak point in the company's security posture. A compromised browser can expose corporate credentials, session cookies for cloud applications, and sensitive internal data. The exfiltrated IP addresses and browsing habits could provide threat actors with valuable reconnaissance for launching more sophisticated, targeted attacks against an organization. An employee's compromised browser can effectively become an entry point into the corporate network.

How to Protect Yourself

While Google has removed the identified extensions, the threat of malicious browser add-ons persists. Users must remain vigilant and adopt a defensive mindset when managing their browsers. Here are several actionable steps to enhance your security:

  • Conduct a Browser Extension Audit: Regularly review the extensions you have installed. In Chrome, you can do this by typing chrome://extensions into your address bar. Scrutinize each one and ask yourself if you truly need it and if you trust its developer. Remove any extension that is unfamiliar, no longer used, or seems suspicious.
  • Vet Before You Install: Before adding any new extension, do your due diligence. Look for extensions from reputable, well-known developers. Read recent user reviews carefully, paying attention to negative feedback that describes unexpected behavior like pop-up ads or browser redirects.
  • Scrutinize Permissions: This is one of the most important steps. When you install an extension, the browser will show you a list of permissions it requires. Be critical. Does a simple PDF converter really need to read and change data on every website you visit? If the permissions seem excessive for the extension's stated function, do not install it.
  • Use Layered Security: Rely on more than just your browser's built-in protections. A quality endpoint security suite can help detect and block malicious activity originating from a browser. Furthermore, using a VPN service can help protect your privacy by masking your true IP address, which was one of the key data points targeted in this campaign. Note, though, that a VPN only hides your address from the servers you connect to; it does not stop an extension already running inside the browser from reading your history and sending it out. Strong encryption is a fundamental component of digital defense.
  • For Businesses: Enforce Policies: Organizations should establish clear policies regarding the use of browser extensions on corporate devices. This may include creating an approved "allowlist" of extensions required for business operations and blocking all others. Employee education on the risks of browser extensions is also essential.
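An added example, not from the original article or any vendor product, of how the permission review and the corporate allowlist from the steps above can be automated: it checks Chrome extension manifests for the "all websites" host access and the sensitive APIs this campaign relied on, and flags extension IDs absent from an allowlist. The manifests, IDs and allowlist are constructed; the loader assumes Chrome's standard `Extensions/<id>/<version>/manifest.json` profile layout.

```python
"""Audit Chrome extension manifests for broad host access ("read and change
all your data on the websites you visit") and for sensitive APIs, and check
each extension ID against a corporate allowlist. Samples are constructed."""
import json
from pathlib import Path

# Host patterns that grant access to every site (MV2 'permissions' or MV3 'host_permissions').
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions covering the data categories the report says were stolen.
SENSITIVE_APIS = {"history", "tabs", "cookies", "webRequest", "webNavigation", "geolocation"}

def assess_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one manifest (empty list = nothing notable)."""
    findings = []
    declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        declared.update(cs.get("matches", []))  # scripts injected everywhere carry the same risk
    if declared & ALL_SITES:
        findings.append("can read and change data on every website")
    for api in sorted(declared & SENSITIVE_APIS):
        findings.append(f"uses sensitive API: {api}")
    return findings

def audit(installed: dict[str, dict], allowlist: set[str]) -> dict[str, list[str]]:
    """installed maps extension ID -> manifest; only extensions with issues are reported."""
    report = {}
    for ext_id, manifest in installed.items():
        issues = [] if ext_id in allowlist else ["not on corporate allowlist"]
        issues += assess_manifest(manifest)
        if issues:
            report[ext_id] = issues
    return report

def load_installed(profile_dir: str) -> dict[str, dict]:
    """Read every manifest.json under a Chrome profile's Extensions folder (ID = parent of version dir)."""
    installed = {}
    for mf in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        installed[mf.parents[1].name] = json.loads(mf.read_text(encoding="utf-8"))
    return installed

# Constructed samples: a 'PDF converter' asking for everything, and a benign theme extension.
SAMPLE_INSTALLED = {
    "aaaa" * 8: {"name": "Quick PDF Converter", "manifest_version": 3,
                 "permissions": ["tabs", "history", "storage"], "host_permissions": ["<all_urls>"]},
    "bbbb" * 8: {"name": "Dark Theme", "manifest_version": 3, "permissions": ["storage"]},
}
ALLOWLIST = {"bbbb" * 8}

if __name__ == "__main__":
    for ext_id, issues in audit(SAMPLE_INSTALLED, ALLOWLIST).items():
        print(ext_id, "->", "; ".join(issues))
```

To run it against a real profile, replace `SAMPLE_INSTALLED` with `load_installed(path_to_profile)` and fill the allowlist with the IDs shown on chrome://extensions in developer mode.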

This incident serves as a stark reminder that even official application stores are not immune to malicious actors. Browser extensions are powerful tools that execute with a high level of privilege within your browser, making them a prime target for abuse. A healthy dose of skepticism and proactive management are your best defenses against this pervasive threat.


FAQ

What specific data did these malicious Chrome extensions steal?

The extensions were designed to exfiltrate a wide range of personal information, including your complete browsing history, search engine queries, IP address, and detailed geolocation data such as your country, city, and zip code.

Google removed the extensions from the store. Am I still at risk if I had one installed?

Yes. While Google's action prevents new installations, it does not automatically remove the extension from the browsers of users who had already installed it. You must manually audit your extensions and remove any malicious ones to eliminate the threat.

How can I check which extensions are installed on my Chrome browser?

You can view, manage, and remove your installed extensions by typing `chrome://extensions` into your Chrome address bar and pressing Enter. This will display a full list of all add-ons currently installed on your browser.

Are all browser extensions dangerous?

No, not at all. The vast majority of browser extensions are safe and provide valuable functionality. However, because they require permissions to operate, they represent a potential security risk. The key is to only install extensions from reputable developers and to carefully review the permissions they request before installation.
