These Four Popular Google Chrome Extensions Infect Over A Half Million Users With Malware


Security researchers have uncovered malware hidden in four different extensions for Google's Chrome browser. Collectively, the four extensions have been downloaded and installed more than half a million times, including onto workstations within major organizations globally. While likely used to commit click fraud and search engine optimization (SEO), the number of installs could provide cyber criminals with a potent botnet.

"While revenues are not known, a similar botnet uncovered in 2013 yielded $6 million per month before it was taken down," security researchers at Icebrg, a computer security firm based in Seattle, Washington, stated in a report outlining the technical details of the malware.

The researchers discovered the malware while investigating an "unusual" uptick in outbound traffic from a customer workstation to a European VPS provider. Analysis of the traffic led them to a Chrome extension called HTTP Request, which was sending outbound traffic to websites with advertising attached.

Part of what's interesting here is that on the surface, the extension did not contain any overtly malicious code. However, there two items that could enable the execution of arbitrary JavaScript code.

"By design, Chrome’s JavaScript engine evaluates (executes) JavaScript code contained within JSON. Due to security concerns, Chrome prevents the ability to retrieve JSON from an external source by extensions, which must explicitly request its use via the Content Security Policy (CSP). When an extension does enable the ‘unsafe-eval’ permission to perform such actions, it may retrieve and process JSON from an externally-controlled server. This creates a scenario in which the extension author could inject and execute arbitrary JavaScript code anytime the update server receives a request," Icebrg explained in its report.

Further investigation led Icebrg to discover similar malware residing in three other Chrome extensions, including Stickies, Lite Bookmarks, and Nyoogle. That's what led them to believe they were being used to commit click-fraud to generate revenue from web ads.

"The total installed user base of the aforementioned malicious Chrome extensions provides a substantial pool of resources to draw upon for fraudulent purposes and financial gain. The high yield from these techniques will only continue to motivate criminals to continue exploring creative ways to create similar botnets," Icebrg added.

As always, do your research before downloading a browser extension (regardless of which browser you are using) and only download extensions from trusted sources.