Security researchers from Trend Micro have recently announced the discovery of malicious browser extensions that redirect traffic to advertisements, track online activity, and inject cryptocurrency mining code. The malicious extensions, dubbed Droidclub, are also capable of recording users' personal information. According to Trend Micro, the Droidclub add-ons are distributed primarily through advertisements that prompt users to download and install an extension in their browser. Once installed, the add-on contacts a command-and-control (C&C) server every five minutes to fetch its configuration code.
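A fixed five-minute poll to a C&C server is a timing pattern that stands out in web-proxy logs, because human browsing does not produce near-identical gaps between requests to the same host. The script below is an added illustration, not code from the article or from Trend Micro: it parses a constructed proxy log (the `SAMPLE_LOG` lines, the client address and the host `c2.example.invalid` are all made up placeholders, not indicators from the report), groups requests by client and host, and flags any pair whose inter-request intervals are almost constant.

```python
# Added example (not part of the Trend Micro report or the article): spot
# fixed-interval beaconing, such as an extension polling its C&C server
# every five minutes, in web-proxy logs. The log lines below are constructed
# for illustration; "c2.example.invalid" is a placeholder, not a real IoC.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one request per line: "<ISO timestamp> <client> <host>"
SAMPLE_LOG = """\
2018-02-01T09:00:00 10.0.0.5 c2.example.invalid
2018-02-01T09:00:17 10.0.0.5 www.example.com
2018-02-01T09:05:01 10.0.0.5 c2.example.invalid
2018-02-01T09:07:42 10.0.0.5 news.example.org
2018-02-01T09:10:00 10.0.0.5 c2.example.invalid
2018-02-01T09:14:59 10.0.0.5 c2.example.invalid
2018-02-01T09:20:00 10.0.0.5 c2.example.invalid
2018-02-01T09:21:10 10.0.0.5 www.example.com
2018-02-01T09:33:05 10.0.0.5 www.example.com
2018-02-01T09:40:30 10.0.0.5 news.example.org
"""


def parse_log(text):
    """Return {(client, host): [sorted datetimes]} from the constructed log format."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, client, host = line.split()
        series[(client, host)].append(datetime.fromisoformat(stamp))
    for key in series:
        series[key].sort()
    return series


def beacon_score(timestamps):
    """Return (mean_interval_s, jitter_ratio) for a sorted list of datetimes.

    jitter_ratio is the population stdev of the gaps divided by their mean.
    A ratio near zero means the gaps are nearly equal, the signature of a
    timer-driven poll rather than a person clicking around. Returns None
    when there are too few gaps to judge.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    jitter = (pstdev(gaps) / avg) if avg else float("inf")
    return avg, jitter


def find_beacons(text, min_requests=4, max_jitter=0.05):
    """Flag (client, host) pairs whose request gaps are almost constant."""
    hits = []
    for (client, host), stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue
        score = beacon_score(stamps)
        if score and score[1] <= max_jitter:
            hits.append({
                "client": client,
                "host": host,
                "interval_s": round(score[0]),
                "jitter": round(score[1], 3),
            })
    return hits


if __name__ == "__main__":
    # Only the placeholder C&C host shows a ~300 s cadence with ~0 jitter.
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Real malware often adds random jitter to its poll interval, so in practice the `max_jitter` threshold is tuned per environment and the result is combined with other signals (newly seen domains, uniform request sizes, requests continuing while the user is idle) rather than used alone.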
The Droidclub extensions inject advertisements into the websites the user visits: the add-ons repeatedly open a new tab that displays advertisements, and they can also inject code that turns specific keywords on a web page into links to advertisements. The extensions also abuse the session replay script from Yandex Metrica, a legitimate web analytics library, to record sensitive personal data. Session replay records the user's mouse clicks, scrolling, and keystrokes so that site owners can evaluate how visitors use their websites; in the hands of an attacker, the same script can capture personal data such as credit card details, names, email addresses, and mobile phone numbers. Older versions of the extensions also turned the browser into a Monero cryptocurrency miner, but more recent versions no longer inject the mining code.
Droidclub extensions also hinder users from uninstalling or reporting the malicious add-ons. For example, attempting to uninstall the add-on redirects the user to a fake extension management page that falsely shows the malicious software has been removed from the browser. Trend Micro has informed both Google and Cloudflare about the malicious software. Google stated that it had removed a total of 89 malicious extensions from the Chrome Web Store and disabled the add-ons in the browsers of affected users; an estimated 423,992 users were affected. Cloudflare has removed the C&C servers the add-ons use from its service, and system administrators can also set policies that prevent employees from installing extensions.
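The policy mentioned in the last sentence is, for Chrome, the `ExtensionSettings` enterprise policy: a `"*"` entry with `installation_mode` set to `blocked` prevents every extension from being installed, and individual extension IDs can then be set to `allowed`. The script below is an added example, not code from the article or from Google: it builds that policy as a dict, validates each allowlisted ID (Chrome extension IDs are 32 lowercase letters in the range a-p) so a typo cannot quietly change the allowlist, and writes it to the Linux managed-policy directory. The extension ID used in the usage line is a made-up placeholder; on Windows the same policy is delivered through Group Policy or the registry rather than a JSON file.

```python
# Added example (not from the article or Trend Micro): generate a Chrome
# enterprise policy that blocks all extensions except an approved allowlist.
# The policy directory is the Linux one; the extension ID used below is a
# placeholder, not a real extension.
import json
import os
import re

POLICY_DIR = "/etc/opt/chrome/policies/managed"   # Chrome managed-policy dir (Linux)

# Chrome extension IDs are exactly 32 characters drawn from a-p.
EXTENSION_ID = re.compile(r"^[a-p]{32}$")


def is_valid_extension_id(ext_id):
    """True if ext_id has the shape of a Chrome extension ID."""
    return bool(EXTENSION_ID.match(ext_id))


def build_extension_policy(allowed_ids):
    """Return an ExtensionSettings policy dict: '*' blocked, allowlisted IDs allowed.

    Raises ValueError on a malformed ID so a typo cannot silently widen or
    narrow the allowlist once Chrome applies the policy.
    """
    bad = [i for i in allowed_ids if not is_valid_extension_id(i)]
    if bad:
        raise ValueError(f"malformed extension id(s): {bad}")
    settings = {"*": {"installation_mode": "blocked"}}
    for ext_id in allowed_ids:
        settings[ext_id] = {"installation_mode": "allowed"}
    return {"ExtensionSettings": settings}


def write_policy(allowed_ids, path=os.path.join(POLICY_DIR, "extensions.json")):
    """Write the policy JSON where Chrome expects it and return the path."""
    policy = build_extension_policy(allowed_ids)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        json.dump(policy, fh, indent=2)
    return path


if __name__ == "__main__":
    # Placeholder ID (constructed); replace with the IDs you actually approve.
    approved = ["abcdefghijklmnopabcdefghijklmnop"]
    print(json.dumps(build_extension_policy(approved), indent=2))
```

Chrome applies files in the managed directory as mandatory policy, so users cannot override the block from `chrome://extensions`; a blocked extension that is already installed is disabled rather than left running.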