Droidclub Malware Tracks People's Online Activities, Shows Ads

Security researchers from Trend Micro have recently announced the discovery of malicious browser extensions that allow attackers to redirect traffic to advertisements, track online activities, and inject cryptocurrency mining code. The malicious extensions are dubbed Droidclub extensions, and the add-ons are also capable of recording the user's personal information. According to Trend Micro, the Droidclub add-ons are primarily distributed through advertisements that prompt users to download and install an extension in their browsers. Once the user has installed the add-on, it automatically contacts a command-and-control (C&C) server every five minutes to obtain its configuration code.

The Droidclub extensions are capable of injecting advertisements into the websites the user visits. For example, the add-ons repeatedly open a new tab that displays advertisements, and they can also inject code that turns specific keywords on a web page into links to advertisements. These extensions also abuse the session replay script from the legitimate web analytics library developed by Yandex Metrica to record sensitive personal data. The session replay script records the mouse clicks, scrolling, and keystrokes made by the user, which lets companies evaluate how people use their websites. However, the same script can be used by attackers to steal personal data such as credit card information, names, email addresses, and mobile phone numbers. Older versions of the extensions also turned the browser into a Monero cryptocurrency miner, but more recent versions of the add-on no longer inject the mining code.

Droidclub extensions are also capable of preventing users from uninstalling or reporting the malicious add-ons. For example, attempting to uninstall the add-on redirects the user to a fake extension management page that falsely shows the malicious software has been removed from the browser. The security firm has already informed both Google and Cloudflare about the malicious software. The Mountain View-based search giant stated that it had removed a total of 89 malicious extensions from the Chrome Web Store and had disabled the add-ons in the browsers of affected users. An estimated 423,992 users were affected by the malicious extensions. Meanwhile, Cloudflare has removed the C&C servers the add-ons use from its service, and system administrators also have the option to set policies that prevent employees from installing extensions.
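The administrator-side mitigation mentioned above, written out as an added example that is not part of the original article or of Trend Micro's research: a Chrome managed-policy file that blocks every extension by default and only allows a reviewed set, so an ad-delivered add-on like Droidclub cannot be installed by the user at all. The extension IDs are placeholders to be replaced with the organization's approved ones, and the file is assumed to be placed where Chrome on Linux reads managed policies (`/etc/opt/chrome/policies/managed/`); on Windows and macOS the same policy names are set through Group Policy or a configuration profile.

```json
{
  "ExtensionInstallBlocklist": [
    "*"
  ],
  "ExtensionInstallAllowlist": [
    "PLACEHOLDER_APPROVED_EXTENSION_ID_1",
    "PLACEHOLDER_APPROVED_EXTENSION_ID_2"
  ],
  "ExtensionInstallForcelist": [
    "PLACEHOLDER_REQUIRED_EXTENSION_ID;https://clients2.google.com/service/update2/crx"
  ]
}
```

`ExtensionInstallBlocklist` with `"*"` blocks all extensions, the allowlist carves out exceptions, and the forcelist installs mandatory ones that users cannot remove; after deploying the file, confirm it was applied by opening `chrome://policy` on a managed machine.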

Copyright ©2019 Android Headlines. All Rights Reserved
About the Author

Mark Real

Staff Writer