Researcher Tip Results In Removal Of 500 Malicious Chrome Extensions


Google has pulled no fewer than 500 malicious extensions from its Chrome Web Store, according to recent reports. The takedown follows an extensive investigation by researcher Jamila Kaya using Duo Security's CRXcavator tool. The extensions were engaged in a range of malicious activity, from stealing browsing data and committing click fraud to serving malicious advertising.

The extensions were chiefly identified because they shared copycat code under the hood; in many cases the only differences were the names of internal functions. Each also requested more permissions than its advertised purpose warranted. Those permissions gave the extensions access to browsing data and let them run on HTTPS pages as well, where an extension with host access sees page content after TLS decryption, so the encrypted transport offers the user no protection against it.

Despite that range of behaviour, most of the removed extensions were being used for ad fraud. That involved the extensions contacting attacker-controlled domains and issuing redirects that landed users on malware and phishing domains, all without the user's knowledge.


To Google's credit, it discovered most of the malicious Chrome extensions

Of the roughly 190,000 extensions on the Chrome Web Store, 500 were ultimately removed, so Google deserves at least some credit here. That number represents about 0.26 percent of the extensions on the store, and Google found most of the bad extensions itself using its own fingerprinting method.

The researcher initially found only around 70 using Duo Security's CRXcavator tool. All of those extensions appeared to be directly related to each other, and each contacted similar command-and-control infrastructure. More troubling, they appeared to have been designed to evade sandbox analysis.

That doesn't necessarily let Google off the hook, though. The extensions uncovered by Duo Security and Jamila Kaya had already been installed a combined 1.7 million times, and some had been on the Chrome Web Store for years. That's despite the search giant's claim that it conducts "regular sweeps" to find precisely these kinds of extensions, namely those using "similar techniques, code, and behaviors," and take them down.


Google's track record here isn't stellar either. The company has been noticing and removing batches of malicious extensions on a near-yearly basis for some time now.

Among the most recent trouble, Google temporarily suspended paid Chrome extensions outright in late January, after discovering that some were being used to complete fraudulent transactions. That suspension will remain in place until a more permanent solution is found.

Google is notifying users but users still need to remove the extensions

Users affected by the extensions are being notified by Google's usual method: the extensions are automatically disabled in the browser and clearly marked as malicious. But the browser will not automatically remove any of the 500 malicious extensions from Chrome; that's a step users need to complete themselves.


Fortunately, that's an easy process. First, open Chrome and tap or click the three-dot menu at the top right of the UI. Then select the "More tools" sub-menu. From there, clicking "Extensions" opens a page listing every installed extension.

Each extension has its own "Details" and "Remove" buttons. The toggle that enables or disables the extension can be ignored; simply tapping or clicking "Remove" completes the task. Those same steps work on Chrome OS, Linux, Windows, and Mac. Android devices are unaffected, since Chrome for Android does not support extensions.