
Millions Impacted by Spyware Campaign Through Malicious Google Chrome Extensions

Security researchers at Awake Security uncovered a spyware campaign aimed at users of the Google Chrome browser, which has more than 2 billion users. The firm identified 111 malicious Chrome extensions that together had been downloaded more than 32 million times from the Chrome Web Store. The extensions connected to thousands of attacker-controlled domains and shared users’ sensitive information with third parties.

Most of the extensions claimed to offer useful services, such as protecting users online or converting files from one format to another. Awake Security, which uncovered the abuse of the Web Store, said the campaign was the most extensive ever to hit the Chrome Web Store.

Largest Google Chrome extensions spyware campaign

Awake co-founder and chief scientist Gary Golomb said the campaign was the largest of its kind ever to hit the Alphabet-owned company. Neither the researchers nor Google could identify the entities behind the Chrome extension spyware campaign, because the threat actors had submitted false contact information when publishing the extensions on the Chrome Web Store.

The publishers designed the malicious extensions to evade Google’s automated review systems and users’ antivirus software. Some of the extensions installed the open-source Chromium browser in place of the official Google Chrome so that they could install and run additional extensions that the official browser would not allow.

According to Awake Security, the extensions could also take screenshots, read the clipboard, and capture form input, including login credentials.

The malicious extensions targeted home users, who lack the additional security controls found on corporate networks. When a home user browsed the web with Chrome, the spyware extensions connected to more than 15,000 attacker-operated domains to transmit the user’s information.

By contrast, when the browser was running on a corporate network, the extensions did not transmit any data and did not even reach the malicious sites.

All the malicious domains were linked to one another and had been registered through a single small registrar, Galcomm, based in Israel. Awake Security said that 60% of the domains registered through Galcomm were malicious or suspicious and should have been detected, which it took as an indication of complicity. Galcomm’s owner, Moshe Fogel, denied that his company was involved in the Chrome extension spyware campaign.

Fogel disputed that Awake Security had complained to his company in April and May about the abuse, and added that Galcomm always cooperates with law enforcement to prevent such crimes. He claimed that 25% of the domains listed in the report either did not belong to Galcomm or had already been deleted, and said his company would take action against Awake Security.

The Internet Corporation for Assigned Names and Numbers (ICANN), which oversees domain registrars, said it had received various complaints about the registrar, but none related to the current spyware campaign or to malware distribution.

Response from Google

Asked by Reuters, Google declined to say how extensive the spyware campaign was or why it had not detected the extensions on its own. Instead, the company released a statement saying it conducts regular sweeps to find extensions using similar techniques, code, and behaviors.

Google spokesperson Scott Westover told Reuters that whenever the company is alerted to extensions in the Web Store that violate its policies, it takes action and uses those incidents as training material to improve “our automated and manual analyses.” He added that Google had removed more than 70 of the malicious Chrome extensions within the past month after being alerted by the researchers.

The Chrome Web Store has long been a lucrative target for cybercriminals. In 2018, Google reported that one in every ten extension submissions was malicious, and the company promised to increase human review to weed out spyware and malware. It also restricted the installation of Chrome extensions from third-party websites to protect users from unverified add-ons.

The current campaign is not the first to hit the Chrome Web Store. In February, Jamila Kaya, working in collaboration with Cisco Systems, revealed a similar operation that stole data from more than 1.7 million Chrome users; their findings led to the removal of over 500 malicious extensions from the store. Google maintains that it has a zero-tolerance policy toward spyware and that it checks software and Chrome extensions to eliminate those that would harm the user experience.

Difficulty of policing Chrome extensions

Browser extensions have been used to carry out cyberattacks by both state-sponsored and independent threat actors. No evidence links the current campaign to a state sponsor, but its high level of organization and the apparent complicity of a registrar mean the possibility cannot be ruled out. Although the malicious extensions targeted home users, they still pose a considerable risk to corporations while employees work from home and use home internet connections to reach their companies’ IT infrastructure.

Craig Young, a computer security researcher with Tripwire’s Vulnerability and Exposure Research Team (VERT), commented: “The proliferation of browser extensions as conduits for all manner of online activity has been absolutely terrible for security. Chrome generally does well at resisting compromise from sophisticated exploits but extensions can undermine this security completely.”

“The other problem is that malicious developers can frequently implement legitimate functionality to explain permission requests, which are then used to steal data or attack the user. Chrome and other browsers, unfortunately, offer very little in the way of technology to monitor the behavior of an extension at runtime, so it becomes next to impossible to notice if an extension is interacting with sites or user data in unexpected ways,” added Young.

Relying on policing of the Chrome Web Store alone is not realistic, so Young advises users to review the permissions an extension requests when installing it, in order to understand what resources it will be able to access.
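As an added example (not part of the original article, and not Awake Security’s or Google’s tooling), the following Python script performs the permission check Young recommends, but against extensions that are already installed: it walks a Chrome profile’s Extensions directory, parses each manifest.json, and flags the permissions that would let an extension do what the Awake report describes (read every page and its forms, the clipboard, cookies or network traffic, or capture the screen). The risk table is an assumption of this example, not a Google classification, and the two sample manifests embedded in the script are constructed for the demo.

```python
"""Audit installed Chrome extensions for high-risk permissions.

Added example, not code from the original article, Awake Security or Google.
Walks Extensions/<id>/<version>/manifest.json under a Chrome profile.
"""
import json
import sys
import tempfile
from pathlib import Path

# Assumed risk table (this example's judgement, not a Google classification):
# permissions an extension needs before it can do what the Awake report
# describes (read pages and forms, the clipboard, cookies, or take screenshots).
HIGH_RISK = {
    "<all_urls>": "run scripts on, and read, every website",
    "clipboardRead": "read the clipboard",
    "cookies": "read site cookies, including session tokens",
    "webRequest": "observe every HTTP request the browser makes",
    "webRequestBlocking": "modify or block HTTP requests",
    "tabs": "see the URL and title of every open tab",
    "nativeMessaging": "talk to native programs on the host",
    "desktopCapture": "capture the screen",
}
# Host patterns equivalent to <all_urls> for this audit.
ALL_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def manifest_risks(manifest):
    """Return [(permission, why_it_matters)] for one parsed manifest.

    Covers MV2 'permissions' (API names and host patterns mixed), MV3
    'host_permissions', and content-script 'matches', which grant page access.
    """
    requested = list(manifest.get("permissions", []))
    requested += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        requested += script.get("matches", [])
    risks, seen = [], set()
    for perm in requested:
        key = "<all_urls>" if perm in ALL_HOST_PATTERNS else perm
        if key in HIGH_RISK and key not in seen:
            seen.add(key)
            risks.append((key, HIGH_RISK[key]))
    return risks


def audit_extensions_dir(ext_dir):
    """Audit every manifest under a profile's Extensions dir, keyed by id."""
    results = {}
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or half-written manifest: skip, don't crash
        results[path.parent.parent.name] = {
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "risks": manifest_risks(manifest),
        }
    return results


# Constructed sample manifests (not real extensions): a theme that asks for
# nothing, and a "file converter" asking for far more than converting files
# needs, the mismatch between stated purpose and permissions Young describes.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "manifest_version": 3, "name": "Plain Theme", "version": "1.0",
        "theme": {"colors": {"frame": [0, 0, 0]}},
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "manifest_version": 2, "name": "Free File Converter", "version": "2.3.1",
        "permissions": ["clipboardRead", "tabs", "webRequest", "https://*/*"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    },
}


def write_sample_profile(root):
    """Lay the samples out the way Chrome does: Extensions/<id>/<version>_0/."""
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        version_dir = Path(root) / ext_id / (manifest["version"] + "_0")
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest))
    return root


def audit_sample_profile():
    """Build the constructed profile in a temp dir and audit it."""
    return audit_extensions_dir(write_sample_profile(tempfile.mkdtemp()))


if __name__ == "__main__":
    found = audit_extensions_dir(sys.argv[1]) if len(sys.argv) > 1 else audit_sample_profile()
    for ext_id, info in found.items():
        print(("RISK " if info["risks"] else "ok   ") + f"{ext_id} {info['name']} {info['version']}")
        for perm, why in info["risks"]:
            print(f"        {perm}: {why}")
```

Run it with the path to a Chrome profile’s Extensions directory (on Linux, ~/.config/google-chrome/Default/Extensions; on macOS, ~/Library/Application Support/Google/Chrome/Default/Extensions; on Windows, %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions); with no argument it audits the constructed samples. A flagged permission is not proof of malice, since a legitimate ad blocker needs webRequest and <all_urls> too; the point is to make a broad grant visible so it can be weighed against what the extension claims to do.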

Young further suggests that “interstitial permission requests or visual indicators as extensions read or manipulate browser content could further improve the situation by adding more chances for the end-user to notice and object to malicious activity.”