Google removes 106 malicious Chrome extensions that were spying on users

midian182

What just happened? We know that malicious apps occasionally sneak their way onto the Play Store, but that’s not the only place where Google’s vetting is lax. The company has just removed 106 extensions from its Chrome Web Store for collecting sensitive user data.

A report from Awake Security identified 111 malicious Chrome extensions that had been downloaded almost 33 million times by May 2020, when the company contacted Google.

Most of the extensions claimed to warn users about dangerous websites, improve web searches, or convert file formats. Their real function was to take screenshots, read the clipboard, harvest browsing history, log keystrokes to steal passwords, and collect authentication cookies.

All the extensions are believed to be the work of the same unidentified actor, as many share almost identical graphics, codebases, version numbers, and descriptions. According to Awake, the creator(s) gave Google false contact information when submitting the extensions to the Chrome Web Store.

The extensions were built to evade antivirus and security software that blocks connections based on domain reputation: instead of relying on a handful of well-known hosts, they connected to a large pool of throwaway domains to transmit the stolen data. Users running Chrome on corporate networks, however, were spared, as the extensions would not send the data, or even contact the malicious domains, when running in such an environment.

More than 15,000 malicious domains were used, all of them purchased from a small registrar in Israel called Galcomm.

“Galcomm is not involved, and not in complicity with any malicious activity whatsoever,” Galcomm owner Moshe Fogel told Reuters. “You can say exactly the opposite, we cooperate with law enforcement and security bodies to prevent as much as we can.”

Google has removed all but five of the malicious extensions from the Chrome Web Store. Those who installed them will find the extensions still present in their browsers, but disabled and marked as malware.
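The capabilities listed above (screenshots, clipboard reads, browsing history, keystroke capture, cookie theft) each map to permissions an extension has to declare in its manifest.json, which gives a responder a cheap first triage of any Chrome profile. The following Python script is an added example, not code from the article or from Awake Security: it ranks every extension under a profile's Extensions directory by the permission combinations it requests. The permission names are Chrome's documented ones; the capability groupings, the scoring weights and the two sample manifests are this example's own assumptions and are constructed for offline use.

```python
"""Rank the extensions in a Chrome profile by the permissions they request.

Added example (not code from the article or from Awake Security). The
permission names are Chrome's documented ones; the capability groupings,
the scoring weights and the sample manifests are this example's own
assumptions, chosen to flag the capabilities described above: screenshots,
clipboard reads, browsing history, keystroke capture and cookie theft.
"""
import json
import sys
from pathlib import Path

# Permissions that grant each capability a data-stealing extension would need.
CAPABILITIES = {
    "screenshots": {"tabs", "activeTab", "desktopCapture"},  # tabs.captureVisibleTab
    "clipboard": {"clipboardRead"},
    "history": {"history"},
    "cookies": {"cookies"},
    "web_traffic": {"webRequest", "webRequestBlocking", "declarativeNetRequest"},
}

# Host patterns that let an extension act on every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _host_patterns(manifest):
    """Collect every host match pattern the manifest declares (MV2 and MV3 fields)."""
    patterns = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for p in manifest.get(key, []):
            if isinstance(p, str) and ("://" in p or p == "<all_urls>"):
                patterns.add(p)
    for cs in manifest.get("content_scripts", []):
        patterns.update(cs.get("matches", []))
    return patterns


def assess_manifest(manifest):
    """Return (score, findings) for one parsed manifest.json."""
    perms = set()
    for key in ("permissions", "optional_permissions"):
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    broad_hosts = _host_patterns(manifest) & BROAD_HOSTS

    findings = []
    for label, needed in CAPABILITIES.items():
        hit = perms & needed
        if hit:
            findings.append(f"{label}: {sorted(hit)}")
    if broad_hosts:
        findings.append(f"host access to all sites: {sorted(broad_hosts)}")
    # A content script on every page can hook keydown events and scrape forms.
    if any(set(cs.get("matches", [])) & BROAD_HOSTS
           for cs in manifest.get("content_scripts", [])):
        findings.append("content script injected on all sites (keystroke capture possible)")

    score = len(findings)
    # Cookie access only enables session theft when paired with broad host
    # access, so that combination is weighted extra.
    if "cookies" in perms and broad_hosts:
        score += 2
    return score, findings


def scan_profile(extensions_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json, highest score first."""
    results = []
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue
        ext_id = path.parent.parent.name
        score, findings = assess_manifest(manifest)
        results.append((score, ext_id, manifest.get("name", "?"), findings))
    return sorted(results, reverse=True)


# Constructed sample manifests for offline use; not taken from any real extension.
SAMPLE_SPY = {
    "name": "Safe Site Checker (constructed sample)",
    "manifest_version": 2,
    "permissions": ["tabs", "clipboardRead", "history", "cookies", "<all_urls>", "storage"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}
SAMPLE_BENIGN = {
    "name": "Font Changer (constructed sample)",
    "manifest_version": 2,
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["fonts.js"]}],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. ~/.config/google-chrome/Default/Extensions on Linux
        for score, ext_id, name, findings in scan_profile(sys.argv[1]):
            print(score, ext_id, name, findings)
    else:
        for m in (SAMPLE_SPY, SAMPLE_BENIGN):
            print(m["name"], assess_manifest(m))
```

Run it with the profile's Extensions directory as the only argument (on Windows it lives under %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions). A high score is not proof of malice, since legitimate password managers and screenshot tools request several of the same permissions; it tells you which extensions to pull and read first, and which extension IDs to compare against Awake's published list.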


 
Every visit to the in-laws usually requires a half hour of cleanup on their laptop. This last trip they somehow managed to install 3 versions of VPN software without even knowing it.

Luckily they don't do any banking or purchases of any kind online. They search and find things they like, then either my wife or I actually purchase the items for them on a non-infected machine. Their money of course :)
 
I don't get it, why was this done only now? Why doesn't Google do it on a regular basis?
Sadly mobile App Stores are all about mindless number-chasing p*ssing contests. "We have 3 Million Apps!" The fact that 90% are junk, or that searching for "Flashlight Apps" comes up with 200 of which 10 are decent whilst 190 want permission to access your files, contacts, etc., is absurd. Google should not only be doing this regularly, I'd say they should verify & test each app. If the problem with that is too many apps for the testing personnel, then the whole quantity-over-quality store philosophy ends up being the bigger problem in itself. I'd pick a GOG-style curated approach over the current 'wall of unending cr*p' any day.
 
Every visit to the in-laws usually requires a half hour of cleanup on their laptop. This last trip they somehow managed to install 3 versions of VPN software without even knowing it.

Luckily they don't do any banking or purchases of any kind online. They search and find things they like, then either my wife or I actually purchase the items for them on a non-infected machine. Their money of course :)

I used to remote in to my parents' computers to clean them up and remove crap from their systems.
Funniest was one night. My father ALWAYS goes to bed around 9pm to 9:30pm. LIKE CLOCKWORK. His computer was in his music room. One night around 10:30, I remoted in, cleaned up the trash, made sure the antivirus was up to date and whatnot. Then I opened his browser to make sure he hadn't been spoofed into installing something. Opened it, and a few seconds later it closed. Thinking I might have closed it, I opened it again, and it closed. Then, my phone rang.
He said his computer was doing something weird. I played along for a few minutes, then started laughing and told him I was working on his computer. Yeah, he called me a smart*ss, but I told him, you never stay up that late.
 
My question is more simple. Why didn't the author of this article give us a simple list of, say, the top 50, so we don't have to go "sign up" to get the report... sounds a bit like he's promoting the paid version of the report, doesn't it?

Agree. Now I know what happened to my Font Changer extension. This was essential for me to use Chrome, and because it's no longer available it's made me shift to Firefox. The only decent extension now is Custom Font Changer, but that does not override all website fonts in Chrome.
 
I always, ALWAYS, text or call before remoting to anyone's device, and 99.9% of the time uninstall the software I’m using. They can install it right before I remote, or at minimum set up a second and even third factor to connect. You will be much more appreciated by those you help if you do this. Besides being courteous, it’s a security concern leaving A. software installed that you are not using and may not be automatically updated and B. a hole for remote access potentially open. Also, I hope they are using non-admin accounts to casually browse and only use an elevated prompt or actual login to install anything. They don’t understand how it works and assume if you can access it anyone can, in general.

To the post - yes, a list would be handy, I’ll have to look it up. Why do “corporate” networks not transmit any data? I would consider a corporate network something centrally managed with a firewall and domain controller.


I used to remote in to my parents' computers to clean them up and remove crap from their systems.
Funniest was one night. My father ALWAYS goes to bed around 9pm to 9:30pm. LIKE CLOCKWORK. His computer was in his music room. One night around 10:30, I remoted in, cleaned up the trash, made sure the antivirus was up to date and whatnot. Then I opened his browser to make sure he hadn't been spoofed into installing something. Opened it, and a few seconds later it closed. Thinking I might have closed it, I opened it again, and it closed. Then, my phone rang.
He said his computer was doing something weird. I played along for a few minutes, then started laughing and told him I was working on his computer. Yeah, he called me a smart*ss, but I told him, you never stay up that late.
 
I use Edge on my Android phones and PCs so I don't get Chrome problems. I also run CCleaner a couple of times a week.
 
Sadly mobile App Stores are all about mindless number-chasing p*ssing contests. "We have 3 Million Apps!" The fact that 90% are junk, or that searching for "Flashlight Apps" comes up with 200 of which 10 are decent whilst 190 want permission to access your files, contacts, etc., is absurd. Google should not only be doing this regularly, I'd say they should verify & test each app. If the problem with that is too many apps for the testing personnel, then the whole quantity-over-quality store philosophy ends up being the bigger problem in itself. I'd pick a GOG-style curated approach over the current 'wall of unending cr*p' any day.

Another solution would be to put companies that have had apps banned on a 3-strikes-and-you're-out basis, i.e. if Google deletes your apps 3 times your company, and/or the people involved, can never use the Google app store again!!
 
My question is more simple. Why didn't the author of this article give us a simple list of, say, the top 50, so we don't have to go "sign up" to get the report... sounds a bit like he's promoting the paid version of the report, doesn't it?
I believe the site's terms explicitly prohibit that sort of thing: https://awakesecurity.com/terms/

However, if you look at the blog entry, there is a link to a text file of the malicious domains.

And that report is free - other than the cost of an e-mail address for them to send you the download link for the full report.
 
Sometimes you gotta wonder if the spyware itself, or the American tech industry's delays in publicizing and handling it, weren't the work of US government agencies behind the scenes. It's not hard to see C-level decisions being made on the "advice" of US government attorneys to delay certain actions, especially with America's PATRIOT Act threat of prosecution for non-cooperation.
 
Oh, the Irony...It's not like I have a dozen google domains in my 'hosts' pointing to nowhere instead of getting the data google mines from my network.
 