Independent researcher Jamila Kaya, in cooperation with Cisco-owned Duo Security, helped uncover approximately 500 Chrome extensions that were uploading private data from millions of users.
Kaya used Duo Security’s CRXcavator, an automated tool designed specifically to help assess Chrome extensions, to “uncover a large scale campaign of copycat Chrome extensions that infected users and exfiltrated data through malvertising while attempting to evade fraud detection on the Google Chrome Web Store.” Initially, Kaya discovered 70 malicious extensions being used by 1.7 million users. Kaya and Duo Security notified Google, which went on to find an additional 430 similar extensions.
“In the case reported here, the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users,” wrote Kaya and Duo Security’s Jacob Rickerd. “This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users’ knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms.”
Google quickly removed all 500 extensions and implemented new policies to make it harder for this type of extension to reappear. As Duo Security recommends, individuals should periodically review the extensions they’re using and delete any they don’t recognize or no longer use.
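One way to make that periodic review concrete is to inventory the extensions installed in a Chrome profile and flag the ones that request broad host access or data-sensitive APIs, since those are the permissions an ad-injecting, data-exfiltrating extension needs. The script below is an added example written for this page, not Duo Security's CRXcavator or any Google tooling; it assumes Chrome's on-disk layout of `<profile>/Extensions/<id>/<version>/manifest.json`, and the "risky permission" sets are this editor's heuristics, not an official list. It builds a constructed sample profile in a temporary directory so it runs offline.

```python
import json
import tempfile
from pathlib import Path

# Heuristic watch-lists (editor's assumptions, not a Chrome or Duo Security list).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_APIS = {"webRequest", "webRequestBlocking", "tabs", "history",
                  "cookies", "webNavigation"}


def inventory_extensions(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and summarise each."""
    results = []
    ext_root = Path(profile_dir) / "Extensions"
    for manifest in sorted(ext_root.glob("*/*/manifest.json")):
        data = json.loads(manifest.read_text(encoding="utf-8"))
        perms = set(data.get("permissions", []))
        hosts = set(data.get("host_permissions", []))      # Manifest V3
        # Manifest V2 mixes host patterns into "permissions"; split them out.
        hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
        flags = []
        if hosts & BROAD_HOSTS:
            flags.append("broad host access")
        api_hits = sorted(perms & SENSITIVE_APIS)
        if api_hits:
            flags.append("sensitive APIs: " + ", ".join(api_hits))
        results.append({"id": manifest.parts[-3],           # extension id directory
                        "name": data.get("name", "?"),      # may be a __MSG_ key
                        "version": data.get("version", "?"),
                        "flags": flags})
    return results


def build_sample_profile():
    """Constructed sample profile: one benign-looking and one over-privileged extension."""
    tmp = Path(tempfile.mkdtemp())
    samples = {
        "a" * 32: {"name": "Note Taker", "version": "1.2", "manifest_version": 3,
                   "permissions": ["storage"]},
        "b" * 32: {"name": "Coupon Helper", "version": "4.0", "manifest_version": 2,
                   "permissions": ["tabs", "webRequest", "<all_urls>"]},
    }
    for ext_id, manifest in samples.items():
        d = tmp / "Extensions" / ext_id / f"{manifest['version']}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return tmp


if __name__ == "__main__":
    for ext in inventory_extensions(build_sample_profile()):
        print(f"{ext['id'][:8]}  {ext['name']} {ext['version']}  "
              f"{'; '.join(ext['flags']) or 'no flags'}")
```

Point `inventory_extensions` at a real profile directory (for example `~/.config/google-chrome/Default` on Linux) to review your own installed extensions; anything flagged that you do not recognise is a candidate for removal.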