Up to 3 million devices infected by malware-laced Chrome and Edge add-ons

As many as 3 million people have been infected by Chrome and Edge browser extensions that steal personal data and redirect users to advertising or phishing sites, a security company said Wednesday.

In total, researchers from Prague-based Avast said they found 28 extensions for the Google Chrome and Microsoft Edge browsers that contained malware. The add-ons presented themselves as a way to download photos, videos, or other content from sites including Facebook, Instagram, Vimeo, and Spotify. At the time this post went live, some, but not all, of the malicious extensions were still available for download from Google and Microsoft.

Avast researchers found malicious code in the JavaScript-based extensions that allows them to download malware onto an infected computer. In a post, the researchers wrote:

Users have also reported that these extensions manipulate their internet experience and redirect them to other websites. Whenever a user clicks on a link, the extension will send click information to the attacker’s control server, which can optionally send a command to redirect the victim from the actual link target to a new URL before they are redirected to the website they meant to visit. User privacy is compromised by this procedure, as a log of every click is sent to these third-party intermediary websites. The actors also send and collect the user’s birth dates, email addresses, and device information, including first login time, last login time, the name of the device, the operating system, the browser used and its version, even IP addresses (which could be used to find out the history of the user’s geographical location).

The researchers still don’t know whether the extensions shipped with the malicious code built in or whether the developers waited for the extensions to reach a critical mass of users and only then pushed a malicious update. It is also possible that the add-ons were created by legitimate developers and then unknowingly sold to someone who intended to use them maliciously.

A recurring problem

Over the past few years, third-party add-ons have become a widespread way to infect people with malware and adware. Last year, a researcher discovered a Chrome and Firefox extension that collected and published the browsing history of about 4 million people.

The data revealed proprietary information from some of the biggest names in tech, including Tesla, Trend Micro, Symantec, and Blue Origin. People’s tax bills, doctor’s appointment records and other personal information were also published.

In at least one case, malicious code was added to an extension after attackers gained access to legitimate developer accounts. In other cases, the extensions have been published by developers who managed to circumvent the processes browser makers use in an attempt to prevent malicious add-ons.

Google and Microsoft did not immediately respond to an email seeking comment and asking if the companies intended to remove the extensions reported by Avast.

The apps reported by Avast are:

  • Message directly for Instagram
  • Message directly for Instagram
  • DM for Instagram
  • Invisible Mode for Instagram Direct Messaging
  • Download for Instagram
  • Download Instagram Video & Image
  • Phone App for Instagram
  • Phone App for Instagram
  • Stories for Instagram
  • Download universal video
  • Download universal video
  • Download video for FaceBook
  • Download video for FaceBook
  • Download Vimeo video
  • Download Vimeo video
  • Administrator
  • Zoomer for Instagram and FaceBook
  • VK UnBlock. Works fast.
  • Odnoklassniki UnBlock. Works fast.
  • Upload a photo to Instagram
  • Download Spotify music
  • Stories for Instagram
  • Upload a photo to Instagram
  • Pretty kitty, the pet cat
  • Download video for YouTube
  • Download SoundCloud music
  • New York Times News
  • Instagram app with direct DM message

The list that Avast provides in its blog post includes links to download locations for both Chrome and Edge. Anyone who has downloaded one of these add-ons should immediately remove it and run a virus scan.