Over 30 malicious extensions discovered in the Chrome Web Store
The extensions, used by millions of users, contained malicious code aimed at displaying unsolicited ads and manipulating search results
Recently, security experts identified more than 30 malicious extensions that had infiltrated the Chrome Web Store, possibly infecting millions of users. The discovery was initially made by security researcher Wladimir Palant, who three weeks ago realized that the PDF Toolbox extension for Chrome contained obfuscated code. This code allowed a third-party website to inject JavaScript code into all websites the user visited.
Investigation widens and more malicious extensions are discovered
The investigation widened when another extension was reported to be sending requests to the same third-party website, specifically serasearchtop[.]com. Following this report, the researcher located two other versions of the code and a total of 34 extensions in the Chrome Web Store that contained it. These included a version that connected to tryimv3srvsts[.]com.
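One way to check DNS logs for clients that contacted the two domains named above, as an added example that is not code from the article or from the researchers it cites. The log line format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re

# Indicators named in the article; the first is written defanged there.
INDICATORS = ["serasearchtop[.]com", "tryimv3srvsts.com"]

def refang(indicator):
    """Turn a defanged indicator (example[.]com, hxxp://) into a plain lowercase hostname."""
    host = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    host = re.sub(r"^hxxps?://", "", host)
    return host.split("/")[0].rstrip(".")

BLOCKLIST = {refang(i) for i in INDICATORS}

def matches_blocklist(hostname):
    """True when hostname is a listed domain or a subdomain of one."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    # Compare every parent suffix on label boundaries, so look-alikes such as
    # "notserasearchtop.com" or "serasearchtop.com.example.net" do not match.
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))

def flag_queries(log_lines):
    """Return (client, hostname) pairs for DNS log lines that hit the blocklist.

    Assumed line format (constructed): "<timestamp> <client> <qname> <qtype>".
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        client, qname = fields[1], fields[2]
        if matches_blocklist(qname):
            hits.append((client, qname))
    return hits

# Constructed sample log; client addresses are from the RFC 5737 documentation range.
SAMPLE_LOG = [
    "2023-06-05T10:00:01Z 192.0.2.10 www.example.org A",
    "2023-06-05T10:00:02Z 192.0.2.11 serasearchtop.com A",
    "2023-06-05T10:00:03Z 192.0.2.12 api.TRYIMV3SRVSTS.com. AAAA",
    "2023-06-05T10:00:04Z 192.0.2.13 notserasearchtop.com A",
    "2023-06-05T10:00:05Z 192.0.2.14 serasearchtop.com.example.net A",
    "truncated line",
]

if __name__ == "__main__":
    for client, qname in flag_queries(SAMPLE_LOG):
        print(f"{client} queried {qname}")
```

A hit identifies a client worth inspecting for the affected extensions; it does not by itself show which extension made the request.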
The impact of malicious extensions on the Chrome userbase
Overall, the identified extensions showed an install base of approximately 87 million users. The most popular of these were Autoskip for Youtube (9 million users), Soundboost (7 million), Crystal Ad block (6 million) and Brisk VPN (5 million). Most of the identified extensions each had more than a million downloads, although it is possible that these numbers were artificially inflated. Cybersecurity firm Avast, which identified 32 malicious extensions with a combined total of 75 million installations, found that the number of reviews of these extensions in the Chrome Web Store was suspiciously low compared to the number of installations.
Removing malicious extensions and next steps
Avast also found a discrepancy between the number of people who encountered the threat and the number of installations from the Chrome Web Store. What is concerning is the large number of extensions that have been found to contain the obfuscated code. Avast found that in addition to the 32 extensions it identified, another 50 were removed from the Chrome Web Store for the same reason. The malicious code appears to have been used to display unwanted ads and hijack search results to show sponsored links. However, security experts have yet to analyze the full extent of the attack. Google has removed all malicious extensions from the Chrome Web Store.
06/05/2023 17:51
Marco Verro