Thu. Dec 3rd, 2020

Google Chrome extension downloaded spyware, security firm reveals


Millions of Google Chrome users are targeted in a spyware attack that used web browser extensions to steal browsing history and login details

  • Free Google Chrome extensions downloaded spyware to millions of computers
  • The dodgy extensions claimed to warn web users about ‘questionable websites’ 
  • Once downloaded they sent browsing history and personal info to third parties
  • It’s been described as the most far-reaching malicious Chrome store campaign yet

Security researchers have discovered malware that compromised users through downloads of extensions to Google’s Chrome web browser. 

The ‘spyware’ – software that steals information from a computer and sends it to a third party – attacked users through 32 million downloads of Chrome extensions.

Most of the free extensions purported to warn users about questionable websites or convert files from one format to another. 

Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools, researchers at Awake Security told Reuters. 

The security experts have called it the ‘most far-reaching malicious Chrome store campaign’ ever, and yet it had been overlooked by Google.

Millions of Google Chrome users have been targeted in the spyware attack. Spyware steals information from a computer and sends it to a third party, without the person’s knowledge

Google, which is owned by Alphabet Inc, said it removed more than 70 of the malicious add-ons from its official Chrome Web Store after being alerted by the researchers last month.

‘When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,’ Google spokesman Scott Westover told Reuters.

Google declined to discuss how the latest spyware compared with prior campaigns, the breadth of the damage, or why it did not detect and remove the extensions on its own.

Google, which dominates the web browser market with more than a 60 per cent share, according to Stat Counter, claims to have a zero-tolerance approach to malware and malicious ads. 

‘We don’t allow advertisers to run ads, content or destinations that attempt to trick or circumvent our ad review processes,’ it says on its website. 

‘Google checks websites to see whether they host software or downloadable executables that negatively affect the user experience.’ 

Spyware is unwanted software that infiltrates your computing device, stealing your internet usage data and sensitive information. Spyware is classified as a type of malware – malicious software designed to gain access to or damage your computer, often without your knowledge 

Based on the number of downloads, this new form of Chrome spyware was the most far-reaching malicious Chrome store campaign to date, according to Awake co-founder and chief scientist Gary Golomb. 


Malware is a catch-all term for any type of malicious software, regardless of how it works, its intent, or how it’s distributed.

The term includes adware, spyware, viruses, trojans and more. 

Spyware is a specific type of malware that steals information from a computer and sends it to a third party, without the person’s knowledge. 

Spyware gathers your personal information and relays it to advertisers, data firms, or external users.

Source: Norton Security 

It is unclear who was behind the effort to distribute the malware, but Awake said the developers supplied fake contact information when they submitted the extensions to Google.  

The extensions were designed to avoid detection by antivirus companies or security software that evaluates the reputations of web domains, Golomb said.

If someone used Chrome to surf the web on a home computer, it would connect to a series of websites and transmit information, the researchers found. 

Anyone using a corporate network, which would include security services, would not transmit the sensitive information or even reach the malicious versions of the websites.

‘This shows how attackers can use extremely simple methods to hide, in this case, thousands of malicious domains,’ Golomb said.

All of the domains in question – more than 15,000 linked to each other in total – were purchased from a small registrar in Israel, Galcomm.

Awake said Galcomm should have known what was happening, but in an email to Reuters, Galcomm owner Moshe Fogel said his company had done nothing wrong.

‘Galcomm is not involved, and not in complicity with any malicious activity whatsoever,’ Fogel wrote. 

‘You can say exactly the opposite, we cooperate with law enforcement and security bodies to prevent as much as we can.’

Fogel said there was no record of the inquiries that Awake co-founder Golomb said he made in April and again in May to the company’s email address for reporting abusive behaviour. 

The Internet Corp for Assigned Names and Numbers, which oversees registrars, said it had received few complaints about Galcomm over the years, and none about malware.

Awake, the security firm that discovered the breach, said it was the most far-reaching malicious Chrome store campaign to date

Malicious developers have been using Google’s Chrome Store as a conduit for a long time, due to its popularity.

They initially spewed unwanted advertisements, and now are more likely to install additional malicious programs, or track where users are and what they are doing for government or commercial spies.

‘Anything that gets you into somebody’s browser or email or other sensitive areas would be a target for national espionage as well as organised crime,’ said former National Security Agency engineer Ben Johnson, who founded security companies Carbon Black and Obsidian Security. 

As a result, Google had set new rules last year for extension developers to follow, or otherwise face the possibility of having their extension removed from the Chrome store. 

In 2018, Google banned the installation of Chrome extensions through third-party sites, thereby limiting the installation process to the Chrome Web Store.

After one in 10 submissions was deemed malicious, Google said in 2018 it would improve security, in part by increasing human review.

But this February, independent researcher Jamila Kaya and Cisco Systems’ Duo Security uncovered a similar Chrome campaign that stole data from about 1.7 million users. 

Google joined the investigation and found 500 fraudulent extensions.

‘We do regular sweeps to find extensions using similar techniques, code and behaviours,’ Google’s chief scientist Gary Golomb said at the time. 


Because hackers are becoming more creative, security experts are warning that consumers need to take all possible measures to protect their identities (file photo)
