Massive spying on 32 million Google Chrome users: Google removes 70 malicious browser Extensions from Chrome Web Store
Using an add-on or extension to spy on Google Chrome browser users is an old trick. But what can a Chrome user do if that extension/add-on happens to have passed Google's proprietary vetting and has been marked safe for download? This happened with not one but 70 different Chrome extensions/add-ons available on Google's Chrome Web Store that were vetted and marked safe for download by Google for Chrome users.
These 70 malicious extensions had a cumulative 32 million downloads, which means that whoever made them could spy on 32 million Google Chrome users through a legitimate, official Google channel. This massive spy ring was detected by researchers at Awake Security, who informed Google about the 70 different malicious Chrome add-ons/extensions. Google immediately acted on Awake Security's warning and removed the culprit extensions from the Chrome Web Store.
Most of these 70 free extensions offered Chrome users instant services such as warnings about malware, converting JPG to PDF, converting PDF to MS Word, or changing their location. But unknown to the Chrome user, they spied on them, siphoning off and exfiltrating their entire browser history and email/banking credentials to a remote command and control server which has not been identified.
Awake Security says that the malicious extensions were mostly used to spy on home computer users. Awake researchers were not able to find either who made these malicious extensions or where their command and control servers were located. Awake said the developers supplied fake contact information when they submitted the extensions to Google.
But what happens to the Google Chrome users who have already downloaded one of the 70 extensions?
This is by far one of the most extensive spying rings that has been uncovered on Google Chrome. Awake researchers found that if a user who had installed one of these extensions used Chrome to surf the web on a home computer, the extension would connect to a series of websites and transmit information. However, when the Chrome user was on an office or corporate network, the extension would stop working. It seems the extension authors had written the code so that it would not transmit sensitive information when connected from an office or corporate network.
Researchers say this was because the malicious extension authors wanted to avoid detection by the anti-virus or firewall technology used in corporate networks. Most corporate networks have elaborate checks and firewalls in place to prevent employees from accessing unknown or suspicious websites.
The researchers found that the extensions would send information to a remote domain. Most of the domains were found to be owned by an Israeli firm, Galcomm, formally named CommuniGal Communication Ltd. However, Galcomm has denied any involvement in the extensions and has agreed to cooperate with law enforcement agencies.
If you have many extensions, remove the ones that offer free services such as malware-warning extensions, file converters and location-spoofing tools. Remember, these extensions can be dangerous and could steal your email records and banking information without your knowledge.
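The article describes extensions that read the entire browsing history and exfiltrate it to a remote domain; an extension can only do that if its manifest declares the permissions that grant such access. The audit below is an added example written for this page, not code from the article or from Awake Security. It walks a Chrome profile's `Extensions` directory (the `<id>/<version>/manifest.json` layout is assumed from Chrome's on-disk format) and flags manifests that declare permissions broad enough to read history, cookies, every open tab or every request on every site. Which permissions count as high-risk is this example's own judgement, and the two sample manifests are constructed for the demonstration, not taken from any real extension.

```python
import json
import tempfile
from pathlib import Path
from typing import List

# Chrome permission names that let an extension observe browsing activity
# across all sites. The selection is this example's own risk judgement.
HIGH_RISK_PERMISSIONS = {
    "history": "can read the full browsing history",
    "webRequest": "can observe every HTTP request the browser makes",
    "webRequestBlocking": "can modify or block requests in flight",
    "cookies": "can read session cookies, including webmail and banking sessions",
    "tabs": "can see the URL and title of every open tab",
    "<all_urls>": "host permission covering every website",
}

# Host patterns that are equivalent to <all_urls>; normalised to one name.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def risky_permissions(manifest: dict) -> List[str]:
    """Return the high-risk permissions a manifest declares (MV2 or MV3)."""
    declared = list(manifest.get("permissions", []))
    declared += list(manifest.get("host_permissions", []))  # MV3 keeps hosts separate
    found = set()
    for perm in declared:
        if perm in BROAD_HOST_PATTERNS:
            found.add("<all_urls>")
        elif perm in HIGH_RISK_PERMISSIONS:
            found.add(perm)
    return sorted(found)


def audit_manifest(manifest: dict) -> dict:
    """Summarise one manifest: name, version, risky permissions and a flag."""
    found = risky_permissions(manifest)
    return {
        "name": manifest.get("name", "<unnamed>"),
        "version": manifest.get("version", "?"),
        "risky": found,
        "reasons": [HIGH_RISK_PERMISSIONS[p] for p in found],
        "flag": bool(found),
    }


def audit_profile(extensions_dir: Path) -> List[dict]:
    """Audit every <id>/<version>/manifest.json under a profile's Extensions dir."""
    results = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip, do not crash the audit
        result = audit_manifest(manifest)
        result["path"] = str(manifest_path)
        results.append(result)
    return results


# Constructed sample manifests (not real extensions), used to run offline.
SAMPLE_CONVERTER = {
    "manifest_version": 2,
    "name": "Sample PDF Converter (constructed)",
    "version": "1.0",
    "permissions": ["storage", "history", "tabs", "<all_urls>", "webRequest"],
}
SAMPLE_BENIGN = {
    "manifest_version": 3,
    "name": "Sample Theme Switcher (constructed)",
    "version": "2.1",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
}


def self_check() -> int:
    """Write both samples into a temporary profile layout and count flagged ones."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Extensions"
        for ext_id, manifest in (("aaaa", SAMPLE_CONVERTER), ("bbbb", SAMPLE_BENIGN)):
            version_dir = root / ext_id / (manifest["version"] + "_0")
            version_dir.mkdir(parents=True)
            (version_dir / "manifest.json").write_text(json.dumps(manifest))
        return sum(1 for r in audit_profile(root) if r["flag"])


if __name__ == "__main__":
    # Point this at a real profile, e.g. ~/.config/google-chrome/Default/Extensions
    for entry in audit_profile(Path("./Extensions")):
        if entry["flag"]:
            print(f"{entry['name']} {entry['version']}: {', '.join(entry['reasons'])}")
```

Run it against the profile's `Extensions` directory to get a list of installed extensions worth reviewing. A flagged permission is not proof of malice, since a legitimate ad blocker also needs `webRequest` and `<all_urls>`, but it narrows the review to the extensions that could actually do what the article describes. In a managed environment the same idea can be enforced up front with Chrome's `ExtensionInstallAllowlist` policy, so that only reviewed extension IDs can be installed at all.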