Browser Extensions Laced With Malware
More than two million Chrome and Edge users installed extensions that later turned into malware. All 18 extensions delivered their advertised functionality, along with some unwanted bonus features.
Extensions (known as add-ons in Edge) are third-party tools that plug into a web browser to add features. Most have perfectly legitimate uses, for example sending the text of a long web article to the user's Kindle e-reader, or blocking ads.
Because extensions can have wide access to a user's browser and online activity, security is a must. That's why Google has a "verified" program that checks extensions for malware before they appear in the Chrome Web Store.
Browser Hijacked
Now Idan Dardikman of Koi Security has highlighted one extension that exposes a major flaw in that system. He examined "Color Picker, Eyedropper - Geco colorpick", which lets a user point at any pixel on a web page and get its precise color values (such as the proportions of red, green and blue) so they can replicate it.
While that's a very niche task, even a tiny proportion of Google's user base adds up to a huge number of people. This extension had more than 100,000 installations, with 800 largely satisfied users writing reviews, mostly because the extension worked as promised.
However, it also had a hidden tracking feature that captured the URL of every page the user attempted to visit and sent it to a remote server.
The server could then reply with an alternate URL, and the extension would redirect the browser there instead. That allows highly targeted phishing: for example, spotting somebody visiting a banking or email website and redirecting them to a lookalike, in the hope they type the login details for the real site into the fake one.
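The behaviour described above needs surprisingly little: an extension only has to be able to learn the URL of every navigation, because redirecting the tab (chrome.tabs.update) requires no special permission and the service worker can post the URL to any server the operators control. The following added example (not code from the article or from Koi Security) triages a Chrome or Edge extension manifest for exactly that capability, and lists the permissions an extension declares beyond what its advertised feature needs. The permission names are real Chrome extension permissions; the two manifests at the bottom are constructed for this example and are not the real extensions' files.

```javascript
// Added example: triage an extension manifest for the capabilities the
// URL-tracking-and-redirect hijack needs. The constructed manifests below are
// illustrative only; they are not the real store listings' manifest.json files.

// Permissions that by themselves expose the URL of every tab or navigation.
const URL_OBSERVERS = ["tabs", "webNavigation"];
// webRequest only sees request URLs on hosts the extension has host access to.
const HOST_SCOPED_OBSERVERS = ["webRequest"];

// True for match patterns that cover every site (Chrome match-pattern grammar):
// "<all_urls>", or any scheme with a bare "*" host such as "*://*/*" or "https://*/*".
function isBroadHostPattern(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|ftp|wss?):\/\/([^/]+)\//.exec(pattern);
  return m !== null && m[2] === "*";
}

// Host patterns live in `permissions` for MV2 and in `host_permissions` for MV3.
function hostPatterns(manifest) {
  if ((manifest.manifest_version || 2) >= 3) return manifest.host_permissions || [];
  return (manifest.permissions || []).filter(p => p === "<all_urls>" || p.includes("://"));
}

// Returns { level, reasons }: "high" when the extension can learn the URL of
// every page the user visits, "medium" when it has some host access, else "low".
function triageManifest(manifest) {
  const perms = (manifest.permissions || []).filter(p => p !== "<all_urls>" && !p.includes("://"));
  const hosts = hostPatterns(manifest);
  const broadHosts = hosts.filter(isBroadHostPattern);
  const reasons = [];

  const observers = perms.filter(p => URL_OBSERVERS.includes(p));
  if (observers.length) reasons.push(`sees every navigation URL via permission(s): ${observers.join(", ")}`);

  const scoped = perms.filter(p => HOST_SCOPED_OBSERVERS.includes(p));
  if (scoped.length && broadHosts.length) {
    reasons.push(`sees every request URL via ${scoped.join(", ")} on ${broadHosts.join(", ")}`);
  }

  // A content script injected everywhere can read location.href and set window.location.
  const broadScripts = (manifest.content_scripts || []).filter(cs => (cs.matches || []).some(isBroadHostPattern));
  if (broadScripts.length) reasons.push("content script runs on every site (can read and change the page URL)");

  let level = "low";
  if (observers.length || (scoped.length && broadHosts.length) || broadScripts.length) {
    level = "high";
  } else if (hosts.length || scoped.length) {
    level = "medium";
    reasons.push(`host access (${hosts.join(", ") || "none"}) without a navigation observer`);
  }
  return { level, reasons };
}

// Least-privilege gap: everything declared beyond what the advertised feature needs.
function excessPermissions(manifest, neededForFeature) {
  const needed = new Set(neededForFeature);
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  return declared.filter(p => !needed.has(p));
}

// Constructed sample: what an eyedropper actually needs is to read pixels from
// the active tab when the user clicks the toolbar button.
const COLOR_PICKER_NEEDS = ["activeTab", "scripting"];

const MINIMAL_COLOR_PICKER = {
  manifest_version: 3,
  name: "Example colour picker (constructed)",
  permissions: ["activeTab", "scripting"],
  action: { default_popup: "popup.html" }
};

// Constructed sample: same advertised feature, plus the permissions that let a
// background worker watch every navigation and steer the tab.
const OVERPRIVILEGED_COLOR_PICKER = {
  manifest_version: 3,
  name: "Example colour picker with tracking (constructed)",
  permissions: ["activeTab", "scripting", "tabs", "webNavigation", "storage"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "bg.js" },
  action: { default_popup: "popup.html" }
};

for (const m of [MINIMAL_COLOR_PICKER, OVERPRIVILEGED_COLOR_PICKER]) {
  const t = triageManifest(m);
  console.log(`${m.name}: ${t.level}`);
  for (const r of t.reasons) console.log(`  - ${r}`);
  const extra = excessPermissions(m, COLOR_PICKER_NEEDS);
  if (extra.length) console.log(`  - declared beyond the advertised feature: ${extra.join(", ")}`);
}
```

To run this against a real profile, pass the parsed manifest.json of each installed extension; on Windows they sit under %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<id>\<version>\ and %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions\<id>\<version>\. The check is a heuristic about capability, not a verdict about intent, and it has to be repeated after every update, which is the point the story makes: a version that was clean at review time but already declared "tabs" or "<all_urls>" can receive a malicious update without any new permission prompt, because nothing in the manifest has to change.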
'Verified' Extensions Compromised
Dardikman says he found 18 extensions across Chrome and Edge that appeared to be operated by the same people, with more than 2.3 million installations in total. They all offered niche, specific functions, which they delivered... along with the malware. Several had achieved Google's verification badge.
What makes the campaign particularly concerning is that the extensions all appear to have been "clean" when Google verified them. The creators waited, in one case for several years, before using automatic updates to add the malware. Dardikman says this is not "just another malware discovery, it's proof that the current marketplace security model is fundamentally broken."
Google has now removed all the extensions from the Chrome Web Store, though existing users will still need to uninstall them. The full list of affected extensions and add-ons is:
Chrome:
- Color Picker, Eyedropper - Geco colorpick
- Emoji keyboard online - copy&paste your emoji
- Free Weather Forecast
- Video Speed Controller - Video manager
- Unlock Discord - VPN Proxy to Unblock Discord Anywhere
- Dark Theme - Dark Reader for Chrome
- Volume Max - Ultimate Sound Booster
- Unblock TikTok - Seamless Access with One-Click Proxy
- Unlock YouTube VPN
- Unlock TikTok
- Weather (extension id: ihbiedpeaicgipncdnnkikeehnjiddck)
Edge:
- Flash Player - games emulator
- Header Value
- SearchGPT - ChatGPT for Search Engine
- Unlock Discord
- Unlock TikTok
- Volume Booster - Increase your sound
- Web Sound Equalizer
- Youtube Unblocked
What's Your Opinion?
Do you use extensions or add-ons? How do you check they are safe? Did you know about Google's verification badge and did you trust it to prevent malware?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website! If you need technical assistance, I can help. Click here to email me now; optionally, you can review my resume here. You can also read how I can fix your computer over the Internet (also includes user reviews).
Comments
Google MUST do a better job of policing the play store.
It's as simple as that. All apps should be screened every 30 days minimum.