As it has done many times over the past year with unwanted Android applications on its Play store, Google has removed 89 browser extensions from its official Chrome web store after a security vendor identified them as being malicious.
Google has also disabled the rogue extensions from running on the devices of over 420,000 Chrome users whose browsers were infected with the malware.
In a blog Feb. 1 security vendor Trend Micro said it discovered the browser extensions—which it has collectively dubbed Droidclub—being used to inject ads and crypto-currency mining tools into websites that the victims visited.
The malicious browser extensions also contained keylogging code to record all the actions that a user might take on different websites including all their keystrokes, mouse clicks and scrolling actions.
The code gave attackers a way to steal data that a user might enter into a web form including credit and debit cards numbers, CVV codes, phone numbers and email address, Trend Micro fraud researcher Joseph Chen wrote in the blog.
The attackers used a combination of malicious advertisements and social engineering to distribute the Droidclub extensions on end user browsers. The malicious ads typically displayed false error messages that attempted to get users to install the rogue extensions on the browsers. When users acted on the fake download prompts, the rogue extension would download to their browsers from the Chrome store.
Once installed the extension would communicate with an attacker-controlled command and control server for further instructions. The rogue extensions were designed to periodically serve up what Chen described as low-quality ads such as those associated with pornographic websites.
Trend Micro’s disclosure marks the third time in under a month that security researchers have found malicious browser extensions in Google’s Chrome store. In January, security vendor ICEBRG reported finding four malicious Chrome extensions in the store that had been downloaded over 500,000 times. Malwarebytes was another cyber-security company to report a similar discovery in January, though in its case the company also reported finding a rogue extension for Firefox as well.
Like the latest Droidclub extensions that Trend Micro reported this week, the malicious Chrome extension that Malwarebytes discovered was also designed to be very hard to remove. In both instances, users attempting to remove the browser extensions by visiting Chrome’s extension management page were redirected instead to another page.
For Google, the proliferation of rogue browser extensions on its Chrome web store represents a problem that is similar to the one the company faces with its Play Android mobile app store.
Over the past year in particular, threat actors have been able to frequently bypass Google’s security mechanisms and upload Android applications containing malware to Google Play. The company has been forced to remove hundreds of applications from Play after security vendors reported finding malware-laden apps in it.