Malicious Chrome Extensions With Over 75 Million Downloads Install Malware

Google has removed 32 malicious extensions from the Chrome Web Store that could have changed search results and pushed spam or unwanted adverts. They have received 75 million downloads altogether. 

The PDF Toolbox extension, which has had 2 million downloads from the Chrome Web Store, was examined by cybersecurity expert Wladimir Palant, who discovered that it contained code disguised as an extension API wrapper.

Reports say the extensions included legitimate functionality so that users would not notice the harmful behavior, which was concealed in obfuscated code that delivered the payloads.

Malicious Extensions In Chrome Web Store

In a report published earlier, the researcher describes how the code allowed the “serasearchtop[.]com” domain to insert arbitrary JavaScript code into any page the user visited.

The possibility of abuse includes everything from stealing sensitive information to adding advertisements to web pages.

Additionally, the researcher discovered that the code was designed to activate 24 hours after the extension was installed, a behavior that is frequently indicative of malicious intent.

Palant wrote a follow-up post on the incident a few days ago to warn that he had found the same suspicious code in 18 additional Chrome extensions with an overall download count of 55 million.

“The most popular of these extensions are Autoskip for Youtube, Crystal Ad block and Brisk VPN: nine, six and five million users respectively,” the researcher reports.

The most often used harmful extensions

Palant discovered two versions of the code, one pretending to be the Day.js library and the other to be Mozilla’s WebExtension browser API Polyfill.

The same arbitrary JS code injection technique via serasearchtop[.]com was present in both versions.
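For defenders who want to check an unpacked extension against what the report describes, the following added example (not code from the researcher or from the original article) reads an extension's manifest to see whether it can reach every page and searches its scripts for the domain named above. The sample extension, its file name and the URL path inside it are constructed for the demonstration.

```python
import json
import tempfile
from pathlib import Path

# Indicator taken from the article, stored defanged and refanged at load time.
INDICATORS = [i.replace("[.]", ".") for i in ["serasearchtop[.]com"]]
# Host patterns that let an extension touch every site the user visits.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_extension(ext_dir, indicators=INDICATORS):
    """Report whether one unpacked extension has all-site access and
    whether any of its scripts mention a known indicator domain."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    # Manifest V2 lists host patterns under "permissions", V3 under
    # "host_permissions"; content scripts carry their own "matches".
    declared = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        declared += script.get("matches", [])
    patterns = {p for p in declared if isinstance(p, str)}
    hits = []
    for path in sorted(ext_dir.rglob("*.js")):
        text = path.read_text(encoding="utf-8", errors="replace").lower()
        hits += [(path.name, ind) for ind in indicators if ind in text]
    return {
        "name": manifest.get("name", "?"),
        "broad_host_access": bool(patterns & BROAD),
        "indicator_hits": hits,
    }


def build_sample(root):
    """Constructed sample: a fake extension whose 'polyfill' file names the domain."""
    ext = Path(root) / "sample-ext"
    ext.mkdir()
    (ext / "manifest.json").write_text(json.dumps({
        "name": "Sample PDF helper (constructed)", "manifest_version": 3,
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "browser-polyfill.js"},
    }), encoding="utf-8")
    (ext / "browser-polyfill.js").write_text(
        'const cfg = "https://serasearchtop.com/placeholder"; // constructed\n',
        encoding="utf-8")
    return ext


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_extension(build_sample(tmp)))
```

A clean result does not clear an extension: the report says the code was obfuscated, so the domain may not appear as a plain string, and all-site access on its own is also common in legitimate extensions.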

Although the researcher did not observe any obvious malicious behavior, many user reports and reviews on the Web Store claim that the extensions were performing redirections and hijacking search results.

Security firm Avast claimed that after confirming the extensions’ dangerous nature, it reported them to Google and increased the list to 32 items. These boasted 75 million installs together.

While the extensions could seem harmless to unwary users, according to Avast, they are adware that manipulates search results to show sponsored links and paid results, occasionally even presenting harmful links.

Although the 75 million downloads appear to be a problem, the company believes the number was “artificially inflated.”


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.