Malicious Chrome & Edge Extensions Installs Over 3 Million Store

Czech Internet security giant Avast found out on December 16^th that around 3 million people all over the world have been infected with malware spread through third-party browser extensions for Instagram, Facebook, and Vimeo among others.

As of now Google Chrome and Microsoft Edge appear to be the affected browser. Google and Microsoft are extensively investigating the issue, but the 28 fake extensions continue to be available on the Chrome Web-Store and Microsoft Edge Add-on portals. As of now, 15 of these malicious extensions reside on Google Chrome and 13 on Microsoft Edge.

How does the malware work?

The malware works by hijacking the URL. So every time you click on a new link, the hacker tracks your every movement. Then the hacker automatically re-directs you to a new URL of his liking instead of to the one you chose to go to.

The incentive here is purely monetary as redirecting users to ads and phishing sites would yield a steady stream of incoming considering the horde of innocent users being re-directed.

Risk of data leaks

The malwares are not limited to just generating ad revenue, as they are capable of collecting user data as well. It has been reported that these fake extensions are capable of collecting the user’s date of birth, email address, device information, first sign in time, latest login time, browser used and even the IP address. These data points once put together have the potential to reveal a user’s geographical location.

Though these fake extensions were only recently discovered, some of them have been rampant since December 2018. It is believed that the attackers wait for the extension to become popular and then introduce the malware via an update. It is also possible that the original extension developer could have sold it to someone else, and subsequently they could have introduced the malware.

List of extensions affected on Google chrome and Microsoft Edge:

1. Direct Message for Instagram
2. Direct Message for Instagram™
3. DM for Instagram
4. Invisible mode for Instagram Direct Message
5. Downloader for Instagram
6. Instagram Download Video & Image
7. App Phone for Instagram
8. App Phone for Instagram
9. Stories for Instagram
10. Universal Video Downloader
11. Universal Video Downloader
12. Video Downloader for FaceBook™
13. Video Downloader for FaceBook™
14. Vimeo™ Video Downloader
15. Vimeo™ Video Downloader
16. Volume Controller
17. Zoomer for Instagram and FaceBook
18. VK UnBlock. Works fast.
19. Odnoklassniki UnBlock. Works quickly.
20. Upload photo to Instagram™
21. Spotify Music Downloader
22. Stories for Instagram
23. Upload photo to Instagram™
24. Pretty Kitty, The Cat Pet
25. Video Downloader for YouTube
26. SoundCloud Music Downloader
27. The New York Times News
28. Instagram App with Direct Message DM

You can follow us on Linkedin, Twitter, Facebook for daily Cyber security and hacking news updates.