Data-thieving Chrome extension

June 6, 2018
Threats

Owners of software stores (Google, Apple, Amazon, et al.) have to fight malware just as intensely as security solution vendors do. Like any circle, the process is never-ending: Cybercriminals write malware that worms its way into online stores, whereupon it gets named and shamed (not to mention deleted), the security policy is updated to avoid repeat incidents, and the cybercriminals contrive a way to sneak their creation past the new policy into the store.


We always recommend installing apps from official sources only, but that doesn’t mean that such sites are malware-free, just that there’s less of it than elsewhere. And although Google Play is fairly safe, the Chrome Web Store is a different kettle of piranha. In it, our experts recently discovered a malicious extension that targets users’ bank data.

A Trojan banker in your browser

The culprit was an extension named “Desbloquear Conteúdo” (Portuguese for “Unblock contents”), which essentially carried out a man-in-the-middle attack. When the user visited their bank’s website, a malicious script redirected the traffic through a proxy server belonging to the cybercriminals, allowing them to analyze it and pick out what they wanted.

The malware also contained scripts designed to extract certain information entered by users online. For example, when a user visited the bank’s login web page, the malware used a screen overlay perfectly matching the bank’s interface but replacing the login, password, and one-time confirmation code fields with its own. When the user pressed the login button, the malware copied the data for itself.

The domain on which the crooked C&C server was located used the same IP address as other domains previously exposed as malicious, which was one of the reasons the scheme caught our researchers’ attention. Once they’d confirmed their suspicions, the researchers contacted Google, and the malware was quickly removed from the Chrome Web Store.

Remember that during installation, Chrome extensions request access permissions that often give them near-limitless powers on your computer. Most malicious programs need just one permission: “Read and change all your data on the websites you visit” — which is pretty powerful.

So, handle extensions with extreme caution — they’re not necessarily benign, although they’re so easy to install, it’s easy to assume they can’t be powerful or do any harm.
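As an added example (not part of the original post and not Kaspersky’s tooling), here is a small audit script that reads extension manifests and flags the permission combination a banker like this needs: site-wide host access, traffic-rerouting APIs, and content scripts injected into every page. It assumes Chrome’s documented manifest keys; the sample manifest is constructed.

```python
"""Flag Chrome extension manifests that request site-wide or traffic-level access.
Added example, not from the original post; the sample manifest below is constructed."""
from __future__ import annotations
import json
from pathlib import Path

# Host patterns that amount to "read and change all your data on the websites you visit".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that let an extension reroute or rewrite traffic (e.g. via a proxy).
TRAFFIC_APIS = {"proxy", "webRequest", "webRequestBlocking", "declarativeNetRequest"}


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one parsed manifest.json."""
    findings = []
    # Manifest V2 mixes host and API permissions; V3 splits hosts into host_permissions.
    perms = set(manifest.get("permissions", []))
    hosts = perms | set(manifest.get("host_permissions", []))
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    if perms & TRAFFIC_APIS:
        findings.append("can reroute/rewrite traffic: " + ", ".join(sorted(perms & TRAFFIC_APIS)))
    # A content script injected on every site can overlay a bank's login form.
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append("content script on all sites: " + ", ".join(cs.get("js", [])))
    return findings


def audit_directory(root: Path) -> dict[str, list[str]]:
    """Audit every manifest.json below root (e.g. the profile's Extensions folder)."""
    results = {}
    for path in root.rglob("manifest.json"):
        manifest = json.loads(path.read_text(encoding="utf-8"))
        results[manifest.get("name", path.parent.name)] = audit_manifest(manifest)
    return results


# Constructed sample resembling the permission set a browser banker would request.
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Example Unblocker (constructed)",
    "permissions": ["proxy", "webRequest", "webRequestBlocking", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```

Point `audit_directory` at your browser profile's extensions folder to list which installed extensions would trigger the same findings.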


Protecting against malicious browser extensions

Here are some tips that will help fend off malware masquerading as a handy browser extension:

  • Install only extensions that you trust completely. There is no one perfect test for trust, unfortunately, but at least stick to extensions supplied by reputable developers.
  • Don’t add extra extensions if you have no real need for them.
  • If an extension is no longer necessary, remove it. You can always install it again if need be.
  • Use a tried-and-tested security solution such as Kaspersky Internet Security. All new Chrome extensions are automatically sent to us for analysis, so even in the very latest extensions, malware has no place to hide.