More Than 3 Million Chrome and Edge Users Have Malware-Infected Browser Extensions

Approximately 3 million users of Google Chrome and Microsoft Edge have been infected with malware that has been hidden in browser extensions, according to a new report from antivirus company Avast. At least 28 JavaScript-based Chrome and Edge extensions for Instagram, Facebook, Vimeo and others have had malicious code added, which is used to steal personal data and redirect users to adverts and phishing websites. The malicious code also allows the attackers to download additional malware onto users’ devices.

It is currently unclear how long the malicious code has been present in the extensions. Avast first started monitoring the threat in November 2020, but says it is possible that the malicious code has been present for far longer. Some users on the Google Chrome Web Store have submitted comments reporting that some of the extensions redirected them to malicious websites. Some of those comments date back to December 2018.

The malicious code steals personal data including email addresses, dates of birth, and device information such as device name, operating system, first sign-in time, last log-in time, browser type and version, and IP address. When a user clicks a link, the malicious extensions relay that information to the command and control server. The user will then either be permitted to visit the genuine site or be redirected to a webpage of the attacker’s choosing, and will later be redirected to the webpage they originally tried to view.

The aim of the attackers appears to be to monetize traffic and it is likely that they will receive payment for each user they redirect to a particular website. They could also be paid for distributing malware or directing users to phishing websites.

“Our hypothesis is that either the extensions were deliberately created with the malware built in, or the author waited for the extensions to become popular, and then pushed an update containing the malware,” said Jan Rubin, malware researcher at Avast. “It could also be that the author sold the original extensions to someone else after creating them, and then the buyer introduced the malware afterwards.”

The extensions known to include the malicious code are:

  • App Phone for Instagram
  • App Phone for Instagram
  • Direct Message for Instagram
  • Direct Message for Instagram™
  • DM for Instagram
  • Downloader for Instagram
  • Instagram App with Direct Message DM
  • Instagram Download Video & Image
  • Invisible mode for Instagram Direct Message
  • Odnoklassniki UnBlock. Works quickly.
  • Pretty Kitty, The Cat Pet
  • SoundCloud Music Downloader
  • Spotify Music Downloader
  • Stories for Instagram
  • Stories for Instagram
  • The New York Times News
  • Universal Video Downloader
  • Universal Video Downloader
  • Upload photo to Instagram™
  • Upload photo to Instagram™
  • Video Downloader for FaceBook™
  • Video Downloader for FaceBook™
  • Video Downloader for YouTube
  • Vimeo™ Video Downloader
  • Vimeo™ Video Downloader
  • VK UnBlock. Works fast.
  • Volume Controller
  • Zoomer for Instagram and FaceBook
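To check a machine against this list, the following added example (not code from Avast or from the article) walks a browser profile's `Extensions` directory and reports installed extensions whose display name matches a listed name. It assumes the on-disk layout `Extensions/<id>/<version>/manifest.json` used by Chrome and Edge, and it resolves localized `__MSG_key__` names through `_locales`, since a manifest often does not contain the display name directly.

```python
import json
import sys
from pathlib import Path

def norm(name):
    """Casefold, drop the trademark sign and collapse whitespace."""
    return " ".join(name.replace("™", "").casefold().split())

# Names from the article's list, duplicates collapsed; it gives no extension IDs.
FLAGGED = {norm(n) for n in (
    "App Phone for Instagram;Direct Message for Instagram;DM for Instagram;"
    "Downloader for Instagram;Instagram App with Direct Message DM;"
    "Instagram Download Video & Image;Invisible mode for Instagram Direct Message;"
    "Odnoklassniki UnBlock. Works quickly.;Pretty Kitty, The Cat Pet;SoundCloud Music Downloader;"
    "Spotify Music Downloader;Stories for Instagram;The New York Times News;"
    "Universal Video Downloader;Upload photo to Instagram™;Video Downloader for FaceBook™;"
    "Video Downloader for YouTube;Vimeo™ Video Downloader;VK UnBlock. Works fast.;"
    "Volume Controller;Zoomer for Instagram and FaceBook"
).split(";")}

def load(path):
    """Parse a JSON file; return {} when it is missing or malformed."""
    try:
        return json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}

def display_name(version_dir, manifest):
    """Resolve a localized "__MSG_key__" name via _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        messages = load(version_dir / "_locales" / locale / "messages.json")
        for key, entry in messages.items():  # message keys are case-insensitive
            if key.casefold() == name[6:-2].casefold():
                return entry.get("message", name)
    return name

def scan(extensions_root):
    """Return sorted (extension_id, display_name) pairs whose name is on the list."""
    hits = set()
    for mf in Path(extensions_root).glob("*/*/manifest.json"):
        name = display_name(mf.parent, load(mf))
        if norm(name) in FLAGGED:
            hits.add((mf.parent.parent.name, name))
    return sorted(hits)

if __name__ == "__main__":
    for ext_id, name in scan(sys.argv[1]):
        print(ext_id, name)
```

Run it with the path to a profile's `Extensions` directory as the only argument. A name match is a lead to investigate rather than proof, because the list gives names only and some of them (such as "Volume Controller") are generic.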

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news