The guys who are in charge web browser development Chrome have been working on maintaining a "healthy" environment within the browser add-on store and since the integration of the new Google Manifest V3, various security changes have been implemented and especially the controversies generated by the blocking of APIs used by many add-ons to block advertising.
All this work have been summarized in different results, which the blocking of a number of malicious add-ons was disclosed that were found in the Chrome Store.
In the first stage, the independent investigator Jamila Kaya and the company Duo Security identified a variety of Chomre extensions that initially operate in a "legitimate" manner, but in a deeper analysis of the code of these, operations that were running in the background were detected, of which many of them extracted user data.
Cisco Duo Security released CRXcavator, our automated Chrome extensions security assessment tool, for free last year to reduce the risk that Chrome extensions will present to organizations and allow others to develop our research to create an ecosystem safer Chrome extensions for everyone.
After reporting the problem to Google, more than 430 add-ons were found in the catalog, whose number of installations was not reported.
It is noteworthy that despite the impressive number of facilities, none of the problematic plugins have user reviews, leading to questions about how the plugins were installed and how the malicious activity went unnoticed.
Today, all the problematic plugins are removed from the Chrome Web Store. According to the researchers, malicious activity related to blocked plugins has been going on since January 2019, but the individual domains that were used to perform malicious actions were recorded in 2017.
Jamila Kaya used CRXcavator to uncover a large-scale campaign of copycat Chrome extensions that infected users and extracted data through malvertising while trying to evade Google Chrome fraud detection. Duo, Jamila, and Google worked together to ensure that these extensions, and others like them, were found and removed immediately.
Most malicious add-ons were presented as tools to promote products and participate in advertising services (the user sees ads and receives deductions). Also, the technique of redirecting to advertised sites was used when opening pages that were displayed in a string before displaying the requested site.
All plugins used the same technique to hide malicious activity and bypass the plug-in verification mechanisms in the Chrome Web Store.
The code for all plugins was nearly identical at the source level, with the exception of the function names that were unique to each plugin. The malicious logic was transmitted from centralized management servers.
Initially, the plugin connected to a domain that has the same name as the plugin name (for example Mapstrek.com), after which It was redirected to one of the management servers that provided the script for additional actions.
Among the actions carried out through plugins find the download of confidential user data to an external server, forwarding to malicious sites and approving the installation of malicious applications (For example, a message about computer infection is displayed and malware is offered under the guise of an antivirus or a browser update).
The redirected domains include various phishing domains and sites to exploit outdated browsers that contain uncorrected vulnerabilities (for example, after exploit attempts were made to install malicious programs that intercept passwords and analyze the transfer of confidential data via the clipboard).
If you want to know more about the note, you can consult the original publication In the following link.