Malware infected browser extensions stealing Chrome, Edge user data

Avast noted that the malware is quite tricky and does not execute itself if the victim is a web developer as it will be easy for them to identify its malicious activities.

Just last week it was reported that an infostealer malware is targeting popular browsers like Firefox, Chrome, Yandex, Edge browser. Now, the IT security researchers at Avast have identified several malware-infected third-party browser extensions running on Google Chrome, and Microsoft Edge browsers – These extensions are being used by around 3 million users around the world.

These extensions are developed to steal the personal data of users and redirect them to websites that are either compromised, running phishing scams, or bombarding visitors with unwanted ads.

According to Avast, most of these extensions hide behind services like video downloading for social media platforms mainly Facebook, Instagram, Vimeo, and VK, etc.

Upon installation, malicious code in the Javascript-based extensions lets attackers drop additional malware on the targeted device, says the report shared by Avast with

Users have also reported that these extensions are manipulating their internet experience and redirecting them to other websites. Anytime a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit, Avast wrote in a blog post.

Unsurprisingly, the motive behind the campaign is making money. Researchers believe that attackers are monetizing the traffic and get paid for every redirection to a third party domain.

Additionally, breaching user’s privacy to such an extent also lets attackers behind this campaign collect more information including victim’s email address, date of birth, time of signing in, last login, what operating system they are using, name of their device, what browser they are using and approximate geographical location history with the help of their IP address.

“Our hypothesis is that either the extensions were deliberately created with the malware built in, or the author waited for the extensions to become popular, and then pushed an update containing the malware. It could also be that the author sold the original extensions to someone else after creating them, and then the buyer introduced the malware afterwards,” said Jan Rubín, Malware Researcher at Avast.

Rubin further noted that the campaign has been operating for several years without getting noticed which is probably possible because of the malware’s detection evading capabilities. For instance, it does not execute itself if the victim is a web developer as it will be easy for them to identify its malicious activities.

“The extensions’ backdoors are well-hidden and the extensions only start to exhibit malicious behavior days after installation, which made it hard for any security software to discover,” Rubín added.

List of malicious extensions identified by Avast:

Direct Message for Instagram
Direct Message for Instagram™
DM for Instagram
Invisible mode for Instagram Direct Message
Downloader for Instagram
Instagram Download Video & Image
App Phone for Instagram
App Phone for Instagram
Stories for Instagram
Universal Video Downloader
Universal Video Downloader
Video Downloader for FaceBook™
Video Downloader for FaceBook™
Vimeo™ Video Downloader
Vimeo™ Video Downloader
Volume Controller
Zoomer for Instagram and FaceBook
VK UnBlock. Works fast.
Odnoklassniki UnBlock. Works quickly.
Upload photo to Instagram™
Spotify Music Downloader
Stories for Instagram
Upload photo to Instagram™
Pretty Kitty, The Cat Pet
Video Downloader for YouTube
SoundCloud Music Downloader
The New York Times News
Instagram App with Direct Message DM

At the time of publishing this article, the reported extensions were still available for download. The cybersecurity giant has informed Google and Microsoft about the issue.

For now, if you have any of these extensions installed on your browser it is advised to disable and remove them. Also, refrain from using third-party apps, install reliable anti-virus software, scan your device regularly change your password on all social media accounts and email addresses. 

You may also like...