Three million Google Chrome and Microsoft Edge users could be at risk of data theft and phishing after researchers discovered malware hidden in multiple browser extensions.
At least 28 third-party extensions were found to contain malicious JavaScript which could download additional malware, according to Avast. The extensions themselves are mainly designed to help users download video from some of the world’s most popular sites including Facebook, Vimeo, Instagram and YouTube.
Avast claimed the end goal for those behind the scheme could be to monetize traffic by forcing users to visit third-party sites, which they then get paid for, although users could also end up on phishing sites.
“Anytime a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit,” the Prague-based security vendor explained.
“User privacy is compromised by this procedure since a log of all clicks is being sent to these third-party intermediary websites. The actors also exfiltrate and collect the users’ birth dates, email addresses, and device information, including first sign-in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location history of the user).”
At present it’s unclear whether the extensions were built deliberately with malware concealed within, or if malicious actors waited for them to become popular and then pushed a malware-laden update.
“It could also be that the author sold the original extensions to someone else after creating them, and then the buyer introduced the malware afterwards,” said Jan Rubín, malware researcher at Avast.
“The extensions’ backdoors are well hidden and the extensions only start to exhibit malicious behavior days after installation, which made it hard for any security software to discover.”
Although Avast first detected the threat in November, the vendor admitted it could have been active for years.
Interestingly, if an infected user performs a web search on one of the malicious domains, the malware in question will cease activity on their machine, in order to hide from view. Avast claimed it will do the same if it detects that the user may be a web developer, although it’s unclear how.
As the extensions are currently still available, Avast recommended users disable or uninstall them.