WIRED: Look Out! Chrome Extension Malware Has Evolved
Posted on January 31st, 2018
Google has cracked down on Chrome extension malware—but the bad guys are finding ways to stay ahead of their defenses.
Lily Hay Newman, January 30, 2018
You already know to be wary of third-party Android apps, and even to watch your back in the Google Play Store. A flashlight app with only 12 reviews might be hiding some malware as well. But your hyper-vigilant download habits should extend beyond your smartphone. You need to keep an eye on your desktop Chrome extensions as well.
These handy little applets give you seamless access to services like Evernote or password managers, or put your Bitmoji just a click away. As with Android apps, though, Chrome extensions can sometimes hide malware or other scourges, even when you install them from the official Chrome Web Store. Google says that malicious extension installs have decreased by roughly 70 percent over the last two and a half years, but a steady stream of recent research findings show that the problem, and risk to users, is far from resolved.
"What we’re seeing is an increase in criminal use of extensions," says William Peteroy, CEO of the security firm Icebrg. "And when we start to see criminal pickup on things it absolutely meets our bar that this is something we need to pay attention to, and something users need to start paying a lot more attention to than they are right now."
Other browsers suffer a similar onslaught, but with almost 60 percent market share, attacks on Chrome users will generally affect the largest number of people, making it a prime target for criminal hackers. Icebrg recently highlighted four malicious extensions in the Chrome Web Store that had more than 500,000 downloads combined. The extensions masqueraded as standard utilities, with names like "Stickies" and "Lite Bookmarks." The researchers saw indications, though, that they were actually part of click-fraud scams to boost revenue for attackers. And the extensions requested enough privileges that they could have snooped even more, accessing things like user data, and tracking their behavior. Google removed the four extensions after Icebrg disclosed them privately.
"Since the creation of the extensions platform, we’ve worked hard to keep the extensions ecosystem free from malware and abuse," says James Wagner, a Chrome product manager at Google. "We're using machine learning to detect malicious behavior in extensions, and … we’ve been particularly focused on cracking down on abusive distribution methods." In particular, the Chrome team has been working to detect and block situations where websites push users to get an extension, sometimes trapping them in layers of installation pop-ups that try to trick people into installing.
In spite of these efforts, though, malicious extension campaigns pop up regularly. Part of the problem: Chrome is already a trusted application. When users give it permission to run certain code, like an extension, their operating system and most antivirus products usually give it a free pass. And the more systems and services move into the browser—like Microsoft 365 and Google’s G Suite—the more valuable data and network access a malicious Chrome extension could potentially get.
In addition to distributing malicious apps through mechanisms like phishing and compromised sites, attackers have also refined techniques to smuggle their extensions into the Chrome Web Store, and then modify them remotely once downloaded to add or activate nasty features.
In October, Google removed three extensions impersonating AdBlock Plus, one of which had almost 40,000 downloads. That same month, researchers at Morphus Labs discovered an extension, dubbed "Catch-All," that launched from a phishing attempt targeting WhatsApp users, mimicked an Adobe Acrobat installer, and then captured all the data users entered while browsing in Chrome once installed, including usernames and passwords.
In December, researchers at the internet security firm Zscaler found an extension that lifted login credentials, cookies, and financial data from users who visited and logged into Banco do Brasil websites and accounts. And this month, the software security company Malwarebytes published findings about an extension (built for both Chrome and Firefox) called "Tiempo en colombia en vivo" that forced itself to install when users visited compromised web pages and then was deviously difficult to uninstall. Malwarebytes researcher Pieter Arntz said that he couldn’t even completely analyze what the extension’s operations and goals were, because it was coded with extensive obfuscation.
When hackers put effort into masking the true intent of software, it generally indicates that an arms race is ramping up. Obfuscation and runtime changes are the same techniques attackers use to sneak malicious mobile apps into the Google Play Store and Apple’s App Store.
"I think the exposure is huge," says Jake Williams, a penetration tester and malware analyst who founded Rendition Infosec. "It's trivial for an attacker to get their extension published and then change the behavior dynamically after it's published."
The Icebrg researchers who found four malicious extensions downloaded half a million times say that they found the scale of infections worrying. And though Chrome’s improved defenses have clearly worked well enough to motivate new innovations from attackers, this next generation of malicious extensions may prove challenging to contain.
'It's trivial for an attacker to get their extension published and then change the behavior dynamically after it's published.'
Jake Williams, Rendition Infosec
"What we saw in our research was that this was undetected and active across a large swath of enterprises," Icebrg’s Peteroy says. "They’re successful in bypassing Google’s efforts to create security around extensions. And because extensions run at the application layer, running in the browser, it completely bypasses a lot of protections."
The crucial thing you can do to protect yourself from malicious Chrome extensions is to choose what you download carefully and only use extensions from trusted sources, whether you're in the Chrome Web Store or getting an extension from a specific developer. It’s also important to check what permissions each extension asks for when you install it, to make sure there’s nothing strange in the list, like a calculator tool that wants access to your webcam. And regularly review the list of Chrome extensions you have installed by going to "Window" and then "Extensions," so you can catch anything you don’t want and use that has snuck in.
Google says that more people are using Chrome extensions than ever, which makes sense, because they're convenient and useful. But don't go nuts downloading every weather tracker and emoji generator out there. There's a lot more at stake than you might think.