Malicious browser extensions are still a problem in the Chrome web store, but Google has been actively working in recent years to try to make Chrome users' lives safer. The company frequently removes malicious extensions from its store and has now removed three dangerous add-ons pretending to be VPNs.
Cybersecurity researchers at ReasonLabs discovered the fake VPN extensions and said the malware was distributed via downloads of popular video games such as Grand Theft Auto, The Sims 4, Heroes 3 and Assassin's Creed. The Trojan installers were reportedly Electron applications ranging in size from 60MB to 100MB and were found in more than 1,000 different torrent files.
Once the file is downloaded to the computer, the VPN extension is automatically installed on the system without any action from the user. The installer also reportedly checks for anti-malware software on the infected device and then force-installs one of at least three fake VPN extensions. The most popular of the three extensions is netPlus, which has over 1 million users, and the other two are netSave and netWin, which have also been installed 500,000 times.
The developers of these malicious extensions go to great lengths to portray them as genuine, offering some actual VPN features as well as paid subscription tiers to make them appear genuine at first glance. However, all three extensions abuse "off-screen" permissions, allowing them to steal sensitive user data by running scripts through the off-screen API and gaining full access to the web page's current DOM (Document Object Model).
These extensions can also hijack the browser, manipulate network requests, and even automatically disable other extensions. According to the report, the malware disables the cashback extension on the infected computer and redirects profits to criminals. The malware reportedly targets more than 100 legitimate cashback extensions, including AvastSafePrice, AVGSafePrice, Honey: AutomaticCoupons & Rewards, LetyShops, Megabonus, AliRadarShoppingAssistant, Yandex.MarketAdviser, ChinaHelper, and Backlit.
After ReasonLabs contacted Google, Google removed all three extensions from the Chrome web store, but not before they infected approximately 1.5 million devices. While these extensions are history, they are unlikely to be the last pieces of malware in the Chrome web store, so people must remain vigilant about what they install on their devices.
learn more:
https://reasonlabs.com/research/the-cashback-extension-killer