- Avast has said multiple browser extensions are infected with malware.
- Google Chrome and Microsoft Edge extensions can redirect users to phishing websites.
- These phishing websites can steal user data and monetise traffic.
If you use the Google Chrome or Microsoft Edge browser, chances are you have browser extensions installed to help you with nifty things such as downloading a Facebook video or DM-ing someone on Instagram. As many as 28 such extensions have now been identified as infected with malware that redirects users to unsafe websites and steals personal data such as email addresses, contact numbers, and even bank card information. Security firm Avast has noted in its report that around three million people may have been impacted by these malicious extensions.
Extensions are usually installed to carry out tasks that are otherwise not easy, such as downloading a YouTube or Facebook video or accessing a mobile app in a browser. Avast has listed several such extensions that are allegedly infected with malware, including Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, and VK Unblock. Users do not pay much attention before downloading these extensions, which are a haven for injecting harmful code that can download malware to the device.
"The actors also exfiltrate and collect the user's birth dates, email addresses, and device information, including first sign-in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location history of the user)," said Avast in a press statement.
According to the security firm, the basic purpose behind this activity is to monetise traffic from different users. The cyber criminals receive a payment for each redirection to a third-party domain. Redirecting users also benefits the phishing websites, because they can collect user information without consent and use that information in unimaginable ways.
"Our hypothesis is that either the extensions were deliberately created with the malware built-in, or the author waited for the extensions to become popular, and then pushed an update containing the malware. It could also be that the author sold the original extensions to someone else after creating them, and then the buyer introduced the malware afterwards," said Jan Rubín, Malware Researcher at Avast.
These browser extensions, available on both the Google Chrome and Microsoft Edge browsers, started being monitored in November this year, but Avast researchers believe the threats in them may have been active for years without anyone noticing. The researchers have cited reviews that some users left on the listings of these extensions on the Google Chrome Web Store, which mention link hijacking activities as far back as December 2018. Rubín says this could have happened because of the ability of these extensions to hide backdoors. These extensions "only start to exhibit malicious behaviour days after installation, which made it hard for any security software to discover."
All of the browser extensions mentioned by Avast in the report are still available to download on both the Google Chrome and Microsoft Edge browsers. Avast has said it has contacted both Google and Microsoft to report the threat, and both companies have said they are "currently looking into the issue." Until these extensions are removed from both browser stores, Avast advises users to disable or uninstall these extensions and perform a virus scan on their systems.