Skip to main content

Anti-virus and trusted accounts not enough to avoid Chrome extension malware

Chrome Extension
GoogleWebStore/Ars
A piece of banking malware discovered hiding behind a Chrome extension on Google’s Chrome Web Store for the second time in almost as many weeks, is just the latest to slip through in recent months. A number of nefarious applications have been infecting systems all over the world using the download platform, and many have been able to evade the most commonly used anti-malware solutions.

While of course, some anti-virus solutions are better than others, sometimes a piece of malware is so sophisticated it’s able to avoid detection by them all. This latest infectious trojan was discovered on the Chrome Web Store, and it masquerades as the “Interface Online” extension. It avoided detection by the 58 most common anti-viral applications.

Recommended Videos

Indeed it was so difficult to detect that even though it was removed just over two weeks ago from the Chrome Web Store, it was re-uploaded and made available again very recently, prompting the need for another user-report to bring it down. Discovered twice by the chief research officer at Morphus Labs, Renato Marinho (thanks Ars), the extension received upwards of 50 downloads during its tenure on the extension download platform.

The malware, in this case, was a data gathering one, designed to allow further exploitation of the victims. After securing form login information from the user, the malware transfers that data to a server controlled by the attackers, who can then use it to profile their victim. They then use that information to go after those who have financial control over the company they work for.

In targeted attacks, they call them up and use a combination of social engineering and phishing to have them give the attacker further access to financial information, which can result in banking theft.

As Ars points out, as problematic as this was, it’s just a symptom of a common problem affecting the extension store. Several Chrome extensions hosted on the Web Store have been discovered over the past year to contain malicious code, in some cases following the hijacking of legitimate developer accounts, making it very hard to know which extensions you can trust.

Although downloading any software from vetted sources is a great way to avoid being hit with malware, when the nefarious authors behind the malware are able to have it hosted on services like the Chrome Web Store, it makes it very hard to avoid them. That goes doubly so for the malware that is ultimately distributed under trusted developer accounts which have been compromised.

Marinho recommends that Google enable two-factor authentication for accounts on its Web Store to limit this problem, and encourage developer practices that limit extensions’ access to passwords and other credentials.

Jon Martindale
Jon Martindale is a freelance evergreen writer and occasional section coordinator, covering how to guides, best-of lists, and…
This Chrome extension lets hackers remotely seize your PC
A depiction of a hacker breaking into a system via the use of code.

Malicious extensions on Google Chrome are being used by hackers remotely in an effort to steal sensitive information.

As reported by Bleeping Computer, a new Chrome browser botnet titled 'Cloud9' is also capable of logging keystrokes, as well as distributing ads and malicious code.

Read more
Chrome extensions with 1.4M users may have stolen your data
Google Chrome icon in mac dock.

McAfee researchers have discovered various Google Chrome extensions that steal browsing activity, with the add-ons racking up more than a million downloads.

As reported by Bleeping Computer, threat analysts at the digital security company have come across a total of five such malicious extensions.

Read more
Google Chrome extensions are failing, and $8,000 is on the table for a fix
A mouse pointer hovering over the CrankWheel Chrome Eextension.

There seems to be some mysterious problem affecting certain Chrome extensions, but it's intermittent enough that it hasn't yet been solved. The problem is annoying enough that one developer has posted two $4,000 bug bounties and created an Upwork job listing that pays up to $150 per hour. These incentives might inspire others to help track down and fix the bug.

First spotted by TechRadar and described in detail in a blog post written by Jói Sigurdsson, founder and CEO of the CrankWheel screen-sharing extension for the Google Chrome browser, the bug is related to a failure to trigger an action when the extension's icon is clicked on the toolbar. Since this is frequently how an extension is used, it's a crippling error. Unfortunately, the problem is difficult to recreate and is estimated to impact only 3% to 5% of those that have affected extensions installed.

Read more