A piece of banking malware discovered hiding behind a Chrome extension on Google’s Chrome Web Store for the second time in almost as many weeks, is just the latest to slip through in recent months. A number of nefarious applications have been infecting systems all over the world using the download platform, and many have been able to evade the most commonly used anti-malware solutions.
While of course, some anti-virus solutions are better than others, sometimes a piece of malware is so sophisticated it’s able to avoid detection by them all. This latest infectious trojan was discovered on the Chrome Web Store, and it masquerades as the “Interface Online” extension. It avoided detection by the 58 most common anti-viral applications.
Indeed it was so difficult to detect that even though it was removed just over two weeks ago from the Chrome Web Store, it was re-uploaded and made available again very recently, prompting the need for another user-report to bring it down. Discovered twice by the chief research officer at Morphus Labs, Renato Marinho (thanks Ars), the extension received upwards of 50 downloads during its tenure on the extension download platform.
The malware, in this case, was a data gathering one, designed to allow further exploitation of the victims. After securing form login information from the user, the malware transfers that data to a server controlled by the attackers, who can then use it to profile their victim. They then use that information to go after those who have financial control over the company they work for.
In targeted attacks, they call them up and use a combination of social engineering and phishing to have them give the attacker further access to financial information, which can result in banking theft.
As Ars points out, as problematic as this was, it’s just a symptom of a common problem affecting the extension store. Several Chrome extensions hosted on the Web Store have been discovered over the past year to contain malicious code, in some cases following the hijacking of legitimate developer accounts, making it very hard to know which extensions you can trust.
Although downloading any software from vetted sources is a great way to avoid being hit with malware, when the nefarious authors behind the malware are able to have it hosted on services like the Chrome Web Store, it makes it very hard to avoid them. That goes doubly so for the malware that is ultimately distributed under trusted developer accounts which have been compromised.
Marinho recommends that Google enable two-factor authentication for accounts on its Web Store to limit this problem, and encourage developer practices that limit extensions’ access to passwords and other credentials.