Researchers at Awake Security have discovered a far-reaching malicious add-on on Google’s Chrome web browser.
The spyware, according to the research company, comes as free extensions to the Chrome web browser and has had over 32 million downloads.
Most of these free extensions, they said, claim to convert files from one format to another, or to warn users about questionable websites, but end up siphoning users’ browsing history and data that provide credentials for access to internal business tools.
This spyware could pose a huge risk to internet users, both individuals and corporate organisations. Speaking to Reuters, former National Security Agency engineer Ben Johnson said, “anything that gets you into somebody’s browser or email or other sensitive areas would be a target for national espionage as well as organized crime”.
Johnson, who is also founder of security companies Carbon Black and Obsidian Security, notes that this shows a security weakness, although it is still unclear who could be behind the efforts to distribute the malware.
According to Awake co-founder and chief scientist Gary Golomb, the number of downloads shows that this might be the most far-reaching malicious Chrome store campaign to date.
He added that the extensions appeared to be designed to avoid detection by antivirus companies or security software that evaluates the reputations of web domains.
Alphabet Inc’s Google said it has removed more than 70 of the malicious add-ons from its official Chrome Web Store after being alerted by the researchers last month.
“When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” Google spokesman Scott Westover told Reuters.
Westover, however, declined to discuss the extent of damage caused by this latest spyware, how it compares with previous spyware, or why Google did not detect the bad extensions on its own despite having a team dedicated to that purpose.
The problem of deceptive extensions has lingered for years, starting out as unwanted advertisements which stole users’ data once they clicked on them, before progressing to malicious programs which, when installed, track users and what they do on their systems.
Just in February 2020, independent researcher Jamila Kaya and Cisco Systems’ Duo Security uncovered similar malware that stole data from about 1.7 million users. Google joined the investigation and found 500 fraudulent extensions.
Google has always promised to improve security through regular sweeps.