Over five hundred Chrome extensions, with millions of downloads between them on Google’s Chrome Web Store, secretly uploaded private browsing data to attacker-controlled servers, new research shows.
These extensions were part of a long-running ad-fraud and fake advertising network.
Independent researcher Jamila Kaya uncovered the scheme. She and researchers from Duo Security identified 71 Chrome Web Store extensions that together recorded over 1.7 million installations.
Kaya said that the extensions’ creators had deliberately designed them to conceal their underlying advertising functionality from users.
“This was done to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users’ knowledge, expose the user to the risk of exploitation through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms,” Kaya stated.
The researchers reported their findings to Google, which in turn analyzed multiple extensions and found more than 430 additional extensions exhibiting the same behaviour. Google removed the malicious extensions from the store.
The extensions were marketed as tools providing various promotion and advertising-as-a-service utilities.
They carried out ad fraud and malvertising by routing infected browsers through a roster of shady domains.
Each plugin first connected to a domain that shared a similar name with the extension, then redirected the browser to one of many hard-coded control servers that supplied additional instructions, locations to upload data, advertisement feed lists, and yet more domains for further redirects.
From that point, infected browsers uploaded private user data, picked up updated plugin configurations, and then joined a stream of site redirections.
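The behaviour described above (an extension that can see and rewrite all of the browser’s traffic and that carries a list of hard-coded control hosts) leaves a footprint in the extension package itself. The following script is an added example, not code from the article or from the Duo Security research: it audits an extension’s manifest.json and background script for that combination. The two sample extensions, their permissions, the script bodies and the `.example` hostnames are all constructed for illustration.

```python
import json
import re
from urllib.parse import urlparse

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension observe or redirect requests in flight.
TRAFFIC_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest"}

# Matches http(s) URL literals inside a script body.
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s'\"]*)?")


def hard_coded_hosts(script: str) -> set:
    """Return the set of hostnames that appear as URL literals in a script body."""
    return {urlparse(m.group(0)).hostname for m in URL_RE.finditer(script)}


def assess(manifest: dict, background_js: str) -> dict:
    """Flag an extension that combines broad host access, request interception,
    and more than one hard-coded external host (a triage signal, not a verdict)."""
    perms = set(manifest.get("permissions", []))
    host_perms = set(manifest.get("host_permissions", []))  # MV3 keeps host patterns here
    broad = bool((perms | host_perms) & BROAD_HOSTS)
    traffic = bool(perms & TRAFFIC_PERMS)
    external = sorted(hard_coded_hosts(background_js))

    findings = []
    if broad:
        findings.append("broad host access")
    if traffic:
        findings.append("can intercept or rewrite requests")
    if len(external) > 1:
        findings.append(f"{len(external)} hard-coded external hosts")

    return {
        "name": manifest.get("name"),
        "suspicious": broad and traffic and len(external) > 1,
        "findings": findings,
        "hosts": external,
    }


# Constructed sample extensions: one benign note-taker, one modelled on the
# pattern in the article (name-alike first domain, then hard-coded control hosts).
SAMPLE_EXTENSIONS = [
    (
        {"name": "Tab Note", "manifest_version": 3,
         "permissions": ["storage", "activeTab"]},
        "chrome.storage.local.set({note: 'hello'});",
    ),
    (
        {"name": "Promo Helper", "manifest_version": 2,
         "permissions": ["<all_urls>", "webRequest", "webRequestBlocking", "tabs"]},
        """
        // constructed: first beacon goes to a domain that mirrors the extension name,
        // later requests go to hard-coded control hosts (all placeholders)
        var first = 'https://promo-helper.example/init';
        var control = ['https://ctl1.example/feed', 'https://ctl2.example/upload'];
        """,
    ),
]


def audit_samples() -> list:
    """Run the assessment over the constructed samples and return the results."""
    return [assess(manifest, js) for manifest, js in SAMPLE_EXTENSIONS]


if __name__ == "__main__":
    for result in audit_samples():
        print(json.dumps(result, indent=2))
```

The `suspicious` flag is only a triage signal: legitimate ad blockers and privacy tools also request `<all_urls>` together with `webRequestBlocking`, so a match warrants a look at what the hard-coded hosts actually receive, not an automatic removal. To use it on a real package, unpack the `.crx`, load `manifest.json` and the background script it names, and call `assess` on them.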