Be careful of these 4 malicious Google Chrome extensions

Earlier this month we reported that a popular Google Chrome extension called Archive Poster was reportedly misbehaving and had turned into an in-browser cryptocurrency miner. In a new development, security researchers have now detected four more malicious extensions on the Google Chrome browser. While the extensions have been taken down, they attracted some half-a-million active users.

The extensions have been identified by analytics firm ICEBRG as Change HTTP Request Header, Lite Bookmark, Stickies, and Nyoogle. ICEBRG said the four were likely employed for a click-fraud scam operation with the clear purpose of generating revenues.

ICEBRG ha notified Google and other stakeholders on the matter. As such, extensions like Change HTTP Request Header, Lite Bookmark, and Stickies have been removed from the Chrome Web Store. Nyoogle is still available to download, but Google has yet to issue a statement on the matter.

If you take the worldwide statics, Google Chrome basically is the most popular global web browser in terms of usage. As a result, the browser is a default favorite for cyber attacks. While the browser is known for its vaunted security features, mainly for its security sandbox and quick deployment of vulnerability patches, cybercriminals seem to always find an ingenious workaround to crack the protective shell put up by Google.

It appears that these criminals are tapping loopholes that exist on the Chrome Web Store to penetrate Google’s security protocols implemented on its web browser. The attackers’ latest weapon, it turned out, is a loaded browser extension.

According to ICEBRG making use of such tactic is quite effective, as malware authors take advantage of the system, which seemingly enjoys robust security, that governs the use of browser extensions found on the Chrome Web Store.

“In this case, the inherent trust of third-party Google extensions, and accepted risk of user control over these extensions allowed an expansive fraud campaign to succeed. In the hands of a sophisticated threat actor, the same tool and technique could have enabled a beachhead into target networks,” the security firm said in its comprehensive report.

Google tango, the augmented technology AR – GIZBOT

Meanwhile, the security firm has warned that the threat implications are high and true for both the average consumers and enterprise users. According to the report, the extensions managed to expose the system of some 500,000 Chrome users.

However, the security firm has also offered a brief description of how the weaponized extension works out. “By design, Chrome’s JavaScript engine evaluates (executes) JavaScript code contained within JSON. Due to security concerns, Chrome prevents the ability to retrieve JSON from an external source by extensions, which must explicitly request its use via the Content Security Policy (CSP),” ICEBRG said.

“When an extension does enable the ‘unsafe-eval’ permission to perform such actions, it may retrieve and process JSON from an externally-controlled server. This creates a scenario in which the extension author could inject and execute arbitrary JavaScript code anytime the update server receives a request.”

With this incident, Google Chrome users should basically keep a safe distance from browser extensions, specifically those coming from third-party providers.