In short: A security researcher recently highlighted about three dozen Chrome web store extensions showing suspicious behavior. Many people present themselves as a search assistant, while other advertisements pose as blockers, safety equipment, or extension scanners – all mysterious are mysteriously attached to a single, unused domain.
John Tucker, the founder of the browser security firm Secure Annex, discovered suspected extensions, assisting a customer, which had installed one or more for safety monitoring. First Red Flag: Two of the 132 extensions analyzed by him were unrestades, meaning that they do not appear in web discovers or chrome web stores. Users can only download these devices through a direct URL. The unrestaded extensions are not that uncommon. Businesses sometimes use them to limit public access to internal devices.
However, malicious actors often use unrestaded extensions to exploit users, hide them and make it difficult for Google to find out. After Tucker started analyzing two suspected extensions, he revealed 33 more. Many connect to the same server, use identical code patterns, and request equal permissions.
Apps asks users to consent to access sensitive data, including browser tabs and windows, cookies, storage, scripting, alarm and management APIs. This level of access is unusually high, making it easier for bad actors to take advantage of the user’s system for various malicious purposes.
Tucker wrote in his blog on Thursday, “At this point, this information should be sufficient for any organization to kick it properly from its environment as it offers unnecessary risks.” He said, “Either of the 35 apps require only permission management,” he added ARS Technica to an email.
In addition to the suspected number of requests of these apps, their programming is equally related. Tucker found that the app had heavy code. A developer will only program his software in such a way to check and understand its tasks for others.
Collectively, users have installed 35 apps more than 4 million times. Although it is not clear how much attention the unrestaded extensions attracted attention without appearing in the discoveries, Tucker noted that 10 ran Google’s “Featured” tag – usually a designation given to the developers has been vetted and trusted by Google. He did not explain how it can affect their distribution.
Tucker did not find any direct evidence that the extension exfiltrate data – but it does not exclude it. A tool claims to scan Chrome for malicious or suspected plugins from irony from irony. After analyzing this, Tucker discovered a JavaScript file, which can upload data and download codes and instructions from several shady domains, including an ankkon.com.
This domain stands out because all 35 apps refer to it in their background service, yet there is no visible web appearance or clear function. The WHOIS record lists it as “available” and “for sale”, making it particularly bizarre that so many extensions will indicate it.
“The codes in the domain, the cheerful, have no relevance, but (is) is incredibly useful to connect all the extensions together!” Tucker said.
Secure Annex published a comprehensive list of extensions ID and permissions on its blog and publicly accessible spreadsheets. A simple list of extension names appears in the above image. If you have any of these installed, the tucker recommends removing them immediately – safety risk removes any possible profit.
