Google removes 3 fake VPN extensions with 1.5 million users from Chrome Web Store - gHacks Tech News

Security researchers at Reason Labs discovered three malicious Chrome web extensions that were installed on 1.5 million installations of the web browser. Distributed through torrents, these extensions looked like legitimate VPN extensions at first glance.

The extensions appear to have spread through torrent files of popular video games. Reason Labs specifically mentions Grand Theft Auto, The Sims 4, Heroes 3, and Assassin's Creed torrents, but there may be other games. The company found the Trojan installer in more than 1,000 different torrent files that promised access to commercial games.

The downloaded installer files were between 60 MB and 100 MB in size. A common signer name was Spice & Wok Limited, but there have been others as well.

When the installer runs on the user's device, it unpacks one of the three malicious extensions on the system and installs it in the browser without user interaction. The extension is installed using a Windows Registry key, SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings\.

A method of installing extensions in Chrome that completely bypasses users is not new. In 2014, security researchers discovered a method to install Chrome extensions without any user interaction.

Two different extensions, netSave for Chrome and netPlus for Microsoft Edge, are installed on the user's system. According to researchers, the malicious Chrome extension was installed 1 million times.

The JavaScript code has more than 20,000 lines according to researchers, making it difficult to analyze. Researchers discovered that it runs a fake VPN and what they call a cashback activity hack.

Once the extension is installed, it disables other cashback extensions that may be installed in the infected web browser. It also presents a fake VPN user interface to hide its true intentions from the user.

The extensions are in Russian and appear to be aimed at Russian-speaking regions and users, such as Russia, Ukraine or Kazakhstan.

Reason Labs informed Google about the malicious extensions. Google has since removed the extensions from the Chrome Web Store.

Chrome and Edge users who download torrent files may want to check the list of installed extensions in the browser to make sure these extensions are not installed on their devices.
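One way to script the check suggested above (an added example, not code from the article or from Reason Labs). It assumes Chrome keeps per-extension records under extensions.settings in the profile's "Secure Preferences" JSON file, with the fields location, from_webstore and manifest.name, and that location codes 5 and 10 mark built-in components; the sample data is constructed.

```python
import json
import os
from pathlib import Path
# Extension names reported in the article.
REPORTED_NAMES = {"netsave", "netplus"}
COMPONENT_LOCATIONS = {5, 10}  # assumption: codes for built-in components


def audit_extensions(prefs: dict) -> list[dict]:
    """Return one finding per extension that deserves a manual look."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, record in settings.items():
        if not isinstance(record, dict):
            continue
        if record.get("location") in COMPONENT_LOCATIONS:
            continue  # shipped with the browser
        manifest = record.get("manifest") or {}
        name = str(manifest.get("name", ""))
        reasons = []
        if name.strip().lower() in REPORTED_NAMES:
            reasons.append("name matches an extension named in the report")
        if not record.get("from_webstore", False):
            reasons.append("not recorded as a Web Store install")
        if reasons:
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return findings


def audit_profile(path: Path) -> list[dict]:
    """Load a profile's Secure Preferences file and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_extensions(json.load(fh))


# Constructed sample data (IDs and contents are made up for illustration).
SAMPLE = {"extensions": {"settings": {
    "a" * 32: {"location": 1, "from_webstore": True,
               "manifest": {"name": "Example Ad Blocker"}},
    "b" * 32: {"location": 1, "from_webstore": False,
               "manifest": {"name": "netSave"}},
    "c" * 32: {"location": 5, "from_webstore": False,
               "manifest": {"name": "Built-in component"}},
}}}

if __name__ == "__main__":
    default = Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default/Secure Preferences"
    for f in audit_profile(default) if default.is_file() else audit_extensions(SAMPLE):
        print(f["id"], f["name"], "; ".join(f["reasons"]))
```

A finding is a prompt for manual review, not a verdict: extensions loaded unpacked for development are also not recorded as Web Store installs, and localized extensions may store a placeholder instead of a readable name in the manifest.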

Reason Labs notes that the developer of the extensions appears to have created other extensions. The company recommends that users install extensions, games and programs only from legal and legitimate sources. It also recommends running up-to-date antivirus software, avoiding clicking on unknown links or pop-ups, and enabling two-factor authentication whenever possible.

Additional information, including technical details, can be found on the Reason Labs website.

Now You: Do you use browser extensions?

Author: Martin Brinkmann

Editor: Ghacks Technology News