Cyber Web Spider Blog – News

Weaponized Chrome Extension Affects 1.7 Million Users Despite Google’s Verified Badges


Posted on July 8, 2025 By CWS

A sophisticated malware campaign has infected over 1.7 million Chrome users through eleven seemingly legitimate browser extensions, all of which carried Google’s verified badge and featured placement on the Chrome Web Store.

The “Malicious11” campaign, discovered by cybersecurity researchers at Koi Security, represents one of the largest browser hijacking operations ever documented, exploiting the very trust signals users rely on to identify safe extensions.

The Perfect Trojan Horse Operation

The malicious extensions masqueraded as popular productivity and entertainment tools across diverse categories, including emoji keyboards, weather forecasts, video speed controllers, VPN proxies for Discord and TikTok, dark themes, volume boosters, and YouTube unblockers.

What made this campaign particularly devious was that each extension delivered exactly what it promised while simultaneously implementing sophisticated surveillance and hijacking capabilities.

The investigation began when researchers analyzed “Color Picker, Eyedropper — Geco colorpick,” an extension with over 100,000 installs and 800+ reviews.

Despite appearing completely legitimate and maintaining verified status, the extension was secretly hijacking users’ browsers, tracking every website visit, and maintaining a persistent command and control backdoor.

Perhaps most concerning is how the malware was deployed. These weren’t malicious extensions from day one – they operated legitimately for years before becoming malicious through version updates.

The codebase of each extension remained clean, sometimes for years, before the malware was implemented through automated updates that silently installed for over 1.7 million users.

“Because of how Google handles browser extension updates, these versions are auto-installed silently,” the researchers noted. “No phishing. No social engineering. Simply trusted extensions with a quiet version bump.”

Sophisticated Browser Hijacking

The malware implements a sophisticated browser hijacking mechanism that activates every time users navigate to a new page.

Hidden within each extension’s background service worker is code that monitors all tab activity, capturing URLs and sending them to remote servers along with unique tracking identifiers.

This creates a massive persistent man-in-the-middle capability that can be exploited at any moment.

For example, users clicking Zoom meeting invitations could be redirected to fake pages claiming they need to download “critical updates,” or banking sessions could be intercepted and redirected to pixel-perfect replicas hosted on attackers’ servers.
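An added example, not code from Koi Security or from the affected extensions: a check a defender can run over the manifest.json of each installed extension version to flag the capability described above (a background context that can read URLs on every site) and to list the grants an update added. The manifests are constructed samples and the function names are hypothetical; the second case shows that an update which changes only code leaves the manifest diff empty, so the capability inventory is the signal to rely on.

```javascript
// Added example. Manifests are constructed samples, not the affected extensions' files.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const URL_APIS = new Set(["tabs", "webNavigation"]); // expose URLs of tabs/navigations

// Split a Manifest V2 or V3 object into API grants and host grants.
function grants(manifest) {
  const perms = manifest.permissions || [];
  const isHost = (p) => p === "<all_urls>" || p.includes("://");
  return {
    apis: perms.filter((p) => !isHost(p)),
    hosts: (manifest.host_permissions || []).concat(perms.filter(isHost)),
  };
}

// True when a background context can observe URLs across all sites.
function canTrackAllTabs(manifest) {
  const { apis, hosts } = grants(manifest);
  const bg = manifest.background || {};
  const hasBackground = Boolean(bg.service_worker || bg.scripts || bg.page);
  return hasBackground &&
    (apis.some((p) => URL_APIS.has(p)) || hosts.some((h) => BROAD_HOSTS.has(h)));
}

// Compare two installed versions of one extension.
function reviewUpdate(oldManifest, newManifest) {
  const before = grants(oldManifest);
  const after = grants(newManifest);
  const had = new Set(before.apis.concat(before.hosts));
  return {
    from: oldManifest.version,
    to: newManifest.version,
    added: after.apis.concat(after.hosts).filter((g) => !had.has(g)),
    trackingCapable: canTrackAllTabs(newManifest),
  };
}

// Constructed case 1: the update widens the grants.
const PICKER_OLD = { version: "1.0.0", background: { service_worker: "bg.js" },
  permissions: ["activeTab", "storage"] };
const PICKER_NEW = { version: "1.1.0", background: { service_worker: "bg.js" },
  permissions: ["activeTab", "storage", "tabs"], host_permissions: ["<all_urls>"] };
// Constructed case 2: grants unchanged, so a manifest diff shows nothing.
const THEME_OLD = { version: "2.3.0", background: { service_worker: "sw.js" },
  permissions: ["tabs", "storage"] };
const THEME_NEW = { ...THEME_OLD, version: "2.3.1" };

console.log(reviewUpdate(PICKER_OLD, PICKER_NEW));
console.log(reviewUpdate(THEME_OLD, THEME_NEW));
```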

The Malicious11 campaign exposes systemic failures in marketplace security. Google’s verification process failed to detect sophisticated malware across eleven different extensions, instead promoting several through verification badges and featured placement.

The attackers successfully exploited every trust signal users rely on – verification badges, install counts, featured placement, years of legitimate operation, and positive reviews.

Users should immediately remove any affected extensions, clear browser data to remove stored tracking identifiers, run full system malware scans, and monitor accounts for suspicious activity.

The incident highlights the urgent need for improved marketplace security mechanisms as threat actors evolve beyond individual attacks to create a complete infrastructure that can remain dormant for years before activation.

This campaign represents a watershed moment in browser extension security, demonstrating how the current marketplace security model is fundamentally broken.
