Recent findings by cybersecurity firm Socket have uncovered a significant threat posed by malicious Chrome extensions. Over 20,000 users have unknowingly installed these harmful extensions, which are designed to create backdoors, steal sensitive information, or inject unwanted advertisements into web pages.
Coordinated Campaign Revealed
The malicious extensions have been distributed through five separate accounts: GameGen, InterAlt, SideGames, Rodeo Games, and Yana Project. Despite the use of different accounts, these extensions share a common command-and-control (C&C) infrastructure, suggesting a coordinated effort. In total, Socket has identified 108 extensions engaging in a variety of malicious activities.
In-depth Malicious Activities
Half of the identified extensions were specifically designed to compromise Google accounts by exploiting OAuth2. Meanwhile, 45 extensions contain a universal backdoor which can open arbitrary URLs upon browser startup. Additionally, some extensions exfiltrate Telegram sessions, inject ads into YouTube and TikTok, or proxy translation requests through attacker-controlled servers.
The extensions cover multiple product categories, such as Telegram sidebar clients, slot machine games, and YouTube enhancers, all employing the same backend to execute their malicious tasks discreetly.
Examples of Targeted Extensions
One example is the Telegram Multi-account extension, which compromises active Telegram Web sessions by manipulating local storage with attacker-supplied data. Another extension, Web Client for Telegram – Teleside, is capable of stealing sessions and includes a backdoor for direct payload activation.
Furthermore, the 54 extensions targeting Google accounts utilize identical code to acquire OAuth2 tokens and send user information, such as email and profile picture, to a remote server. The tokens remain local, but the extracted identity records are sent to the operator’s server.
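The two capability patterns described above (identity/OAuth2 access paired with a third-party server, and content injection on sites such as YouTube, TikTok and Telegram Web) can both be spotted in an extension's manifest before it is trusted. The following audit script is an added example, not code from Socket or from any of the extensions in the report; the manifests it inspects are constructed samples with invented names, and the rule set (`BROAD_HOST_PATTERNS`, `SENSITIVE_SITES`, the finding tags) is an assumption chosen for illustration. The manifest keys it reads (`permissions`, `host_permissions`, `oauth2`, `content_scripts`) are standard Chrome extension manifest fields.

```python
"""Flag Chrome extension manifests whose permission shape matches the
exfiltration and injection patterns in the report: identity/OAuth2 access
plus a non-Google host, broad host access, or content scripts on sites
singled out in the article. Added example with constructed sample data."""
import json

# Constructed sample manifests (invented names, placeholder client id);
# none of these are the manifests of the reported extensions.
SAMPLE_MANIFESTS = {
    "calm-notes": json.dumps({
        "manifest_version": 3,
        "name": "Calm Notes (constructed sample)",
        "permissions": ["storage"],
    }),
    "account-sync": json.dumps({
        "manifest_version": 3,
        "name": "Account Sync (constructed sample)",
        "permissions": ["identity", "storage"],
        "oauth2": {
            "client_id": "PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com",
            "scopes": ["https://www.googleapis.com/auth/userinfo.email",
                       "https://www.googleapis.com/auth/userinfo.profile"],
        },
        "host_permissions": ["https://collector.example.invalid/*"],
    }),
    "video-plus": json.dumps({
        "manifest_version": 3,
        "name": "Video Plus (constructed sample)",
        "permissions": ["scripting"],
        "host_permissions": ["*://*.youtube.com/*", "*://*.tiktok.com/*"],
        "content_scripts": [{"matches": ["*://*.youtube.com/*"],
                             "js": ["inject.js"]}],
    }),
}

# Assumed rule set: match patterns that grant access to every origin, and
# the sites the report names as injection / session-theft targets.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_SITES = ("telegram.org", "youtube.com", "tiktok.com")
GOOGLE_HOSTS = ("googleapis.com", "google.com")


def _host_patterns(manifest: dict) -> set:
    """Collect every host match pattern the extension declares: MV3
    host_permissions, MV2-style host entries in permissions, and the
    match lists of its content scripts."""
    hosts = set()
    for key in ("host_permissions", "optional_host_permissions", "permissions"):
        hosts.update(h for h in manifest.get(key, [])
                     if "://" in h or h == "<all_urls>")
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return hosts


def audit_manifest(manifest: dict) -> list:
    """Return a list of finding tags for one parsed manifest."""
    findings = []
    perms = set(manifest.get("permissions", [])) | \
        set(manifest.get("optional_permissions", []))
    hosts = _host_patterns(manifest)
    oauth2 = manifest.get("oauth2", {})

    # Pattern 1: the extension can mint OAuth2 tokens for the signed-in
    # Google account. On its own that is legitimate; combined with a
    # non-Google host it is the shape of the identity exfiltration above.
    if "identity" in perms or oauth2:
        findings.append("identity-access")
        if any("userinfo" in s for s in oauth2.get("scopes", [])):
            findings.append("userinfo-scopes")
        third_party = [h for h in hosts
                       if not any(g in h for g in GOOGLE_HOSTS)]
        if third_party:
            findings.append("identity-plus-remote-host")

    # Pattern 2: access to every origin (can read or inject into any page).
    if hosts & BROAD_HOST_PATTERNS:
        findings.append("broad-host-access")

    # Pattern 3: content scripts that run on the sites named in the report.
    on_sensitive = any(site in h for site in SENSITIVE_SITES for h in hosts)
    if on_sensitive and manifest.get("content_scripts"):
        findings.append("content-script-on-sensitive-site")
    return findings


def audit_all(manifests: dict) -> dict:
    """Audit a mapping of extension id -> manifest JSON text."""
    return {ext_id: audit_manifest(json.loads(text))
            for ext_id, text in manifests.items()}


if __name__ == "__main__":
    for ext_id, findings in audit_all(SAMPLE_MANIFESTS).items():
        print(f"{ext_id}: {findings or 'no findings'}")
```

To run it against a real profile, replace `SAMPLE_MANIFESTS` with the contents of each `manifest.json` under the browser's extension directory; a tag is a prompt to read the extension's background script, not a verdict on its own, since legitimate account-sync or video tools declare the same fields.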
Despite Socket's reports, the malicious extensions have not yet been removed from the Chrome Web Store, raising concerns about user safety and browser security.
Future vigilance from both users and cybersecurity firms like Socket is crucial in mitigating such threats and safeguarding user data against potential exploits.
