A large number of Chrome extensions with malicious code are discovered
Wladimir Palant, a security researcher and former developer of the popular extension Adblock Plus, has reported that a number of extensions in the Chrome Web Store contained obfuscated malicious code.
More malicious extensions in Chrome Web Store | Almost Secure
Mr. Palant first discovered this problem in an extension called 'PDF Toolbox', which offers functions such as editing and combining PDF files. With over 2 million users and a 4.2 rating, the extension looked nondescript on the surface, but it was found to contact serasearchtop[.]com, an adware distributor. Palant's detailed analysis revealed that it has the ability to access the domain and inject arbitrary JavaScript code into any site visited by the browser.
However, the extension implemented a PDF conversion function to justify requesting extensive permissions, disguised the code that downloads suspicious files as handling of harmless data, and did not make requests right away. It is said that this problem remained unnoticed by anyone for at least a year.
It's unclear why the developers went to great lengths to obfuscate the malicious code, as the malicious code could not be observed in action, but Palant said, 'I speculate that it may be for the purpose of "monetizing extensions", which is prohibited by the Chrome Web Store policy, by preparing or inserting cryptocurrency mining codes.' However, this was only a prediction, and theoretically anything was possible.
Palant went public with the issue in
However, as the number of samples surveyed has increased, it has become clear to some extent what the developers are aiming for. Palant found that a 2021 review submitted for an extension called 'Image Download Center' complained that it redirected the search page.
Similar reviews were also posted for an extension called 'OneCleaner'. However, Palant warned that just because the developers were making money from search page redirects in 2021, it doesn't mean they are still making money that way today.
Fortunately, since June 1st, Google has been deleting the extensions in question, including 'PDF Toolbox', one after another, and at the time of writing only eight extensions are left on the store page. Palant said the rest will be addressed soon.
The following is the list of extensions identified as 'malicious extensions' by Palant et al. Those with a strikethrough in the name had been deleted at the time of writing.
| Extension name | Weekly active users | ID of the extension |
|---|---|---|
| | 9,008,298 | lgjdgmdbfhobkdbcjnpnlmhnplnidkkp |
| Soundboost | 6,925,522 | chmfnmjfghjpdamlofhlonnnnokkpbao |
| | 6,869,278 | lklmhefoneonjalpjcnhaidnodopinib |
| | 5,595,420 | ciifcakemmcbbdpmljdohdmbodagmela |
| | 3,499,233 | meljmedplehjlnnaempfdoecookjenph |
| | 3,483,639 | lipmdblppejomolopniipdjlpfjcojob |
| | 2,797,773 | lmcboojgmmaafdmgacncdpjnpnnhpmei |
| | 2,786,137 | icnekagcnccdgpdnpoecofjinkplbnocm |
| | 2,782,790 | bahogceckgcanpcoabcdgmoidngedmfo |
| | 2,571,050 | bkpdalonclochcahhipekbnedhklcdnp |
| | 2,437,224 | magnkhldhhgdlhikeighmhlhonpmlolk |
| | 2,430,636 | edadmcnnkkkgmofibeehgaffppadbnbi |
| | 2,370,645 | ajneghihjbebmnljfhlpdmjjpifeaokc |
| | 2,366,136 | nadenkhojomjfdcppbhhncbfakfjiabp |
| | 2,353,436 | pbdpfhmbdldfoioggnphkiocpidecmbp |
| | 2,237,147 | hdgdghnfcappcodemanhafioghjhlbpb |
| Amazing Dark Mode | 2,228,049 | fbjfihoienmhbjflbobnmimfijpngkpa |
| | 2,226,293 | kjeffohcijbnlkgoaibmdcfconakaajm |
| Awesome Auto Refresh | 2,222,284 | djmpbcihmblfdlkcfncodakgopmpgpgh |
| | 1,973,783 | obeokabcpoilgegepbhlcleanmpgkhcp |
| | 1,967,202 | mcmdolplhpeopapnlpbjceoofpgmkahc |
| | 1,852,707 | dppnhoaonckcimpejpjodcdoenfjleme |
| Volume Frenzy | 1,626,760 | idgncaddojiejegdmkofblgplkgmeipk |
| | 1,493,741 | deebfeldnfhemlnidojiiidadkgnglpi |
| | 1,471,726 | gfbgiekofllpkpaoadjhbbfnljbcimoh |
| | 1,460,691 | pbebadpeajadcmaoofljnnfgofehnpeo |
| | 1,459,488 | flmihfcdcgigpfcfjpdcniidbfnffdcf |
| | 1,457,548 | pinnfpbpjancnbidnnhpemakncopaega |
| | 1,456,013 | iicpikopjmmincpjkckdngpkmlcchold |
| Leap Video Downloader | 1,454,917 | bjlcpoknpgaoaollojjdnbdojdclidkh |
| | 1,451,822 | okclicinnbnfkgchommiamjnkjcibfid |
| Qspeed Video Speed Controller | 732,250 | pcjmcnhpobkjnhajhhleejfmpeoahclc |
| Hyper Volume | 592,479 | hinhmojdkodmficpockledafoeodokmc |
| Light picture-in-picture | 172,931 | gcnceeflimggoamelclcbhcdggcmnglm |
Mr. Palant appeared in a thread on the social news site Hacker News, which featured his blog post, and said, 'Google has long introduced policy changes aimed at limiting the unauthorized use of extensions. But it's no good unless you effectively enforce that policy. These extensions have been around for at least two years and have been violating Google's policies ever since. However, they remained in the Chrome Web Store,' pointing out that various rules, including policies that prohibit requests for unnecessary permissions, were not enforced.
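As an added example (not code from the original article or from Palant), the following audit walks a Chrome profile's extension folder, checks each installed ID against IDs from the table above, and flags manifests that request access to every site, the permission level that makes the script injection described earlier possible. The `Extensions/<id>/<version>/manifest.json` layout, the function names and the sample manifests are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# IDs copied from the table above (only rows whose names survive on the page).
FLAGGED_IDS = {
    "chmfnmjfghjpdamlofhlonnnnokkpbao": "Soundboost",
    "fbjfihoienmhbjflbobnmimfijpngkpa": "Amazing Dark Mode",
    "djmpbcihmblfdlkcfncodakgopmpgpgh": "Awesome Auto Refresh",
}
# Match patterns that grant an extension access to every site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Collect patterns from MV2 permissions, MV3 host_permissions, content scripts."""
    pats = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        pats += cs.get("matches", [])
    return {p for p in pats if isinstance(p, str)}  # skip non-string entries


def audit(ext_root):
    """Return one finding per <id>/<version>/manifest.json under ext_root."""
    findings = []
    for mf in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = mf.parts[-3]  # directory name is the extension ID
        try:
            manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to report
        findings.append({
            "id": ext_id, "name": manifest.get("name", ""),
            "on_list": ext_id in FLAGGED_IDS,
            "all_sites": bool(host_patterns(manifest) & BROAD),
        })
    return findings


def demo():
    """Run the audit over two constructed manifests (not the real extensions' files)."""
    samples = {
        "chmfnmjfghjpdamlofhlonnnnokkpbao": {"name": "Soundboost", "permissions": ["tabs", "<all_urls>"]},
        "a" * 32: {"name": "Constructed benign", "host_permissions": ["https://example.com/*"]},
    }
    with tempfile.TemporaryDirectory() as root:
        for ext_id, manifest in samples.items():
            (d := Path(root, ext_id, "1.0_0")).mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit(root)
```

A hit on `all_sites` alone is not proof of malice; it marks extensions whose permissions deserve a closer look, while `on_list` marks IDs named in the table.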
in Security, Posted by log1l_ks