Google Chrome extensions stole browsing data in widest-reaching malware campaign ever

The developers supplied fake contact information to Google, so it is unclear who is responsible

Incognito Mode in Google Chrome may not be as private as you think

Google Chrome has been used to transmit spyware, with malicious extensions to the browser downloaded 32 million times, according to researchers at Awake Security.

The researchers alerted Google, which removed over 70 pieces of software from its official Chrome Web Store.

Most of the free extensions purported to warn users about questionable websites or convert files from one format to another.

Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools.

It is the widest-reaching Chrome store campaign to date, according to Awake Security’s chief scientist Gary Golomb.

It is unclear who is responsible for this campaign, however, as developers supplied fake contact information when they submitted the extensions to Google.

The extensions were designed to avoid detection by antivirus companies or security software that evaluates the reputations of web domains.

“This shows how attackers can use extremely simple methods to hide, in this case, thousands of malicious domains,” Golomb said.

“When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” Google spokesperson Scott Westover said.

Google declined to discuss how the latest spyware compared with prior campaigns, the breadth of the damage, or why it did not detect and remove the bad extensions on its own despite past promises to supervise offerings more closely.

All the domains used were purchased from a registrar in Israel, Galcomm, also known as CommuniGal Communication.

“Galcomm is not involved, and not in complicity with any malicious activity whatsoever,” Fogel wrote. “You can say exactly the opposite, we cooperate with law enforcement and security bodies to prevent as much as we can.”

Fogel also claimed that there were no records of inquiries from Awake Security, and asked for a list of suspected domains. Upon being provided with a list, Fogel did not provide further clarification.

Awake Security says the company should have been aware of the actions being undertaken.

The Internet Corp for Assigned Names and Numbers, which oversees registrars, said it had received few complaints about Galcomm over the years, and none about malware.

Additional reporting by Reuters
