Google Chrome: Beware these malicious extensions that record everything you do

Developers of malicious extensions are testing a new session-replay technique to record and replay victims' online sessions.
Written by Liam Tung, Contributing Writer

Google has removed 89 malicious extensions from the Chrome Web Store that had been installed on over 420,000 browsers, turning them into Monero-mining slaves and loading a tool to record and replay what their owners do on every website they visit.

Researchers at Trend Micro dubbed the family of malicious extensions Droidclub and discovered they included a software library with so-called "session-replay scripts" used by online analytics firms.

Princeton's Center for Information Technology Policy in November drew attention to the increasing use of session-replay scripts by third-party analytics firms on high-traffic websites.

The study looked at replay services from Yandex, FullStory, Hotjar, UserReplay, Smartlook, Clicktale, and SessionCam, which were found on nearly 500 popular sites.

The scripts allow a site owner to essentially shoulder-surf their visitors by recording and replaying their "keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit".

But instead of allowing a site owner to record and play back what users do on one site, Droidclub extensions allow the attacker to see what victims do on every single site they visit.

Image (Trend Micro): The attackers used a blend of malicious ads and social engineering to trick victims into installing the extensions.

"These scripts are injected into every website the user visits. These libraries are meant to be used to replay a user's visit to a website, so that the site owner can see what the user saw, and what he entered into the machine, among other things," said Trend Micro fraud analyst Joseph Chen.

"Other researchers have raised the possibility that these libraries could be abused, but this is the first time we have seen this in the wild."

The 89 malicious extensions are an odd collection of home cooking and home decoration themed tools, which victims are unlikely to have gone to the Chrome Web Store and searched for.


Rather, the attackers used a blend of malicious ads and social engineering to trick victims into installing the extensions. A malicious ad posing as an error message prompted the victim to install an extension from the Chrome Web Store to view blocked content.

Chen says the extensions employ a session-replay script available in a JavaScript library from Yandex Metrica.

The extension, combined with the library, allows the attacker to steal data entered into forms, including names, credit card numbers, CVV numbers, email addresses, and phone numbers. Passwords are not stolen, according to Chen.

Google said in a statement to Trend Micro that it had disabled the extensions on devices of all affected Chrome users.


And although Google encourages users to report malicious extensions, Droidclub extensions have been designed to thwart that process too.

If users try to report an extension via the Chrome Web Store, they end up being redirected to the introduction page of the affected extension. Attempts to remove the extension also lead the user to a fake page that tells them the extension has been removed when it has not.

Yandex told ZDNet it had only recently learned that its Yandex.Metrica session-replay tool was being used to acquire users' private data.

"We built session replay to help website owners and marketers provide a better experience for users. But, like many other tools on the internet, it unfortunately has been used in a malicious way," a spokeswoman said.

"We're working in every way possible to update our product to prevent particularly sensitive information from being detected and tracked."

Last month Google also removed four malicious extensions from the Chrome Web Store that had been installed by 500,000 Chrome users.
