Google removes 106 Chrome extensions for collecting sensitive user data

Security firm identifies 111 malicious Chrome extensions collecting user keystrokes, clipboard content, cookies, more.

Google removes batch of malicious Chrome extensions stealing users' data

Google has removed 106 malicious Chrome extensions that have been caught collecting sensitive user data.

The 106 extensions are part of a batch of 111 Chrome extensions that have been identified as malicious in a report published today by cyber-security firm Awake Security.

Awake says these extensions posed as tools to improve web searches, convert files between formats, scan for security issues, and more.

But in reality, Awake says the extensions contained code to bypass Google's Chrome Web Store security scans, take screenshots, read the clipboard, harvest authentication cookies, or grab user keystrokes (such as passwords).

[Image: Awake Security]

Awake believes all the extensions were created by the same threat actor, although the company has yet to identify it.

The primary connection between all the extensions was that they sent user data back to domains registered through the GalComm domain registrar.

Furthermore, Awake says that many extensions also appeared to share the same graphics and codebase, with slight changes. In some cases, the extensions even had the same version number and the same descriptions, the company explained in its report.

Awake says that by May 2020, when it reached out to Google, the 111 malicious extensions had been downloaded 32,962,951 times.

Based on internal telemetry, Awake says that some of these extensions have been found on the networks of "financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government organizations," effectively acting as backdoors into private networks and espionage tools, although there is no evidence to suggest they have been used as such.

The company provided the list of the 111 malicious extension IDs here.

Harry Denley, Director of Security at the MyCrypto platform, provided ZDNet with the status of each extension. At the time of writing, only five of the 111 extensions reported by Awake to Google are still live on the Chrome Web Store.

As is standard practice, Google has deactivated the Chrome extensions in each user's browser. The extensions remain installed, but are disabled and marked as "malware" in the Chrome browser's extensions section.

Users can visit the chrome://extensions page to check whether any of the malicious extensions are installed and remove them from their browsers.

[Image: ZDNet]