Google has removed more than 500 malicious Chrome extensions from its official Web Store following a two-months long investigation conducted by security researcher Jamila Kaya and Cisco's Duo Security team.
The removed extensions operated by injecting malicious ads (malvertising) inside users' browsing sessions.
The malicious code injected by the extensions activated under certain conditions and redirected users to specific sites. In some cases, the destination would be an affiliate link on legitimate sites like Macys, Dell, or BestBuy; but in other instances, the destination link would be something malicious, such as a malware download site or a phishing page.
According to a report published today and shared with ZDNet, the extensions were part of a larger malware operation that's been active for at least two years.
The research team also believes the group who orchestrated this operation might have been active since the early 2010s.
Responsible for unearthing this operation is Kaya. The researcher told ZDNet in an interview that she discovered the malicious extensions during routine threat hunting when she noticed visits to malicious sites that had a common URL pattern.
Leveraging CRXcavator, a service for analyzing Chrome extensions, Kaya discovered an initial cluster of extensions that run on top of a nearly identical codebase, but used various generic names, with little information about their true purpose.
"Individually, I identified more than a dozen extensions that shared a pattern," Kaya told us. "Upon contacting Duo, we were able to quickly fingerprint them using CRXcavator's database and discover the entire network."
According to Duo, these first series of extensions had a total install count of more than 1.7 million Chrome users.
"We subsequently reached out to Google with our findings, who were receptive and collaborative in eliminating the extensions," Kaya told ZDNet.
After its own investigation, Google found even more extensions that fit the same pattern, and banned more than 500 extensions, in total. It is unclear how many users had installed the 500+ malicious extensions, but the number is more than likely to be in the millions range.
Networks of malicious Chrome extensions have been unearthed in the past. Typically, these extensions usually engage in injecting legitimate ads inside a user's browsing session, with the extension operators earning revenue from showing ads. In all cases, the extensions try to be as non-intrusive as possible, so not to alert users of a possible infection.
What stood out about this scheme was the use of "redirects" that often hijacked users away from their intended web destinations in a very noisy and abrasive manner that was hard to ignore or go unnoticed.
However, in the current state of the internet where many websites use similar advertising schemes with aggresive ads and redirects, many users didn't even bat an eye.
"While the redirects were incredibly noisy from the network side, no interviewed users reported too obtrusive of redirects," Kaya told ZDNet.
A list of extension IDs that were part of this scheme are listed in the Duo report. When Google banned the extensions from the official Web Store, it also deactivated them inside every user's browser, while also marking the extension as "malicious" so users would know to remove it and not reactivate it.