Three million users installed 28 malicious Chrome or Edge extensions

Extensions could redirect users to ads, phishing sites, collect user data, or download malware on infected systems.
Written by Catalin Cimpanu, Contributor

More than three million internet users are believed to have installed 15 Chrome, and 13 Edge extensions that contain malicious code, security firm Avast said today.

The 28 extensions contained code that could perform several malicious operations. Avast said it found code to:

  • redirect user traffic to ads
  • redirect user traffic to phishing sites
  • collect personal data, such as birth dates, email addresses, and active devices
  • collect browsing history
  • download further malware onto a user's device

Also: Best VPNs

But despite the presence of code to power all the above malicious features, Avast researchers said they believe the primary objective of this campaign was to hijack user traffic for monetary gains.

"For every redirection to a third party domain, the cybercriminals would receive a payment," the company said.

Avast said it discovered the extensions last month and found evidence that some had been active since at least December 2018, when some users first started reporting issues with being redirected to other sites.

Jan Rubín, Malware Researcher at Avast, said they couldn't identify if the extensions had been created with malicious code from the beginning or if the code was added via an update when each extension passed a level of popularity.

And many extensions did become very popular, with tens of thousands of installs. Most did so by posing as add-ons meant to help users download multimedia content from various social networks, such as Facebook, Instagram, Vimeo, or Spotify.

Avast said it reported its findings to both Google and Microsoft and that both companies are still investigating the extensions.

Google did not return a request for comment seeking additional information on the status of their investigation into Avast's report or if the extensions were going to be removed. Microsoft said it's still investigating the issue.

A day after Avast published its findings, only three of the 15 Chrome extensions were removed, while all the Edge add-ons were still available for download. A source familiar with the investigation told ZDNet that Microsoft has not been able to confirm the Avast report.

Until Google or Microsoft finish their investigations and decide what's their course of action, Avast recommended that users uninstall and remove the extensions from their browsers.

Below is the list of Chrome extensions that Avast said it found to contain malicious code:

Below is the list of Edge extensions that Avast said it found to contain malicious code:

Article updated on December 17 with information on the extensions takend down following Avast's report and Microsoft's reply.

Holiday backgrounds for Zoom: Christmas cheer, New Year's Eve, Hanukkah and winter scenes

Editorial standards