Chrome extensions are 'the new rootkit' say researchers linking surveillance campaign to Israeli registrar Galcomm
2020-06-18 15:15

Researchers at Awake Security have published a report on malicious extensions in the Chrome web store, making both specific claims of over 32 million downloads of one malware family, and general claims of weak security in both domain registration and Google's store.

This led them to a bunch of malicious browser extensions, 111 in total, which "were found to upload sensitive data or not perform the task they're advertised to perform." A common technique, they said, is that the developer gets a clean version of an extension approved, and later updates it with the malicious payload. Some of the suspicious extensions have a reassuring number of reviews and downloads, in one case more than 22,000 reviews and 10 million downloads, presumably achieved by bot activity. Another popular approach is to clone a genuine extension and bundle it with malware. "Awake has since worked with Google to take down these extensions from the Chrome Web Store," said the report, but no doubt more are on the way.

"Rogue access to the browser therefore frequently means rogue access to the 'keys to the kingdom' - from email and corporate file sharing to customer relationship management and financial databases," they said, dubbing browser extensions "the new rootkit."

A developer on Hacker News said: "I've been developing Chrome extensions full-time for about a year now, and it's honestly terrifying just how much access extensions have to sensitive user data."

A Google spokesperson has since told us: "We appreciate the work of the research community, and when we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses. In addition to disabling the accounts of developers that violate our policies, we also flag certain malicious patterns we detect in order to prevent extensions from returning."


News URL

https://go.theregister.com/feed/www.theregister.com/2020/06/18/chrome_browser_extensions_new_rootkit/