Google has removed 5 malicious browser extensions from its Chrome Web Store that were downloaded collectively more than 1.4 million times.

Threat analysts at McAfee discovered that these browser extensions, which masqueraded as Netflix viewers and similar utilities, were designed to surreptitiously monitor users' browsing activity.

The Chrome browser add-ons in question are as follows:

  • Netflix Party (mmnbenehknklpbendgmgngeaignppnbe) – 800,000 downloads
  • Netflix Party 2 (flijfnhifgdcbhglkneplegafminjnhn) – 300,000 downloads
  • FlipShope – Price Tracker Extension (adikhbfjdbjkhelbdnffogkobkekkkej) – 80,000 downloads
  • Full Page Screenshot Capture – Screenshotting (pojgkmkfincpdkdgjepkmdekcahmckjp) – 200,000 downloads
  • AutoBuy Flash Sales (gbnahglfafmhaehbdmjedfhdmimjcbed) – 20,000 downloads

These extensions offered various functions, such as letting users watch Netflix shows together, finding website coupons, and taking screenshots of a website. The latter borrowed several phrases from another popular extension called GoFullPage.

“The users of the extensions are unaware of this functionality and the privacy risk of every site being visited being sent to the servers of the extension authors,” the McAfee researchers wrote in their blog post.

How Did The Extensions Work?

All 5 extensions behave similarly. The web app manifest (the “manifest.json” file) sets the background page to bg.html, which loads B0.js, a multifunctional script that sends the browsing data to a domain the attackers control (“langhort[.]com”).

The data is delivered via POST requests every time the user visits a new URL. The information includes the URL in base64 form, the user ID, device location (country, city, zip code), and an encoded referral URL.

The first function, “Result[‘c’] – passf_url”, checks whether the server's response contained a URL. If it did, the script inserts the URL received from the server into the visited website as an iframe.

The second function, “Result[‘e’] setCookie”, instructs B0.js to modify a cookie, or replace it with the one provided, in order to perform certain actions, provided the extension has been granted the associated permissions.
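As an added example (not code from the McAfee report or from this article), the following Python script walks a Chrome profile's Extensions directory and flags the five extension IDs listed above, as well as any manifest whose background page or scripts reference bg.html or B0.js. It assumes Chrome's standard on-disk layout, `<profile>/Extensions/<id>/<version>/manifest.json`; the sample manifest used in the demo is constructed.

```python
import json
import sys
from pathlib import Path

# Extension IDs named in the McAfee report (as listed above).
KNOWN_BAD_IDS = {
    "mmnbenehknklpbendgmgngeaignppnbe": "Netflix Party",
    "flijfnhifgdcbhglkneplegafminjnhn": "Netflix Party 2",
    "adikhbfjdbjkhelbdnffogkobkekkkej": "FlipShope - Price Tracker Extension",
    "pojgkmkfincpdkdgjepkmdekcahmckjp": "Full Page Screenshot Capture - Screenshotting",
    "gbnahglfafmhaehbdmjedfhdmimjcbed": "AutoBuy Flash Sales",
}
# Background page / script file names reported for this family.
SUSPECT_BACKGROUND = {"bg.html", "B0.js"}

def manifest_indicators(ext_id: str, manifest: dict) -> list:
    """Return the reasons an extension matches this family (empty list if none)."""
    hits = []
    if ext_id in KNOWN_BAD_IDS:
        hits.append(f"known malicious id ({KNOWN_BAD_IDS[ext_id]})")
    bg = manifest.get("background") or {}
    # MV2 manifests use a background page or a script list; MV3 a service worker.
    names = set()
    if isinstance(bg.get("page"), str):
        names.add(Path(bg["page"]).name)
    for script in bg.get("scripts") or []:
        names.add(Path(script).name)
    if isinstance(bg.get("service_worker"), str):
        names.add(Path(bg["service_worker"]).name)
    for name in sorted(names & SUSPECT_BACKGROUND):
        hits.append(f"background references {name}")
    return hits

def scan_extensions_dir(root) -> dict:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and collect hits."""
    findings = {}
    root = Path(root)
    if not root.is_dir():
        return findings  # nothing to scan (wrong path or no extensions installed)
    for manifest_path in root.glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name  # directory name is the extension ID
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort
        if hits := manifest_indicators(ext_id, manifest):
            findings[ext_id] = hits
    return findings

if __name__ == "__main__":
    # Usage: python scan_extensions.py "<Chrome profile>/Extensions"
    print(json.dumps(scan_extensions_dir(sys.argv[1]), indent=2))
```

A hit on the ID list is conclusive; a hit on bg.html or B0.js alone is only a lead, since other extensions may legitimately use those file names and should be reviewed before removal.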

McAfee has also published a video that shows how the URL and cookie modifications occur in real time.

To evade analysis and avoid being flagged in automated analysis environments, some of the extensions waited 15 days after installation before they started sending out browsing activity, so as not to raise red flags early on.

At the time of writing, all 5 malicious Chrome extensions have been removed from the Chrome Web Store. However, this does not delete them from browsers where they are already installed, so users are advised to uninstall them manually from their devices.