Google has removed more than 70 malicious add-ons from its Chrome Web Store after being alerted to a spyware attack by researchers at Awake Security.
The researchers told Reuters that the newly-discovered spyware effort attacked users through 32 million downloads of extensions to Google’s Chrome web browser, the Mirror reports.
Google spokesman Scott Westover told Reuters: “When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses.”
Awake co-founder and chief scientist Gary Golomb said it was the most far-reaching malicious Chrome store campaign to date based on the number of downloads.
The majority of the free extensions claimed to warn users about questionable websites or convert files from one format to another but instead, they siphoned off users’ browsing history and data that provided credentials for access to internal business tools.
Browsers are increasingly being used for email, payroll and other sensitive functions.
Google has declined to discuss how the latest attack compared to previous ones, the breadth of the damage, or why it did not detect and remove the bad extensions on its own despite promises to monitor them more closely.
Awake said the developers of the malware supplied fake contact information when they submitted the extensions to Google so it’s unclear who was behind the effort.
“Anything that gets you into somebody’s browser or email or other sensitive areas would be a target for national espionage as well as organised crime,” said former National Security Agency engineer Ben Johnson, who founded security companies Carbon Black and Obsidian Security.
The add-ons were designed to avoid detection by antivirus companies or security software, Golomb said.
If browsers were on a home computer, it would connect to a series of websites and transmit information, the researchers found. Anyone using a corporate network, which would include security services, would not transmit the sensitive information or even reach the malicious versions of the websites.
“This shows how attackers can use extremely simple methods to hide, in this case, thousands of malicious domains,” Golomb said.
All of the domains in question, more than 15,000 linked to each other in total, were purchased from a small registrar in Israel, Galcomm, known formally as CommuniGal Communication Ltd. Awake claimed Galcomm should have known what was happening.
In an email exchange, Galcomm owner Moshe Fogel told Reuters his company had done nothing wrong.
“Galcomm is not involved, and not in complicity with any malicious activity whatsoever,” Fogel wrote. “You can say exactly the opposite, we cooperate with law enforcement and security bodies to prevent as much as we can.”
Fogel said there was no record of the inquiries Golomb said he made in April and again in May to the company’s email address for reporting abusive behavior, and he asked for a list of suspect domains. Reuters sent him that list three times without getting a substantive response.
The Internet Corp for Assigned Names and Numbers, which oversees registrars, said it had received few complaints about Galcomm over the years, and none about malware.
Deceptive extensions have been an issue for years but they are getting worse. Originally used to spew unwanted adverts, they are now more likely to install malicious programs or track where users are and what they are doing for government or commercial spies.
After one in 10 submissions to Google’s Chrome Store was deemed malicious, the company said in 2018 it would improve security, in part by increasing human review.
But in February, independent researcher Jamila Kaya and Cisco Systems’ Duo Security uncovered a similar Chrome campaign that stole data from about 1.7 million users.
Google joined the investigation and found 500 fraudulent extensions.
“We do regular sweeps to find extensions using similar techniques, code and behaviours,” Google’s Westover said, in identical language to what Google gave out after Duo’s report.