Google has removed from the Chrome Web Store 32 malicious extensions that could alter search results and push spam or unwanted ads. Collectively, they come with a download count of 75 million.
The extensions featured legitimate functionality to keep users unaware of the malicious behavior that came in obfuscated code to deliver the payloads.
Cybersecurity researcher Wladimir Palant analyzed the PDF Toolbox extension (2 million downloads) available from Chrome Web Store and found that it included code that was disguised as a legitimate extension API wrapper.
In a write-up in mid-May, the researcher explains that the code allowed the “serasearchtop[.]com” domain to inject arbitrary JavaScript code into any website the user visited.
The potential for abuse ranges from inserting ads into webpages to stealing sensitive information. However, Palant didn’t observe any malicious activity, so the code’s purpose remained unclear.
The researcher also noticed that the code was set to activate 24 hours after installing the extension, a behavior that is typically associated with malicious intentions.
A few days ago, Palant published a follow-up post on the case to alert that he had discovered the same suspicious code in another 18 Chrome extensions with a total download count of 55 million. Some examples include:
- Autoskip for Youtube – 9 million active users
- Soundboost – 6.9 million active users
- Crystal Ad block – 6.8 million active users
- Brisk VPN – 5.6 million active users
- Clipboard Helper – 3.5 million active users
- Maxi Refresher – 3.5 million active users
At the time of Palant publishing the second post, all of the extensions were still available in the Chrome Web Store.
Continuing his investigation, Palant found two variants of the code: one masquerading as Mozilla’s WebExtension browser API Polyfill, and another posing as the Day.js library.
However, both versions featured the same arbitrary JS code injection mechanism involving serasearchtop[.]com.
Although the researcher did not observe any clear malicious activity, he noted that there are numerous user reports and reviews on the Web Store indicating that the extensions were performing redirections and search result hijacking.
Despite his attempts to report the suspicious extensions to Google, they continued to be available to users from the Chrom Web Store.
Earlier today, though, cybersecurity company Avast said that it reported the extensions to Google after confirming their malicious nature, and expanded the list to 32 entries. Collectively, these boasted 75 million installs.
Avast says that while the extensions appear harmless to unsuspecting users, they are adware that hijacks search results to display sponsored links and paid results, sometimes even serving malicious links.
Responding to a request for comment from BleepingComputer before Avast published its findings, a Google spokesperson said that the “reported extensions have been removed from the Chrome Web Store.”
“We take security and privacy claims against extensions seriously, and when we find extensions that violate our policies, we take appropriate action.”
“The Chrome Web Store has policies in place to keep users safe that all developers must adhere to,” the Google representative told BleepingComputer”
Avast highlights the significant impact of the extensions, which targeted tens of thousands of its customers, and potentially millions worldwide.
For its customers, Avast selectively neutralized only the malicious elements within the extensions, letting the legitimate features continue operating without disruption.
While the 75 million downloads looks worrying, the company suspects that the count was “artificially inflated.” A complete list of the malicious extensions (IDs) can be found on Avast’s report.
Users should note that the removal of the extensions from the Chrome Web Store does not automatically deactivate or uninstall them from their browsers, so manual action is required to eliminate the risk.
