Research conducted by Awake Security identified 111 malicious Google Chrome extensions that collected sensitive user data; 106 of them have since been removed from the Chrome Web Store.
By May 2020, when the company contacted Google, the malicious extensions had been downloaded almost 33 million times.
The extensions claimed to warn users about dangerous websites, improve web searches, and convert file formats. Their real function was to take screenshots, read the clipboard, gather browsing history, log keystrokes to steal passwords, and collect authentication cookies.
Awake Security believes all the extensions came from the same unidentified actor, as most of them shared identical graphics, code, version numbers, and descriptions.
The creator gave Google false contact information when submitting the extensions to the Chrome Web Store.
The extensions were designed to evade antivirus and security software that evaluates the reputation of web domains. Researchers found that they would connect to a series of websites and transmit the sensitive information to them.
Chrome users on corporate networks, however, were spared: on such networks the extensions would neither send the data nor even connect to the malicious websites.
Researchers also discovered that more than 15,000 malicious domains were used, all of them registered through Galcomm, a domain registrar in Israel.
Galcomm has denied complicity in the malicious activity. Galcomm owner Moshe Fogel said: “You can say exactly the opposite: we cooperate with law enforcement and security bodies to prevent as much as we can.”
Google has removed all but five of the malicious extensions from the Chrome Web Store.
Chrome users who installed the malicious extensions will still find them in their browsers, but they have been disabled and marked as malware.
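The capabilities described above (clipboard reading, browsing history, cookie theft, keystroke capture, screenshots) each require specific Chrome extension permissions, so a practical first check on any profile is to audit what the installed extensions actually request. The script below is an added example written for this page, not code from Awake Security or Google. It walks a Chrome profile's `Extensions` directory, reads each `manifest.json`, and flags permissions that map to those capabilities. The permission names are Chrome's own; the mapping from permission to capability is my reading of the extension API, the extension IDs and manifests in `SAMPLE_MANIFESTS` are constructed for illustration, and the profile paths are the usual defaults for each platform.

```python
import json
from pathlib import Path

# Chrome API permissions that grant the capabilities the article attributes to the
# malicious extensions. The keys are real Chrome permission names; the labels are
# my own reading of what each allows, not a list from the Awake Security report.
RISKY_PERMISSIONS = {
    "clipboardRead": "read the clipboard",
    "history": "read browsing history",
    "cookies": "read cookies for every permitted host",
    "tabs": "enumerate open tabs and their URLs; with host access, capture screenshots",
    "webRequest": "observe every HTTP request the browser makes",
    "nativeMessaging": "talk to a native program outside the browser sandbox",
}

# Host patterns that cover every site. Combined with content_scripts they allow
# keystroke capture on any page; combined with "cookies" they expose every session.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(ext_id, manifest):
    """Return the risky capabilities a manifest requests, plus a simple count-based score."""
    findings = []
    # Manifest v2 mixes API and host permissions in one list; v3 puts hosts in host_permissions.
    api_perms = set(manifest.get("permissions", []))
    host_perms = set(manifest.get("host_permissions", [])) | {
        p for p in api_perms if "://" in p or p == "<all_urls>"
    }
    for perm in sorted(api_perms & set(RISKY_PERMISSIONS)):
        findings.append(f"{perm}: {RISKY_PERMISSIONS[perm]}")
    if host_perms & BROAD_HOST_PATTERNS:
        findings.append("broad host permission: access to every site")
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOST_PATTERNS:
            findings.append("content script injected into every page (keystroke capture possible)")
            break
    return {
        "id": ext_id,
        "name": manifest.get("name", "?"),  # may be a localized "__MSG_...__" placeholder
        "version": manifest.get("version", "?"),
        "findings": findings,
        "score": len(findings),
    }


def audit_manifests(manifests):
    """Assess a mapping of extension id -> parsed manifest dict, worst offenders first."""
    results = [assess_manifest(ext_id, m) for ext_id, m in manifests.items()]
    return sorted(results, key=lambda r: r["score"], reverse=True)


def audit_extensions_dir(extensions_dir):
    """Load <profile>/Extensions/<id>/<version>/manifest.json for every installed extension."""
    manifests = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        with open(path, encoding="utf-8") as f:
            manifests[ext_id] = json.load(f)
    return audit_manifests(manifests)


# Constructed sample manifests (hypothetical IDs, not real extensions): one that
# requests exactly the capabilities the article describes, one benign converter.
SAMPLE_MANIFESTS = {
    "abcdefghijklmnopabcdefghijklmnop": {
        "manifest_version": 2,
        "name": "Safe Site Warner",
        "version": "1.4.2",
        "permissions": ["tabs", "history", "cookies", "clipboardRead", "<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    },
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "manifest_version": 3,
        "name": "Format Converter",
        "version": "2.0.0",
        "permissions": ["storage"],
        "host_permissions": ["https://converter.example/*"],
    },
}


if __name__ == "__main__":
    # Default profile locations (assumed; adjust for non-default profiles):
    #   Linux:   ~/.config/google-chrome/Default/Extensions
    #   macOS:   ~/Library/Application Support/Google/Chrome/Default/Extensions
    #   Windows: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions
    for r in audit_manifests(SAMPLE_MANIFESTS):
        print(f"{r['id']}  {r['name']} {r['version']}  score={r['score']}")
        for finding in r["findings"]:
            print(f"    - {finding}")
```

A high score is not proof of malice; legitimate password managers and ad blockers request broad host access too. The point of the audit is to produce a short list of extensions whose permissions could support the behaviour described above, which you then compare against what each one claims to do, and to run it against every profile on a machine, since a disabled-but-still-installed extension remains visible in the directory.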