Be careful when downloading web browser extensions! Some, seemingly innocent, may contain malicious code that may display pop-up advertising or siphon off your personal data.

Be careful when downloading web browser extensions! Some, seemingly innocent, may contain malicious code that may display pop-up advertising or siphon off your personal data.

Web browser extensions – like Google Chrome, Mozilla Firefox, Microsoft Edge or Safari – are really handy. They offer useful functions, such as blocking advertising, keeping to-do lists, checking spelling and grammar, or even converting PDFs, among other things. Ways to be even more productive and efficient on the web, which makes them so popular. The most popular plugins can reach more than 10 million users! However, be careful, because even if they are in official stores – like the Chrome Web Store – some may put you at risk. In 2020, Google had to remove 106 of them, which were used to siphon users’ personal data, like cookies, passwords, banking credentials, and even took screenshots. In total, they have 32 million downloads – and therefore as many victims, individuals as companies.

Kaspersky, an antivirus vendor, revealed in an investigation that, on its customer base alone, the company has blocked 6 million downloads of malicious extensions since the beginning of 2020. But how do these extensions operate? Most – including those who are not infected – ask permission to “read all data on all websites”, which allows them to collect lots of data from the web pages you visit. Developers can then pass this data on to third parties or sell it to advertisers. “Safe” apps can also become rogue after installation, since their developers can release updates without requiring any action from you. Kaspersky has identified four main families of malicious extensions, two-thirds of which are “adware” and one-third “malware”.

Extensions that serve intrusive ads

The first family of malicious adware-type extensions is WebSearch – it is the most widespread. When installed, it will replace the search engine you are using with another – and not everyone knows how to change it again (see our practical sheet to remedy this). According to research, the new engine will display its own advertising links – for example, a sidebar pops up on the screen to offer a whole bunch of advertisements. The more you follow these links, the more money the extension developers earn. The following extensions use this technique – they have been removed from the stores, but are still present on the devices of those who downloaded them and findable via a search engine:

• EasyPDFCombine
• PDF Viewer & Converter by FromDocToPDF
• OnlineMapFinder
• EasyDocMerge.

The second adware-type family is DealPly. Most of the time, these extensions are not downloaded directly by the user, but by malware, itself installed on cracked software. Again, the search engine is replaced by another, and you are transported to sponsored sites without you wanting it. The generation of these unwanted offers will hinder your Internet browsing by flooding you with ads when you browse merchant sites. Getting rid of this kind of extension is quite complicated because, once deleted, it will automatically reappear the next time you launch the browser. Among the extensions in this family are Internal Chromium Extension and Search Manager.

Extensions that embed malware

The third family is of the malware type and is called AddScript. Most often, this type of extensions offers truly useful functions – tools for downloading music and videos from social networks, or downloading proxy managers. Except that in parallel, they carry out malicious actions. The malware contains obfuscated code – therefore hidden, unreadable – which discreetly performs intrusive actions without you noticing it – playing videos in the background or placing fake cookies in the browser directory for example. It will thus generate false video views or make believe that you have already visited certain pages. This is the case for the following extensions:

• Y2Mate Video Downloader
• Helper (an easy way to find best prices)
• SaveFrom.net helper
• friGate3 Proxy helper.

The fourth family, FB Stealer, is also malware-type – and is arguably the most dangerous. Similar to DealPly, these extensions contain malware installed in cracked software. Again, there is a change in the search engine. However, he will take the opportunity to steal your Facebook session cookies, log in for you and change the password. “Once inside the account, attackers can demand money from the victim’s friends, trying to get as much as possible before the user regains access to the account”, explains Kaspersky. Meanwhile, the extension will mimic harmless functions, like Google Translate.

How to protect against corrupt extensions

Several tips can help you spot scam extensions. First of all, plug-ins should always be downloaded from official stores, such as the Google Web Store, as they carry out an initial check and regularly remove infected software. Once in the store, it is necessary to check the reputation and the reliability of the developer as well as the authorizations requested by the extension. Indeed, if you see that an add-on asks for a lot more permissions than it theoretically needs, you have every reason to be suspicious. For example, a standard browser calculator requires no access to your geolocation or browsing history. Finally, periodically review your installed extensions and uninstall extensions that you no longer use or recognize.