Beware of the extensions you add to your web browser! Security researchers have discovered 32 Chrome add-ons that hijack search results and serve ads.
Extensions for web browsers – like Google Chrome, Mozilla Firefox, Microsoft Edge or Safari – are really handy. These additional modules – also called plug-ins – provide useful functions that are not built into the browser by default, such as blocking advertising, converting PDFs, keeping task lists, or checking spelling and grammar. However, be careful when downloading them, even from official stores, because some contain malicious code! This is the case for 32 rogue extensions recently spotted by Avast security researchers on the Chrome Web Store. And these are not obscure extensions: they account for nearly 75 million downloads, and they do deliver the services they promise. But in addition, and in a particularly sneaky way, they modify search results to display sponsored links and paid results, distribute spam or unwanted advertisements, and sometimes redirect their users to dangerous sites!
Chrome extensions: redirects and hijacks of search results
Wladimir Palant, a cybersecurity researcher, published an article in mid-May explaining that he had analyzed the PDF Toolbox extension, available on the Chrome Web Store with 2 million downloads. He discovered that it contained malicious code that allowed the domain “serasearchtop[.]com” to inject arbitrary JavaScript code into any website visited by the user. This opens the door to abuse ranging from the insertion of advertisements to the theft of sensitive information. Wladimir Palant did not observe any malicious activity at first, but he noticed that the code was activated 24 hours after the extension was installed, a behavior usually found in malware.
As we learn in a new article, Wladimir Palant took his investigation further and discovered the same code, as well as two variants, in 18 other Chrome extensions (including Autoskip for YouTube, Soundboost, Crystal Ad block, Brisk VPN, Clipboard Helper and Maxi Refresher), totaling 55 million downloads. Again, the researcher did not observe any malicious behavior, but numerous reports and user comments on the Web Store indicate that the extensions were redirecting users and hijacking search results. Here is the list of affected extensions:
- Autoskip for Youtube
- Soundboost
- Crystal Ad block
- BriskVPN
- Clipboard Helper
- Maxi Refresher
- Quick Translation
- Easyview Reader view
- PDF toolbox
- Epsilon Ad blocker
- Craft Cursors
- Alfablocker ad blocker
- Zoom More
- Basic Image Downloader
- Clickish fun cursors
- Cursor-A custom cursor
- Amazing Dark Mode
- Maximum Color Changer for Youtube
- Awesome Auto Refresh
- Venus Adblock
- Adblock Dragon
- Read Reader mode
- Volume Frenzy
- Image download center
- Font Customizer
- Easy Undo Closed Tabs
- Screence screen recorder
- OneCleaner
- Repeat button
- Leap Video Downloader
- Tap Image Downloader
- Qspeed Video Speed Controller
- HyperVolume
- Light picture-in-picture
In addition to the 32 malicious extensions spotted by Wladimir Palant, Avast has published a list of some 82 corrupted extensions that should be uninstalled urgently, giving their unique identifiers to avoid any confusion over names. Of course, Google removed the reported extensions from the Chrome Web Store, as Bleeping Computer reported. But that is not enough: it is also, and above all, necessary to uninstall them from the devices on which they have been downloaded! If you have installed any of them, remove them from your device immediately (see our practical sheet).
Malicious code: protecting yourself from rogue browser extensions
It’s not the first time – and probably not the last! – that Google has had to remove corrupted extensions from its official store. Despite the Web giant’s efforts, hackers are constantly finding new techniques, each more ingenious than the last. This is why you must always be vigilant when installing anything. Fortunately, there are several tips that can help you spot infected extensions.
First of all, always download plug-ins through official stores, like the Google Web Store, as they perform an initial check and regularly remove infected software. Once in the store, check the reputation and reliability of the developer, and read user reviews to see whether they report suspicious activity. Also pay attention to the permissions requested by the extension: if an add-on asks for many more permissions than it theoretically needs, you have every reason to be suspicious. Finally, periodically review your installed extensions and uninstall those that you no longer use or recognize.
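The periodic review and permission check described above can be scripted. The following Python sketch is an added example, not code from Avast or Wladimir Palant: it reads each installed extension's manifest, reports which ones request access to every website, and marks IDs found on a list you supply. It assumes Chrome's on-disk layout of `Extensions/<extension ID>/<version>/manifest.json`; the IDs and names in the sample data are constructed.

```python
import json
import tempfile
from pathlib import Path

# Match patterns that give an extension access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_access(manifest):
    """Return the all-sites patterns a manifest requests (Manifest V2 and V3 fields)."""
    requested = list(manifest.get("permissions", []))
    requested += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        requested += script.get("matches", [])
    return sorted({p for p in requested if isinstance(p, str) and p in BROAD_HOSTS})

def audit_profile(extensions_dir, flagged_ids=frozenset()):
    """Inspect <extensions_dir>/<extension id>/<version>/manifest.json for each install."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            manifest = {"name": "(unreadable manifest)"}
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "flagged": ext_id in flagged_ids,
            "broad_access": broad_access(manifest),
        })
    return findings

def build_sample_profile(root):
    """Write two constructed extensions (made-up IDs and names) for the demo."""
    samples = {
        "a" * 32: {"name": "Sample PDF tool", "manifest_version": 3,
                   "permissions": ["storage"], "host_permissions": ["<all_urls>"]},
        "b" * 32: {"name": "Sample notes", "manifest_version": 3, "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in audit_profile(build_sample_profile(tmp), flagged_ids={"a" * 32}):
            print(row)
```

On a real machine, pass the `Extensions` folder under the profile path shown at `chrome://version`, and fill `flagged_ids` with the identifiers from Avast's published list. Broad access alone does not prove an extension is malicious, since ad blockers legitimately need it, but it tells you which add-ons deserve a closer look.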