Firefox and Chrome extensions that block add-on management
A new breed of malicious browser extensions uses techniques that make removing these extensions more difficult for users and administrators.
Malwarebytes revealed in a blog post how these extensions block user access to the add-on management page of the browser and therefore removal from within the browser.
The Chrome extension Tiempo en colombia en vivo was available on the official Chrome Web Store but was distributed mostly on third-party websites.
The browser extension monitors open tabs while it runs. If the user opens chrome://extensions/, it will redirect the request to chrome://apps/?r=extensions automatically. This is done so that the user cannot remove the extension as it is not listed on the apps page.
The Firefox add-on FF Helper Protection shows similar traits. It monitors open tabs for the string about:addons to close the tab automatically if it is found.
Both extensions have in common that they prevent users from accessing the add-on management interface of the browser.
Removing the extensions
Chrome users have no option to remove the extension while Google Chrome is running. Running Chrome with the --disable-extensions startup parameter does not help either, because you won't get access to the extensions in Chrome then: you can open chrome://extensions, but no extensions are listed.
This leaves you with removing the extension from the profile folder instead. The location of the profile folder depends on the operating system. Here are the default locations:
- Windows 7, 8.1, and 10: C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Extensions
- Mac OS X: /Users/NAME/Library/Application Support/Google/Chrome/Default/Extensions
- Linux: /home/NAME/.config/google-chrome/Default/Extensions
Extensions are listed with IDs. You may be able to identify the offending extension based on the modification date. If that is not possible, open each folder and load the manifest.json file in a text editor.
If you are still unsure, use trial and error instead. Move all Chrome extensions to another folder and test each individually by moving them back to the Extensions folder and running Chrome.
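The manifest check described above can be scripted when a profile has many extensions. The following is an added example, not code from the original article: it walks the Extensions folder (Chrome's ID/version/manifest.json layout), resolves localized `__MSG_...__` names from the _locales folder, and sorts by modification date. The function names are chosen for this illustration.

```python
import json
import sys
import time
from pathlib import Path

def load_json(path):
    """Parse a JSON file; return {} if it is missing, malformed or not an object."""
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def resolve_name(manifest, version_dir):
    """Return the display name, resolving a __MSG_key__ placeholder via _locales."""
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[6:-2].lower()  # message keys are matched case-insensitively
    locale = str(manifest.get("default_locale", "en"))
    messages = load_json(version_dir / "_locales" / locale / "messages.json")
    for k, v in messages.items():
        if k.lower() == key and isinstance(v, dict):
            return str(v.get("message", name))
    return name  # keep the placeholder visible if it cannot be resolved

def list_extensions(extensions_dir):
    """Return one record per <ID>/<version> folder, most recently modified first."""
    records = []
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        manifest = load_json(manifest_path)
        perms = manifest.get("permissions", [])
        records.append({
            "id": manifest_path.parent.parent.name,
            "name": resolve_name(manifest, manifest_path.parent) or "(unreadable manifest)",
            "version": str(manifest.get("version", "?")),
            "permissions": [p for p in perms if isinstance(p, str)] if isinstance(perms, list) else [],
            "modified": manifest_path.stat().st_mtime,
        })
    return sorted(records, key=lambda r: r["modified"], reverse=True)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: list_extensions.py <path to Extensions folder>")
    for r in list_extensions(sys.argv[1]):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(r["modified"]))
        print(f'{stamp}  {r["id"]}  {r["name"]} {r["version"]}  {", ".join(r["permissions"])}')
```

Run it with Chrome closed. The permissions column helps narrow candidates: an extension that watches tab URLs, as the one described above does, needs tab access such as the `tabs` permission or broad host permissions.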
Firefox users have it a bit easier. You can start the browser in Safe Mode to launch it with all extensions disabled. You still get access to these extensions so that you may remove them from about:addons.
The easiest way to start Safe Mode is to hold down the Shift-key while starting Firefox.
Select "Start in Safe Mode" and go to about:addons afterward. Locate the malicious extension and click on the remove button next to it to uninstall it from the browser.