Malicious Chrome extensions with Session Replay appear in Chrome Store

Martin Brinkmann
Feb 5, 2018
Google Chrome

Trend Micro security researchers identified 89 different malicious extensions for Google Chrome that use Session Replay functionality to log what users do in the browser.

Session Replay scripts are analytics scripts that record user activity on websites. Companies use them to understand what users do on their sites by recording mouse movement, keyboard input and other interactions with the page in question.

Research suggests that nearly 1% of the top 50,000 Alexa websites use Session Replay scripts, including WordPress, Microsoft, Adobe, GoDaddy and Softonic.

Chrome extensions with Session Replay

via Bleepingcomputer

Trend Micro detected 89 different Chrome extensions with Session Replay functionality in the Chrome Web Store. All extensions that Trend Micro detected used randomized names such as Air Plant Holder, Applesauce Christmas Ornaments or Cuban Sandwich.

The script records user activity, and because it runs from the browser extension rather than from a single page, it can do so on any website the user visits. Session Replay scripts may record credit card numbers, addresses, bank account information, social security numbers, names, and pretty much anything else a user enters on websites.

While the scripts are designed not to record passwords, past research showed that this might happen anyway.
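
An extension's reach across "any website the user visits" is declared in its manifest.json, so one basic vetting step is to flag manifests that request every site. The following is an added example, not code from the article or from Trend Micro's report; the sample manifests, extension names and file names are constructed.

```javascript
// Added example; sample manifests and extension names are constructed.
const ALL_SITES = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// True if a match pattern has a bare wildcard host, e.g. https://*/checkout*
function isAllSites(pattern) {
  if (ALL_SITES.has(pattern)) return true;
  const m = /^(\*|https?):\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[2] === '*';
}

// Inspect one parsed manifest.json (Manifest V2 or V3) and list broad grants.
function auditManifest(manifest) {
  const findings = [];
  // V2 mixes API names and host patterns in "permissions"; V3 adds "host_permissions".
  const hosts = [...(manifest.permissions || []), ...(manifest.host_permissions || [])]
    .filter((p) => typeof p === 'string' && isAllSites(p));
  if (hosts.length > 0) findings.push({ kind: 'host-permission', patterns: hosts });
  // Content scripts are the code that actually runs inside visited pages.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isAllSites);
    if (broad.length > 0) findings.push({ kind: 'content-script', patterns: broad, files: cs.js || [] });
  }
  return findings;
}

// Audit a map of { label: manifest } and return the findings per extension.
function auditAll(manifests) {
  return Object.fromEntries(
    Object.entries(manifests).map(([label, m]) => [label, auditManifest(m)]));
}

const samples = {
  'Recipe Widget (constructed)': {
    permissions: ['storage', '<all_urls>'],
    content_scripts: [{ matches: ['*://*/*'], js: ['inject.js'] }],
  },
  'Site Helper (constructed)': {
    permissions: ['storage'],
    host_permissions: ['https://example.com/*'],
    content_scripts: [{ matches: ['https://example.com/*'], js: ['helper.js'] }],
  },
};

console.log(JSON.stringify(auditAll(samples), null, 2));
```

Legitimate extensions such as content blockers also request all sites, so a hit marks an extension for closer review rather than proving it malicious.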

All extensions have in common that they use the Session Replay script from Yandex to record user activity, and Trend Micro believes that they are operated by the same group which it named Droidclub.

The company released a PDF document that lists all Chrome extensions and domains that it associates with Droidclub.

Bleeping Computer reports that the extensions used command and control servers. According to the site, Droidclub used the servers to inject advertising on pages visited by users, and older versions deployed the Coinhive cryptojacking script.

A quick check on the Chrome Web Store revealed that all extensions on the list that I checked are no longer listed. Nearly 425,000 users installed the extensions, however.

Closing Words

Malicious extensions continue to be a problem for the Chrome Web Store. Google announced some time ago that it wanted to improve security, but nothing has come of it yet.

Now You: Do you vet extensions before you install them?



  1. Kubrick said on February 6, 2018 at 9:36 pm

    You speak of the importance of “open source” extensions on a closed source proprietary browser.
    Seems a contradiction in terms to be honest. If people are so concerned about open source then it stands to reason they would/should be using an open source browser.
    This is like vetting the fox before he is allowed to guard the henhouse.

  2. dark said on February 6, 2018 at 1:19 am

    Do not install extensions/addons if they are not open source.

    1. John Fenderson said on February 6, 2018 at 6:23 pm


      This is not terrible advice, but it does imply that being open source, all by itself, means that the app is trustworthy. While it’s true that open source applications are far more likely to be well-behaved than closed-source ones, taking it for granted that open source == safe is also a risky practice.

      The unfortunate reality is that in this day and age we have to look at all software as a potential threat vector and be cautious about what we install and run.

  3. Kubrick said on February 5, 2018 at 11:04 pm

    Personally I always read all the reviews of an extension and then weigh up the pros and cons. Unfortunately we as users don’t really know how an extension will pan out unless we actually install it and this is when the fun begins isn’t bad extension and bang you’re full of adware and Chrome is terrible for it.

    Yes, reviews are always a good starting point.

  4. ULBoom said on February 5, 2018 at 8:56 pm

    Not sure what to make of this, do people go into the store and just install extensions the same as if they’re visiting sites, ending up with say 1000 extensions installed without knowing it? Are some users so oblivious that they think they’ve “discovered” another door to the internet called More Tools Extensions Get More Extensions? If an installer pops up out of the blue do they treat it as a new friend and giddily allow it?

    Maybe it’s mainly newbies who got these loggers, IDK; it seems Google should be finding them instead of a third party. Is Google offering bounties for these things?

    Some time spent in the Chrome Web Store reading what various extensions do and their reviews reveals many extensions barely resemble their titles, most are loaded with adware and trackers and a few actually work. I’m very picky about what is installed and use only 3 or 4 simple ones.

    1. John Fenderson said on February 5, 2018 at 10:42 pm


      I wonder the same thing. Browser extensions are a bit like smartphone apps — the wise user is well advised to install as few as possible, and be very cautious about those few. Unfortunately, there appears to be a very small number of “wise users”.

      1. Anonymous said on February 5, 2018 at 11:03 pm

        This is the unfortunate state of things. We shouldn’t have to hold our horses like this, we should be able to use apps and add-ons KNOWING that they CAN’T communicate anything with the outside world unless they first outsmart browser, firewall or OS based security mechanisms dedicated to putting users in control.

        As long as this is not a reality (like it is for Windows desktop apps with a proper application-based firewall), we have to install as few apps as possible and as few add-ons as possible. For add-ons it’s a little easier since source is easy enough and short enough to review.

      2. John Fenderson said on February 6, 2018 at 5:46 pm

        If you’re using Android, and you’re willing to root, there are apps that let you configure the strong firewall that already exists on the phone. This is what I do (I use AFWall+). No app on my phone gets to communicate, either to or from the phone, without my explicit authorization.

        If you’re not willing to root, then there are a number of firewall apps that use a phony VPN to provide similar protection. It’s not quite as secure, but it’s still far better than using nothing.

  5. SCBright said on February 5, 2018 at 1:13 pm

    It is for these and other reasons that I run away from Chrome in the same way that the Devil runs from the Cross.
    Unfortunately seems that Firefox will follow in the same direction…

    1. Paul's Dad. said on February 5, 2018 at 1:19 pm

      Firefox is already following in the same direction.

  6. battle said on February 5, 2018 at 10:33 am

    I wonder if the WebAPI Manager extension could be useful when, despite using common sense, you still have a malicious extension at some moment in your browser. See Martin’s review:

  7. daveb said on February 5, 2018 at 8:51 am

    Another lesson to be taken from this and other recent findings:
    Don’t install crap one off extensions.. like “Swirled Pumpkin Cheesecake”.

    What purpose does someone have for installing that exactly? Getting a recipe? ..a 1 off use for information that can easily be obtained by a search on any engine. The gross majority of the offenders in this case were in that category.

    More understandable might be the tiny minority with meaningful names like.. “Malvertising Domain (Second Stage)” Perhaps that came as some sort of false security extension. I don’t know but that seems plausible.

    ..and further we need to place SOME blame here where it belongs, squarely on Google. They have cheaped out on extension and app verification and taken away individual human verification. Yes that speeds the growth of their stores, but it also necessarily involves a greater number of blatantly malicious apps to get through without any kind of check. This is the hand of the unrestrained free market which is rarely admitted to, that companies when they can will cheapen their processes to the point of harming their customers.

    1. A different Martin said on February 6, 2018 at 4:48 pm

      I don’t know, daveb. I usually find cheesecake a bit on the rich side, but *swirled pumpkin cheesecake* sounds like something I could really go for. Maybe it’s just because I haven’t had breakfast yet… ;-)

      But more seriously, I probably don’t vet extensions carefully enough. I definitely only add ones that I feel might actually be useful, and I check reviews and consider the sources, but still, I’m probably not careful enough.

      As for the Session Replay stuff, I added every domain that hosts session-replay tools (maybe 10 or so that were identified in the article I read) to NoScript’s “Untrusted” blacklist as soon as I learned about the issue, in all of my Firefox-family browsers. Session Replay is just *creepy*.

      Apart from that, I only use Chrome for sites that don’t work in other browsers, so, you know…

    2. Martin Brinkmann said on February 5, 2018 at 9:45 am

      It is likely that many extensions land in users’ browsers through third-party sites, e.g. displaying installation popups there.

      1. Paul's Dad. said on February 5, 2018 at 1:19 pm

        This is totally true. You need to have human oversight and eyes on the code if you’re gonna distribute extensions for your browser. Anything else results in stuff like this. Even eyes on the code result in stuff like this, but to a much lesser extent.
