Malicious Chrome extensions with Session Replay appear in Chrome Store
Trend Micro security researchers identified 89 different malicious extensions for Google Chrome that use Session Replay functionality to log user activity while using the browser.
Session Replay scripts are analytics scripts that record user activity on websites. Companies use it to understand what users do on their sites by recording mouse movement, keyboard input and other interactions with the page in question.
Research suggests that nearly 1% of the top 50,000 Alexa websites use Session Replay scripts including WordPress, Microsoft, Adobe, Godaddy or Softonic.
Chrome extensions with Session Replay
Trend Micro detected 89 different Chrome extensions with Session Replay functionality in the Chrome Web Store. All extensions that Trend Micro detected used randomized names such as Air Plant Holder, Applesauce Christmas Ornaments or Cuban Sandwich.
The script records user activity and since it is browser-based and not page-based, can do so on any website the user visits. Session Replay scripts may record Credit Card numbers, addresses, bank account information, social security numbers, names, and pretty much anything else a user enters on websites.
While scripts are designed not to record passwords, research showed in the past that this might happen also.
All extensions have in common that they use the Session Replay script from Yandex to record user activity, and Trend Micro believes that they are operated by the same group which it named Droidclub.
The company released a PDF document that lists all Chrome extensions and domains that it associates with Droidclub.
Bleeping Computer reports that the extensions used command and control servers. Droidclub used the servers to inject advertising on pages visited by users, and older versions deployed the Coinhive crypto jacking script, so the site.
A quick check on the Chrome Web Store revealed that all extensions on the list that I checked are no longer listed. Nearly 425,000 users installed the extensions, however.
The Chrome Web Store does not come to rest when it comes to malicious extensions. Google announced some time ago that it wanted to improve the security but nothing has come out of it yet.
Now You: Do you vet extensions before you install them?
- Another Chrome extension horror story: coinhive and domain registration
- Chrome has a massive copycat extensions problem
- Google promises better protection against deceptive Chrome inline installations
- Google pulls crypto-mining Chrome extension Archive Poster
- Security firm ICEBRG uncovers 4 malicious Chrome extensions