Trend Micro security researchers identified 89 different malicious extensions for Google Chrome that use Session Replay functionality to log user activity while using the browser.
Session Replay scripts are analytics scripts that record user activity on websites. Companies use it to understand what users do on their sites by recording mouse movement, keyboard input and other interactions with the page in question.
Research suggests that nearly 1% of the top 50,000 Alexa websites use Session Replay scripts, including sites run by WordPress, Microsoft, Adobe, GoDaddy and Softonic.
Trend Micro detected 89 different Chrome extensions with Session Replay functionality in the Chrome Web Store. All extensions that Trend Micro detected used randomized names such as Air Plant Holder, Applesauce Christmas Ornaments or Cuban Sandwich.
The script records user activity, and because it runs in the browser rather than on a single page, it can do so on any website the user visits. Session Replay scripts may record credit card numbers, addresses, bank account information, social security numbers, names, and pretty much anything else a user enters on websites.
While the scripts are designed not to record passwords, past research has shown that this can happen anyway.
All of the extensions use the Session Replay script from Yandex to record user activity, and Trend Micro believes that they are operated by the same group, which it named Droidclub.
The company released a PDF document that lists all Chrome extensions and domains that it associates with Droidclub.
Bleeping Computer reports that the extensions contacted command and control servers. According to the site, Droidclub used the servers to inject advertising on pages visited by users, and older versions deployed the Coinhive cryptojacking script.
A quick check on the Chrome Web Store revealed that all extensions on the list that I checked are no longer listed. Nearly 425,000 users installed the extensions, however.
The Chrome Web Store cannot seem to get a handle on malicious extensions. Google announced some time ago that it wanted to improve security, but nothing has come of it yet.
Now You: Do you vet extensions before you install them?
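One concrete way to vet an extension before installing it is to read its manifest.json for the capabilities a browser-wide recorder like the one described above needs: a content script injected on every site, broad host permissions, traffic-watching API permissions, and (in manifest v2) a content security policy that allows loading script from a remote origin. The audit below is an added example written for this article; it is not code from Ghacks, Trend Micro, or any of the Droidclub extensions, and the two manifests it checks are constructed for the example with hypothetical names and `.invalid` domains.

```javascript
// Added example, not code from the article or from Trend Micro: a static audit
// of a Chrome extension manifest.json that flags the capabilities a session
// replay style extension relies on. The manifests at the bottom are constructed
// for this example and do not come from any extension in the Web Store.

const BROAD_HOST_PATTERNS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];
const SENSITIVE_API_PERMISSIONS = [
  'webRequest', 'webRequestBlocking', 'tabs', 'cookies', 'history', 'scripting', 'webNavigation',
];

function isBroadHostPattern(pattern) {
  return BROAD_HOST_PATTERNS.includes(pattern);
}

// Returns a list of {severity, reason} findings for a parsed manifest object.
function auditManifest(manifest) {
  const findings = [];

  // 1. A content script injected on every site can read every form field,
  //    which is what turns a page analytics script into a browser-wide recorder.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isBroadHostPattern);
    if (broad.length > 0) {
      findings.push({
        severity: 'high',
        reason: `content script ${(cs.js || []).join(', ')} runs on all sites (${broad.join(', ')})`,
      });
    }
  }

  // 2. Broad host permissions: manifest v2 lists them under "permissions",
  //    manifest v3 under "host_permissions".
  const hostAccess = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ].filter(isBroadHostPattern);
  if (hostAccess.length > 0) {
    findings.push({ severity: 'high', reason: `broad host access: ${hostAccess.join(', ')}` });
  }

  // 3. API permissions that let the extension observe or rewrite traffic.
  const apis = (manifest.permissions || []).filter((p) => SENSITIVE_API_PERMISSIONS.includes(p));
  if (apis.length > 0) {
    findings.push({ severity: 'medium', reason: `sensitive API permissions: ${apis.join(', ')}` });
  }

  // 4. A manifest v2 CSP whose script-src names a remote origin lets the
  //    extension pull in code it does not ship, such as a hosted replay script.
  const csp = typeof manifest.content_security_policy === 'string' ? manifest.content_security_policy : '';
  const scriptSrc = csp.split(';').map((d) => d.trim()).find((d) => d.startsWith('script-src'));
  if (scriptSrc) {
    const remote = scriptSrc.split(/\s+/).slice(1).filter((s) => /^https?:/.test(s));
    if (remote.length > 0) {
      findings.push({ severity: 'high', reason: `remote script origins allowed: ${remote.join(', ')}` });
    }
  }
  return findings;
}

function riskLevel(findings) {
  if (findings.some((f) => f.severity === 'high')) return 'high';
  if (findings.some((f) => f.severity === 'medium')) return 'medium';
  return 'low';
}

// Constructed manifests (hypothetical names and domains, not real extensions).
const CONSTRUCTED_RISKY_MANIFEST = {
  manifest_version: 2,
  name: 'Example Ornament Helper',
  permissions: ['tabs', 'webRequest', '<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['record.js'] }],
  content_security_policy: "script-src 'self' https://replay.example.invalid; object-src 'self'",
};
const CONSTRUCTED_NARROW_MANIFEST = {
  manifest_version: 3,
  name: 'Example Site Tool',
  permissions: ['storage'],
  host_permissions: ['https://docs.example.invalid/*'],
  content_scripts: [{ matches: ['https://docs.example.invalid/*'], js: ['tool.js'] }],
};

for (const m of [CONSTRUCTED_RISKY_MANIFEST, CONSTRUCTED_NARROW_MANIFEST]) {
  const findings = auditManifest(m);
  console.log(`${m.name}: ${riskLevel(findings)}`);
  for (const f of findings) console.log(`  [${f.severity}] ${f.reason}`);
}
```

Point it at the manifest.json inside an unpacked extension (or one downloaded as a CRX and unzipped) to get a first impression before installing. A high rating is not proof of malice, since legitimate password managers and ad blockers need the same broad access, but it tells you which extensions deserve a closer look at what their content scripts actually do.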