New Polymorphic Chrome extensions fake others to steal your data

Martin Brinkmann
Mar 10, 2025

We have seen our fair share of malicious Chrome extensions in the 17 or so years since Google released the first version of its browser. They range from fake VPN extensions and outright malicious extensions to sophisticated session replay malware.

This is what happened: a new class of malicious extension, called a polymorphic extension, is currently being used to attack users in the wild.

What is a polymorphic extension? A malicious extension that mimics the icon and behavior of another installed extension in order to steal user data.

Polymorphic extensions behave like legitimate extensions at first glance. They look like harmless extensions that provide some useful functionality. Their true purpose is to impersonate other extensions installed in the user's browser and steal data.

Faking other extensions to gain access to user data

Security researchers at SquareX Labs discovered the new type of malware. The basic process is always the same. It begins with the installation of a legitimate-looking but malicious Chrome extension. This may happen via the official Chrome Web Store or through other channels.

The extension prompts the user to pin its icon to the Chrome toolbar. Many extensions request that, as it provides faster access to their functionality. For this attack the pin matters: a pinned icon is visible on the toolbar, and an extension can change its own icon at any time, so the spot the user associates with the malicious extension can later be made to look like the target extension.

While the extension works as advertised, it scans for high-value extensions installed by the user. These can be password managers, financial extensions, or any other type of extension that may provide access to valuable data.

Chrome does not hand ordinary extensions a list of what else is installed (the management API that exposes such a list requires its own permission), but there are ways around that. One way, according to the researchers, is to check whether web-accessible resources belonging to the target extensions can be loaded: a file an extension exposes to web pages loads only if that extension is installed, so a successful load is as good as a positive match.

Once a target has been found, malicious code is executed to impersonate the legitimate extension. The researchers give the example of an attack on a password manager extension.

When the user visits a webpage with a login form, the malicious extension temporarily disables the password manager and swaps its own toolbar icon for the password manager's icon. An HTML prompt, styled to look like it came from the password manager, asks the user to sign in to the password manager again. Disabling another extension is only possible for an extension that holds Chrome's management permission (shown at install time as the ability to manage your apps, extensions and themes), which is worth keeping in mind when reviewing an extension's permission prompt.

When the user enters the credentials, they are sent to the threat actor. The malicious extension then restores its original icon and re-enables the password manager. Once re-enabled, the legitimate password manager fills in the login form and signs the user in, making it hard to notice that anything happened.
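The two building blocks of the attack described above are the resource probe that tells the malicious extension which targets are installed, and the management permission that lets it disable and re-enable one of them. The following Node.js script is an added example, not code from SquareX, Google or any extension vendor. It shows how a probe is built from a target's manifest (both the Manifest V2 and V3 shapes of web_accessible_resources), how the probe results are read, and how to audit a manifest for the management permission before installing it. The extension IDs, manifests and the fake fetch function are constructed for the example; in a real page, window.fetch would take the place of the injected fetch.

```javascript
// Added example, not code from SquareX or Google. Runs under Node.js; the
// browser-only part (window.fetch) is injected so the script works offline.
// All extension IDs, manifests and the fake fetch below are constructed.

// Paths an extension exposes to the outside world. Only these can be loaded
// from a web page or another extension, which makes them a fingerprint.
function accessiblePaths(manifest) {
  const paths = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {
      paths.push(entry);                 // Manifest V2: plain path strings
    } else if (entry && Array.isArray(entry.resources)) {
      paths.push(...entry.resources);    // Manifest V3: { resources, matches }
    }
  }
  // Wildcard patterns cannot be fetched directly; a probe needs concrete paths.
  return paths.filter((p) => !p.includes("*")).map((p) => p.replace(/^\/+/, ""));
}

// The URLs a probe requests for one candidate extension.
function probeUrlsFor(extensionId, manifest) {
  return accessiblePaths(manifest).map((p) => `chrome-extension://${extensionId}/${p}`);
}

// Probe each candidate. With the real window.fetch, a web-accessible resource
// of an installed extension resolves with 200; anything else rejects with a
// network error. `candidates` maps extension ID -> that extension's manifest.
async function detectInstalled(candidates, fetchImpl) {
  const found = [];
  for (const [id, manifest] of Object.entries(candidates)) {
    for (const url of probeUrlsFor(id, manifest)) {
      try {
        const res = await fetchImpl(url, { method: "HEAD" });
        if (res.ok) {
          found.push(id);
          break;                         // one hit is enough for this ID
        }
      } catch (_err) {
        // Rejected: not installed, or this path is not exposed. Try the next one.
      }
    }
  }
  return found;
}

// Defender side: what to check in a manifest before installing. "management"
// is the permission behind chrome.management.setEnabled, i.e. the ability to
// disable and re-enable other extensions.
function auditManifest(manifest) {
  const perms = new Set([
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ]);
  const findings = [];
  if (perms.has("management")) {
    findings.push("can enable or disable other extensions (management permission)");
  }
  if (accessiblePaths(manifest).length > 0) {
    findings.push("exposes web_accessible_resources (fingerprintable by pages and other extensions)");
  }
  return findings;
}

// Constructed sample data. The 32-letter IDs are placeholders, not real extensions.
const CANDIDATES = {
  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: {    // hypothetical MV3 password manager
    manifest_version: 3,
    web_accessible_resources: [
      { resources: ["icons/logo.png", "inject/*.js"], matches: ["<all_urls>"] },
    ],
  },
  bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb: {    // hypothetical MV2 crypto wallet
    manifest_version: 2,
    web_accessible_resources: ["inpage.js"],
  },
  cccccccccccccccccccccccccccccccc: {    // exposes nothing: invisible to this probe
    manifest_version: 3,
  },
};

// Stand-in for window.fetch: only the wallet is "installed" in this scenario.
async function fakeFetch(url) {
  if (url.startsWith("chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/")) {
    return { ok: true, status: 200 };
  }
  throw new TypeError("Failed to fetch");
}

// A hypothetical "helpful" extension that also asks to manage other extensions.
const SUSPICIOUS_MANIFEST = {
  manifest_version: 3,
  name: "Helpful Tool",
  permissions: ["storage", "management"],
};

async function main() {
  console.log("installed targets:", await detectInstalled(CANDIDATES, fakeFetch));
  console.log("audit:", auditManifest(SUSPICIOUS_MANIFEST));
}
main();
```

The probe only sees extensions that expose web-accessible resources; an extension that exposes none (the third candidate) cannot be detected this way, which is why the audit flags that exposure on the defender side as well. The audit also treats optional permissions as relevant, since an extension can request them after installation.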

With the credentials in hand, the threat actor may access the user's password vault to obtain data.

The researchers highlight several key attacks that may be executed using polymorphic extensions:

  • Unauthorized transfer of cryptocurrencies using crypto wallets
  • Unauthorized transactions using banking apps
  • Unauthorized access to monitor, write and send confidential documents/emails with productivity tools (e.g. grammar checkers, automation tools)
  • Unauthorized access to read and modify code base via developer tools

SquareX informed Google about this new type of malicious extension. There is no direct defense against polymorphic extensions in Chrome itself, so the main line of defense is to vet extensions before installing them: who publishes them, whether they are needed at all, and which permissions they request. An extension that asks to manage your other extensions should have a very good reason for it.

Another option is to use separate profiles, or even separate browsers, for different activities. Use one browser or profile, with as few extensions as possible, for tasks that demand the highest security. This separates that activity from regular browsing sessions and limits what an extension installed for everyday use can reach.

Now it is your turn. Do you verify extensions before you install them? Let us know in the comment section below.

Ghacks Technology News


Comments

  1. ireallyneedtodie said on March 13, 2025 at 8:32 pm

    I forgot to add that you can view extension source code with CRX Viewer for Firefox and Chrome. I wish Mozilla would add a way to see the changes to the extension source code, though.

  2. ireallyneedtodie said on March 13, 2025 at 8:30 pm

    I grew up when adware and spyware were generally frowned upon. I had the Stylish extension, and then they sold out to an advertising company and were stealing user history. So naturally I am wary of extensions for applications and of third-party applications in general.

    It's funny how Google had textual ads; they were actually the least obnoxious and intrusive form of ads. Then came targeted ads with tracking, and all that changed for the worse. A company like Google that has essentially normalized and endorses adware and spyware on their mobile platform has a massive problem with malware. They just provide a false premise of being safe when they are not.

    I'm kind of glad there is bait to feed to slime, as bad as that sounds. At least I and others who I've associated with get to enjoy a sliver of an ad-free/malware-free experience. If people were "smarter" with tech, how far would criminals have to go to reach them, you have to wonder.

  3. Thanquol said on March 11, 2025 at 2:10 pm

    Use Zero trust, like Thanquol squeak-say do, yes-yes! Triple check always good sources of clean code (verify) or you may get case of bad fleas-bug-things in compute box.

    Maybe Martin thinks chromium most dirty and bloated browser engine from midden-sewer. Polymorphic Chrome, very bad news; like thief-steal in night of token-coin.

    Don’t blindly install extensions that order-tell you what to do, or ones that have silly names. Think first, not like dumb AI bot agencies’ work, no brain to them either, and their scribble scribbles on here.

    Have will, like mallet, bludgeon sense into fool-friends. Tell them who true master is; extension (nor Chrome) should not be master, no no. Check settings-privileges always, obey-follow my instructions to stay quick-sharp and pointy.

    Google wants to get fat on gathering data; always… a most fat vile Marketing-monster, preying on man-things – those with vulnerable minds, like those weirdroot addicts, yes-yes… 💰 So they being addled do stupid-dumb action download-install such wicked things. All because some fools-clueless are blindly trusting Google website to be safe, and such fake extension adverts.

  4. Tom Hawack said on March 11, 2025 at 12:46 pm

    I never understood why Google is so lax with the security of its Chrome extensions. Not concerned personally, given I avoid Google products, services and servers like the plague they are. The company's Manifest V3 emphasizes extensions' security to argue for its restrictions, yet yawns when it comes to malware infection regarding extensions it hosts. I guess their philosophy is that contradictions vanish when profit is the master.

  5. Bobo said on March 11, 2025 at 3:57 am

    Add to the equation that the very second Chrome removed uBlock Origin, the browser became a virus & malware magnet. Way to go Google. We must remember though: Google’s money first, Google’s control second, user safety third and after that MAYBE user friendliness. I, as an average user, have other priorities: Google not making money from me, Google losing control second, user safety third.

    1. Allwynd said on March 11, 2025 at 3:07 pm

      I will be very curious to see if Chrome usage will drop and Firefox will rise under the current circumstances of Google neutering content blocking extensions and Firefox finally admitting to harvesting, stealing and selling the data of their users.

      I'm using Brave as my main browser. On desktop, extensions, namely uBlock Origin, still work and install without any issues or notifications saying they are about to not be supported soon; on my phone Brave blocks undesirable content reasonably well. When I open YouTube or Google in Incognito, it automatically hides the prompts where you have to agree or refuse to give your data, which I think not even uBlock Origin does on its own. Only some cosmetic elements remain unblocked, but I haven't bothered adding custom filters as it works fine.

      Even if uBlock Origin stops working on Brave, the built-in blocking will suffice, so I'm not concerned with these developments.

      I'm looking forward to seeing the emerging rendering engines not based on Blink or Gecko take shape, and whether they will become viable and a competition to Blink, but for now I've found things that work for me and I'm content.

  6. Thomas said on March 10, 2025 at 5:18 pm

    Thanks for the update, Martin,
    this is a really sneaky one. Chrome extensions remain a massive attack surface.
