Story image

Fake Chrome extensions inject code into web pages

02 May 17

Recently, here at our research lab, we have seen an increase in the number of JS/Chromex.Submelius threats detected. In countries like Colombia, Peru, Ecuador and Chile, the detection levels for this particular threat have been as high as 30% or 40% of the total threats for the entire country.

This is a trojan that redirects the user’s browser to a specific URL, which contains another kind of malicious content. Given the high detection levels for this threat, which primarily targets Chrome, currently one of the most popular web browsers, we set out to find out how the threat is being propagated and how a user might fall into its trap.

Watch whatever you want … but get infected at the same time

We found one example of how this threat is being propagated on a popular website for watching movies online. In one of the options for watching the content, when the user decides they want to start playing a movie, an additional window opens in the browser:

Anyone who has ever visited this kind of website will find nothing particularly unusual about this, as new windows often pop up saying things like “a virus has been detected” or “earn money by working from home”. In this case though, the browser does not redirect to another page with an ad as usual, but goes to a website which then asks you to go to another URL … and the message won’t stop appearing until you click “Accept”.

This new redirection points to a download of an extension from the Chrome web store. The following screenshot shows what the browser’s address bar looks like before the extension is installed:

f the user accepts the download, a space appears next to the address bar with the extension icon, and, if you click on it, it takes you to a new page within the Chrome web store for a different extension. In this case, as you can see in the following screenshot, there are some recent comments saying the app is useless:

If the movie has started playing by this point, the user’s browser will have been infected. If we go and look at what extensions are installed in the browser, we find the one that was downloaded first, and we see that its permissions include reading and changing all your data on the websites that you visit. This leaves an open window so that when the user visits any website some code is injected into it:

Then, while the user is browsing the internet, they will suddenly see new windows opening up with information about their system, taking them to other websites containing downloads of malicious code, advertising, or other kinds of content. This becomes an endless loop, which ultimately will benefit whoever is behind the fraudulent extension.

What can you do if you have downloaded the extension?

If you have downloaded this malicious extension you should remove it immediately from your Chrome browser. To do so, you can type “chrome://extensions” in the address bar and then, when you find the extension, simply delete it.

As a further precaution, you should also analyze your computer or device using a trustworthy security solution to rule out the possibility of having downloaded any other kind of threat to your machine.

As always, it is very important to be careful before clicking on anything and pay close attention to all websites you visit, especially if they ask you to download extensions. We have already seen other campaigns associated with YouTube, Facebook, and other websites that have worked in similar ways.

So, we can see that this kind of campaign is by no means an isolated case. In fact, there is a whole structure of redirection, which we will look at in more technical detail in a future article.

Article by Camilo Gutiérrez Amaya, head of Awareness and Research, ESET.

Oracle Java Card update boosts security for IoT devices
"Java Card 3.1 is very significant to the Internet of Things, bringing interoperability, security and flexibility to a fast-growing market currently lacking high-security and flexible edge security solutions."
Sophos hires ex-McAfee SVP Gavin Struther
After 16 years as the APAC senior vice president and president for McAfee, Struthers is now heading the APJ arm of Sophos.
Half of companies unable to detect IoT device breaches
A Gemalto study also shows that the of blockchain technology to help secure IoT data, services and devices has doubled in a year.
Huawei founder publically denies spying allegations
“After all the evidence is made public, we will rely on the justice system.”
Malware downloader on the rise in Check Point’s latest Threat Index
Organisations continue to be targeted by cryptominers, despite an overall drop in value across all cryptocurrencies in 2018.
IoT breaches: Nearly half of businesses still can’t detect them
The Internet of Thing’s (IoT’s) rapid rise to prominence may have compromised its security, if a new report from Gemalto is anything to go by.
Carbon Black: What does cybersecurity have in store for 2019?
Tom Kellerman has shared five insights for the year ahead, including a particularly bold one.
Hands-on review: The Ekster Wallet protects your cards against RFID attacks
For some time now, I’ve been protecting my credit cards with tinfoil. The tinfoil hat does attract a lot of comments, but thanks to Ekster, those days are now happily behind me.