URL: https://palant.info/2023/05/31/more-malicious-extensions-in-chrome-web-store/
Submission: On June 12 via api from DE — Scanned from DE

Almost Secure
MORE MALICIOUS EXTENSIONS IN CHROME WEB STORE

 2023-05-31  security/privacy/add-ons/google  5 mins  8 comments

Two weeks ago I wrote about the PDF Toolbox extension containing obfuscated
malicious code. Despite reporting the issue to Google via two different
channels, the extension remains online. It even gained a considerable number of
users after I published my article.

A reader tipped me off however that the Zoom Plus extension also makes a request
to serasearchtop[.]com. I checked it out and found two other versions of the
same malicious code. And I found more extensions in Chrome Web Store which are
using it.

So now we are at 18 malicious extensions with a combined user count of 55
million. The most popular of these extensions are Autoskip for Youtube, Crystal
Ad block and Brisk VPN: nine, six and five million users respectively.

Update (2023-06-01): With an increased sample I was able to find some more
extensions. Also, Lukas Andersson did some research into manipulated extension
ratings in Chrome Web Store and pointed out that other extensions exhibited
similar patterns in their review. With his help I was able to identify yet
another variant of this malicious code and a bunch more malicious extensions. So
now we are at 34 malicious extensions and 87 million users.

Update (2023-06-02): All but eight of these extensions have been removed from
Chrome Web Store. These eight extensions are considerably different from the
rest, so I published a follow-up blog post discussing the technical aspects
here.

CONTENTS

 * The extensions
 * The malicious code
 * What does it actually do?


THE EXTENSIONS

So far I could identify the following 34 malicious extensions. Most of them are
listed as “Featured” in Chrome Web Store. User counts reflect the state for
2023-05-30.

Update (2023-06-12): The complete list of extension IDs from this article series
can be found here. This repository also contains the check-extensions
command-line utility which will search local browser profiles for these
extensions.

| Name | Weekly active users | Extension ID |
| --- | ---: | --- |
| Autoskip for Youtube | 9,008,298 | lgjdgmdbfhobkdbcjnpnlmhnplnidkkp |
| Soundboost | 6,925,522 | chmfnmjfghjpdamlofhlonnnnokkpbao |
| Crystal Ad block | 6,869,278 | lklmhefoneonjalpjcnhaidnodopinib |
| Brisk VPN | 5,595,420 | ciifcakemmcbbdpmljdohdmbodagmela |
| Clipboard Helper | 3,499,233 | meljmedplehjlnnaempfdoecookjenph |
| Maxi Refresher | 3,483,639 | lipmdblppejomolopniipdjlpfjcojob |
| Quick Translation | 2,797,773 | lmcboojgmmaafdmgacncdpjnpnnhpmei |
| Easyview Reader view | 2,786,137 | icnekagcncdgpdnpoecofjinkplbnocm |
| PDF toolbox | 2,782,790 | bahogceckgcanpcoabcdgmoidngedmfo |
| Epsilon Ad blocker | 2,571,050 | bkpdalonclochcahhipekbnedhklcdnp |
| Craft Cursors | 2,437,224 | magnkhldhhgdlhikeighmhlhonpmlolk |
| Alfablocker ad blocker | 2,430,636 | edadmcnnkkkgmofibeehgaffppadbnbi |
| Zoom Plus | 2,370,645 | ajneghihjbebmnljfhlpdmjjpifeaokc |
| Base Image Downloader | 2,366,136 | nadenkhojomjfdcppbhhncbfakfjiabp |
| Clickish fun cursors | 2,353,436 | pbdpfhmbdldfoioggnphkiocpidecmbp |
| Cursor-A custom cursor | 2,237,147 | hdgdghnfcappcodemanhafioghjhlbpb |
| Amazing Dark Mode | 2,228,049 | fbjfihoienmhbjflbobnmimfijpngkpa |
| Maximum Color Changer for Youtube | 2,226,293 | kjeffohcijbnlkgoaibmdcfconakaajm |
| Awesome Auto Refresh | 2,222,284 | djmpbcihmblfdlkcfncodakgopmpgpgh |
| Venus Adblock | 1,973,783 | obeokabcpoilgegepbhlcleanmpgkhcp |
| Adblock Dragon | 1,967,202 | mcmdolplhpeopapnlpbjceoofpgmkahc |
| Readl Reader mode | 1,852,707 | dppnhoaonckcimpejpjodcdoenfjleme |
| Volume Frenzy | 1,626,760 | idgncaddojiejegdmkofblgplkgmeipk |
| Image download center | 1,493,741 | deebfeldnfhemlnidojiiidadkgnglpi |
| Font Customizer | 1,471,726 | gfbgiekofllpkpaoadjhbbfnljbcimoh |
| Easy Undo Closed Tabs | 1,460,691 | pbebadpeajadcmaoofljnnfgofehnpeo |
| Screence screen recorder | 1,459,488 | flmihfcdcgigpfcfjpdcniidbfnffdcf |
| OneCleaner | 1,457,548 | pinnfpbpjancnbidnnhpemakncopaega |
| Repeat button | 1,456,013 | iicpikopjmmincpjkckdngpkmlcchold |
| Leap Video Downloader | 1,454,917 | bjlcpoknpgaoaollojjdnbdojdclidkh |
| Tap Image Downloader | 1,451,822 | okclicinnbnfkgchommiamjnkjcibfid |
| Qspeed Video Speed Controller | 732,250 | pcjmcnhpobkjnhajhhleejfmpeoahclc |
| HyperVolume | 592,479 | hinhmojdkodmficpockledafoeodokmc |
| Light picture-in-picture | 172,931 | gcnceeflimggoamelclcbhcdggcmnglm |

Note that this list is unlikely to be complete. It’s based on a sample of
roughly 1,600 extensions that I have locally, not all the Chrome Web Store
contents.


THE MALICIOUS CODE

There is a detailed discussion of the malicious code in my previous article. I
couldn’t find any other extension using the same code as PDF Toolbox, but the
two variants I discovered now are very similar. There are minor differences:

 * The first variant masquerades as Mozilla’s WebExtension browser API
   Polyfill. The “config” download address is
   https://serasearchtop.com/cfg/<Extension_ID>/polyfill.json, and the mangled
   timestamp that prevents downloads within the first 24 hours is stored in
   localStorage.polyfill.
 * The second variant masquerades as the Day.js library. It downloads data from
   https://serasearchtop.com/cfg/<Extension_ID>/locale.json and stores the
   mangled timestamp in localStorage.locale.

Both variants keep the code of the original module; the malicious code has been
added on top of it. The WebExtension Polyfill variant appears to be older: the
extensions using it usually had their latest release at the end of 2021 or early
in 2022. The extensions using the Day.js variant are newer, and their code has
been obfuscated more thoroughly.

The extension logic itself remains exactly the same, however. From the look of
it, its purpose is to make two very specific function calls:
chrome.tabs.onUpdated.addListener and chrome.tabs.executeScript. So these
extensions are meant to inject arbitrary JavaScript code into every website you
visit.
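The following script is an added example, not the article's own check-extensions utility: it walks a local Chrome profile, reports extension IDs from the table above, and flags JavaScript files that contain the indicators described in this section (the serasearchtop.com config URL, the localStorage timestamp key, and the onUpdated/executeScript pair). The Extensions/<id>/<version>/ layout and the embedded subset of IDs are assumptions; literal matching will not catch more heavily obfuscated copies.

```python
import re
import sys
from pathlib import Path
from typing import Iterable

# Subset of the extension IDs from the article's table (extend with the full list).
FLAGGED_IDS = {
    "lgjdgmdbfhobkdbcjnpnlmhnplnidkkp": "Autoskip for Youtube",
    "lklmhefoneonjalpjcnhaidnodopinib": "Crystal Ad block",
    "ciifcakemmcbbdpmljdohdmbodagmela": "Brisk VPN",
    "bahogceckgcanpcoabcdgmoidngedmfo": "PDF toolbox",
    "ajneghihjbebmnljfhlpdmjjpifeaokc": "Zoom Plus",
}

# Indicators from the article: the config URL of both variants, the localStorage key
# holding the mangled timestamp, and the onUpdated + executeScript pair. Literal
# matches miss obfuscated copies and the last pattern also hits benign extensions.
INDICATORS = {
    "config_url": re.compile(r"serasearchtop\.com/cfg/[a-p]{32}/(?:polyfill|locale)\.json"),
    "timestamp_key": re.compile(r"localStorage\.(?:polyfill|locale)\b"),
    "inject_pair": re.compile(r"tabs\.onUpdated\.addListener[\s\S]*?tabs\.executeScript"),
}


def flagged_installed(installed_ids: Iterable[str]) -> dict:
    """Map each installed ID that appears in FLAGGED_IDS to its store name."""
    return {i: FLAGGED_IDS[i] for i in installed_ids if i in FLAGGED_IDS}


def scan_source(js_text: str) -> list:
    """Return the names of the indicators present in one JavaScript source text."""
    return [name for name, rx in INDICATORS.items() if rx.search(js_text)]


def scan_profile(profile_dir: str) -> dict:
    """Walk <profile>/Extensions/<id>/<version>/ (assumed Chrome layout) and return
    {id: {"known_id": bool, "indicators": set}} for every noteworthy extension."""
    report = {}
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return report
    for ext_dir in (d for d in ext_root.iterdir() if d.is_dir()):
        hits = {"known_id": ext_dir.name in FLAGGED_IDS, "indicators": set()}
        for js in ext_dir.rglob("*.js"):
            hits["indicators"].update(scan_source(js.read_text(errors="ignore")))
        if hits["known_id"] or hits["indicators"]:
            report[ext_dir.name] = hits
    return report


if __name__ == "__main__":
    for ext_id, hits in scan_profile(sys.argv[1]).items():
        print(ext_id, FLAGGED_IDS.get(ext_id, "(unknown)"), sorted(hits["indicators"]))
```

Run it as `python scan.py "~/.config/google-chrome/Default"` (or the equivalent profile path on your platform); an ID hit is a match against the article's list, while an indicator-only hit is a lead that needs manual review.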


WHAT DOES IT ACTUALLY DO?

As with PDF Toolbox, I cannot observe the malicious code in action. The
configuration data produced by serasearchtop[.]com is always empty for me. Maybe
it’s not currently active, maybe it only activates some time after installation,
or maybe I have to be in a specific geographic region. Impossible to tell.

So I went checking out what other people say. Many reviews for these extensions
appear to be fake. There are also just as many reviews complaining about
functional issues: people notice that these extensions aren’t really being
developed. Finally, a bunch of Brisk VPN reviews mention the extension being
malicious, sadly without explaining how they noticed.

But I found my answer in the reviews for the Image Download Center extension:

So it would seem that at least back in 2021 (yes, almost two years ago) the
monetization approach of this extension was redirecting search pages. I’m pretty
certain that these users reported the extension back then, yet here we still
are. Yes, I’ve never heard about the “Report abuse” link in Chrome Web Store
producing any result. Maybe it is a fake form only meant to increase customer
satisfaction?

There is a similar two years old review on the OneCleaner extension:

Small correction: the website in question was actually called
CharmSearching[.]com. If you search for it, you’ll find plenty of discussions on
how to remove malware from your computer. The domain is no longer active, but
this likely just means that they switched to a less known name. Like… well,
maybe serasearchtop[.]com. No proof, but serasearchtop[.]com/search/?q=test
redirects to Google.

Mind you: just because these extensions monetized by redirecting search pages
two years ago, it doesn’t mean that they still limit themselves to it now. There
are way more dangerous things one can do with the power to inject arbitrary
JavaScript code into each and every website.


SEE ALSO:

 * Another cluster of potentially malicious Chrome extensions
 * Introducing PCVARK and their malicious ad blockers
 * How malicious extensions hide running arbitrary code
 * Malicious code in PDF Toolbox extension
 * Online Security extension: Destroying privacy for no good reason

COMMENTS

 * Jeroen 2023-06-01 07:44
   
   Thanks for your interesting article (and the other ones too!). I noticed the
   same things in extensions. I also discovered two plugins which inserted
   malicious code on facebook, pinterest and other social media websites, that
   sends stuff back to 'home'. Another plugin had become a giant
   affiliate-tracker, which rewrote urls of a bunch of ecommerce sites to
   include their own affiliate code to make money. I believe this last one was a
   screenshot extension. I also contacted Google multiple times through multiple
   channels, but there was no reply whatsoever. Only when I replied to a
   warning-email about one of my own extensions (I had to update my privacy
   policy) I finally got a human response. Then I addressed the issue that I
   found on the screenshot extension. Finally, after emailing a bit, they even
   took the extension offline. So there actually are some employees who care
   about the users, but it seems that the formal channels to report something
   are not (very actively) monitored or responded to.

 * Lukas 2023-06-01 11:37
   
   Very interesting find! I'm currently working on a project where I try to
   detect reputation manipulation in the Chrome store and construct clusters of
   extensions with similar patterns of seemingly faked or incentivized reviews.
   16 out of 18 of the extensions you mentioned are flagged in my project as
   suspected targets of reputation manipulation; when tracing back through the
   clusters created of the said 16 extensions, another 40 extensions are flagged
   for having similar suspected reputation manipulation, indicating the same
   group or individual is behind the action.

 * RatoGBM 2023-06-01 12:24
   
   I actually had Font Customizer installed, thanks.
   
   I myself actually found an interesting extension called NoteTab, it changes
   your default search engine to their own that basically sends your query to
   the server just to be redirected to bing.com.
   
   Wladimir Palant 2023-06-01 12:34
   
   Yes, NoteTab changes the default search engine by “official” means. This is
   clearly something that can and should be indicated during installation, but
   for some reason I can see no such warning.

 * Anonysafe 2023-06-01 12:54
   
   Thanks for keeping us safe, Google

 * Dominic Hébert 2023-06-01 15:04
   
   Is it the same problem with Microsoft Edge Chromium based?
   
   Wladimir Palant 2023-06-01 15:20
   
   Yes, at least some of these extensions are available via Microsoft’s Edge
   Add-ons site – then with a different extension ID. Also, from what I know
   Edge users can install extensions from Chrome Web Store.

 * Denis 2023-06-06 21:53
   
   Maybe you can write a small extension for Chrome that will look at the names
   of installed extensions in the browser and, if it is on your list of
   malicious ones, warn the user about it with a brief description (for example,
   tracks user actions, opens hidden tabs to cheat visits, and so on)? And then
   the user himself decides to delete the extension or not.
   
   Wladimir Palant 2023-06-07 04:47
   
   Actually, this already exists. It’s even built into the browser: Google Safe
   Browsing. It only needs to be used with these extensions…

 * Martin Valjavec 2023-06-07 08:59
   
   Is this similar to (or in any way related to) the problems mentioned here:
   https://support.google.com/chrome/thread/51051721?hl=en&msgid=51197424&sjid=12606283519512000092-EU
   
   I guess, this means at least that Google had info earlier on that "something
   strange" is happening.
   
   Wladimir Palant 2023-06-07 09:09
   
   No. I checked out that Downloader for Instagram extension (no longer on
   Chrome Web Store, downloaded it elsewhere), it’s different code and not
   related.

 * Denis 2023-06-07 11:25
   
   Can I have a link to your extension in the store?
   
   Wladimir Palant 2023-06-07 11:40
   
   I’m not talking about an extension, it’s a browser feature. Google merely has
   to activate it for these extensions.

Content under CC BY-SA 4.0 license