Google Removes Malicious Chrome Extensions With Over 1.4 Million Downloads

Google has removed 5 malicious browser extensions from its Chrome Web Store that were downloaded collectively more than 1.4 million times.

Threat analysts at McAfee discovered that the extensions, which masqueraded as Netflix viewers and other utilities, were designed to surreptitiously monitor users' browsing activity.

The Chrome browser add-ons in question are as follows:

  • Netflix Party (mmnbenehknklpbendgmgngeaignppnbe) – 800,000 downloads
  • Netflix Party 2 (flijfnhifgdcbhglkneplegafminjnhn) – 300,000 downloads
  • FlipShope – Price Tracker Extension (adikhbfjdbjkhelbdnffogkobkekkkej) – 80,000 downloads
  • Full Page Screenshot Capture – Screenshotting (pojgkmkfincpdkdgjepkmdekcahmckjp) – 200,000 downloads
  • AutoBuy Flash Sales (gbnahglfafmhaehbdmjedfhdmimjcbed) – 20,000 downloads

These extensions offered various functions such as enabling users to watch Netflix shows together, finding website coupons, and taking screenshots of a website. The latter borrowed several phrases from another popular extension called GoFullPage.

Besides offering the intended functionality, the extensions also tracked the user's browsing activity. According to McAfee, every website a user visited was sent to servers owned by the extension creator so that they could insert code into the eCommerce websites being visited. That injected code then modified the cookies on the site so that the extension authors received affiliate payment for any items purchased.

“The users of the extensions are unaware of this functionality and the privacy risk of every site being visited being sent to the servers of the extension authors,” the McAfee researchers wrote in their blog post.

How Did The Extensions Work?

All 5 extensions perform similar behavior. The web app manifest (the “manifest.json” file) sets the background page as bg.html, which loads B0.js (a multifunctional script) that sends the browsing data to a domain the attackers control (“langhort[.]com”).

The data is delivered via POST requests every time the user visits a new URL. The information includes the URL in base64 form, the user ID, device location (country, city, zip code), and an encoded referral URL.

Upon receiving the URL, langhort.com checks it against a list of websites for which it has an affiliate ID, and if there is a match, the server responds to B0.js with one of two possible functions.

The first function, “Result['c'] – passf_url”, checks whether the query responded with a URL. If it did, B0.js inserts the URL received from the server as an iframe on the visited website.

The second function, “Result['e'] setCookie”, orders B0.js to modify a cookie or replace it with the one provided, in order to perform certain actions if the extension has been granted the associated permissions.

McAfee has also published a video that shows how the URL and cookie modifications occur in real time.

To evade automated analysis environments, some of the extensions waited 15 days after installation before they started sending out browsing activity, so that the malicious behavior would not raise red flags while the extension was being examined.

At the time of writing, all 5 malicious Chrome extensions have been removed from the Chrome Web Store. However, removal from the store does not uninstall them from browsers where they are already installed, so users are advised to remove them manually from their devices.
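One defender-side check, added here as an example and not taken from McAfee's report or the article: a Python script that walks a Chrome profile's Extensions directory, matches each installed extension ID against the five IDs listed above, and records the background entry each manifest declares (bg.html in the report) for manual review. The default profile paths are assumptions for a standard single-profile install; pass one or more Extensions directories as arguments to override them.

```python
import json
import sys
from pathlib import Path

# Extension IDs named in the McAfee report, as listed in the article above.
KNOWN_MALICIOUS_IDS = {
    "mmnbenehknklpbendgmgngeaignppnbe": "Netflix Party",
    "flijfnhifgdcbhglkneplegafminjnhn": "Netflix Party 2",
    "adikhbfjdbjkhelbdnffogkobkekkkej": "FlipShope - Price Tracker Extension",
    "pojgkmkfincpdkdgjepkmdekcahmckjp": "Full Page Screenshot Capture - Screenshotting",
    "gbnahglfafmhaehbdmjedfhdmimjcbed": "AutoBuy Flash Sales",
}
# Chrome keeps an unpacked copy of each installed extension under
# <profile>/Extensions/<extension id>/<version>/manifest.json (assumed default profile paths)
DEFAULT_EXTENSION_DIRS = [
    Path.home() / ".config/google-chrome/Default/Extensions",  # Linux
    Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions",  # macOS
    Path.home() / "AppData/Local/Google/Chrome/User Data/Default/Extensions",  # Windows
]

def background_entry(manifest):
    """Return the background page, scripts or service worker the manifest declares."""
    bg = manifest.get("background", {})
    return bg.get("page") or bg.get("scripts") or bg.get("service_worker")

def scan_extensions(ext_root):
    """Scan one Chrome Extensions directory; return one record per installed version."""
    results = []
    root = Path(ext_root)
    if not root.is_dir():
        return results
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep sweeping
        results.append({
            "id": ext_id,
            "version": manifest_path.parent.name,
            "name": manifest.get("name", "?"),
            "background": background_entry(manifest),  # e.g. bg.html, as in the report
            "known_malicious": KNOWN_MALICIOUS_IDS.get(ext_id),  # None if not on the list
        })
    return results

if __name__ == "__main__":
    for d in [Path(p) for p in sys.argv[1:]] or DEFAULT_EXTENSION_DIRS:
        for rec in scan_extensions(d):
            print("MALICIOUS" if rec["known_malicious"] else "ok", rec["id"],
                  rec["version"], rec["name"], "bg=", rec["background"])
```

A match on an ID is a definite hit; for everything else the background entry is only a pointer to what to inspect next, since bg.html is not a malicious name by itself.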

Kavita Iyer, https://www.techworm.net