Most of the dangerous extensions disguised themselves as ad blockers and were easily found by queries such as adblock, adguard, ublock, ad blocker, and so on. Extensions disguised as weather widgets and utilities for creating screenshots were also discovered. At the same time, in fact, 245 out of 295 extensions did not have any useful functionality for users and could only change the custom background for new tabs in Chrome.
All these extensions did not become malicious immediately: only after receiving the appropriate command from a remote server, they downloaded malicious code from fly-analytics.com, and then quietly injected ads into Google and Bing search results.
For example, some extensions checked which page they run on. If it was Bing or Google search results, the malware downloaded an image from the lh3.googleusrcontent.com domain. The researchers point out that this domain has nothing to do with Google, and the name is deliberately similar to confuse a potential observer. In the image uploaded in this way, ads are hidden using steganography, which the extension eventually embeds in the search results.
Other extensions used the cookie stuffing technique, that is, after receiving a command from the command and control server, they discreetly installed special "partner" cookies on the victim's machine. For example, if a user visited Booking.com, the attackers injected a "partner" cookie into the system, and when the user made a purchase, the author of the extension received a commission from Booking.com.
The researchers note that such fraudulent extensions share a number of common features, including:
- an extension downloaded more than 1,000,000 times cannot have 5-100 reviews in the Chrome Web Store;
- The fake ones use the source code of other ad blockers;
- such extensions have very short descriptions, maximum 2-3 paragraphs. They get to the top of search results in dishonest ways;
- malicious extensions use Google Tag Manager, which allows their operators to change the tag at any time and completely change the extension code.
Currently, Google experts are already studying the experts' report and are removing malware from the Chrome Web Store. Also, the removed extensions will be disabled in users' browsers and marked as malware.