Google removed dozens of malicious extensions from its Chrome Web Store after a cybersecurity firm uncovered a “massive global surveillance campaign” that was recently targeting users of the popular internet browser.
The search engine hegemon, owned by Alphabet, told Reuters that more than 70 suspicious add-ons were removed from its browser after the issue was raised by Awake Security, a Santa Clara, California-based cybersecurity firm that uses artificial intelligence to hunt for threats.
Researchers at Awake Security found that the “malicious or fake” extensions, more than 100 add-ons in total, had been downloaded at least 32,962,951 times as of May 2020.
According to Newsweek, the team alleged that the unknown attackers’ infrastructure relied on web domains from a single registrar in Israel: CommuniGal Communication Ltd., or GalComm.
Awake Security wrote in a blog: “In the past three months alone, we have harvested 111 malicious or fake Chrome extensions using GalComm domains for attacker command and control infrastructure and/or as loader pages for the extensions.
“These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords).”
Of 26,079 accessible domains registered through GalComm, researchers found almost 60 percent (15,160) were malicious or suspicious, hosting malware or browser-spying tools. The domains, which used evasion techniques, have been published online.
Most of the free add-ons claimed to warn users about suspicious websites or posed as file-conversion software, but were in fact stealing data.
Google spokesperson Scott Westover told Reuters: “When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses.”
Gary Golomb, co-founder and chief scientist of Awake Security, said it was one of the most “far-reaching” Chrome store campaigns ever seen. GalComm owner Moshe Fogel told Reuters via email that his firm was not involved in nefarious activity.
In its statement about the campaign, Awake Security’s research team described the attack as an “equal opportunity spying effort” because it did not appear to have been targeted. It accused GalComm of “exploiting the trust placed in it as a domain registrar.”
Google spokesperson Scott Westover said in a statement provided to CNN Business: “We do regular sweeps to find extensions using similar techniques, code, and behaviors, and take down those extensions if they violate our policies.”
Google Chrome extensions have been linked to cyberattacks in the past, including as recently as February this year. The company has taken several steps to improve the browser’s privacy and security protections, Westover said.
“In addition to disabling the accounts of developers that violate our policies, we also flag certain malicious patterns we detect in order to prevent extensions from returning,” he added.