FEATURED BUT NOT SAFE

Researcher uncovers dozens of sketchy Chrome extensions with 4 million installs

Even weirder: Why would Google give so many the "Featured" stamp for trustworthiness?

Dan Goodin
Credit: Getty Images

Google is hosting dozens of extensions in its Chrome Web Store that perform suspicious actions on the more than 4 million devices that have installed them and that their developers have taken pains to carefully conceal.

The extensions, which so far number at least 35, use the same code patterns, connect to some of the same servers, and require the same list of sensitive systems permissions, including the ability to interact with web traffic on all URLs visited, access cookies, manage browser tabs, and execute scripts. In more detail, the permissions are:

  • Tabs: manage and interact with browser windows
  • Cookies: set and access stored browser cookies based on cookie or domain names (ex., "Authorization" or "all cookies for GitHub.com")
  • WebRequest: intercept and modify web requests the browser makes
  • Storage: ability to store small amounts of information persistently in the browser (these extensions store their command & control configuration here)
  • Scripting: the ability to inject new JavaScript into webpages and manipulate the DOM
  • Alarms: an internal scheduling service that fires events. The extensions use it like a cron job, scheduling the heartbeat callbacks they make to their servers
  • :: This works in tandem with other permissions like webRequest, but allows for the extension to functionally interact with all browsing activity (completely unnecessary for an extension that should just look at your installed extensions)

These sorts of permissions give extensions the ability to do all sorts of potentially abusive things and, as such, should be judiciously granted only to trusted extensions that can’t perform core functions without them.
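As an added illustration of the point above (this is example code written for this article, not code from Secure Annex or from any of the extensions), the following triage script reads an extension's manifest.json and flags the permission combination the article describes: each of the six API permissions listed, plus a broad host pattern that reaches all browsing activity. The manifests it runs against are constructed samples, and the alert threshold is an assumed value.

```python
import json

# Permissions the article lists for the extension cluster, each mapped to the
# capability an abusive extension gains from it (defender's triage view).
HIGH_RISK = {
    "tabs": "enumerate and control browser tabs and windows",
    "cookies": "read or set cookies, including session tokens, by name or domain",
    "webRequest": "intercept and modify web requests the browser makes",
    "storage": "persist a remotely supplied configuration in the browser",
    "scripting": "inject JavaScript into pages and manipulate the DOM",
    "alarms": "schedule recurring callbacks (cron-like heartbeat beacons)",
}
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumed score at or above which the combination warrants removal review.
ALERT_THRESHOLD = 5


def triage_manifest(manifest: dict) -> dict:
    """Return the risky permissions a manifest (V2 or V3) requests and a score."""
    perms = set(manifest.get("permissions", []))
    # Manifest V3 keeps host patterns in host_permissions; V2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = [f"{p}: {HIGH_RISK[p]}" for p in sorted(perms & HIGH_RISK.keys())]
    if hosts & BROAD_HOSTS:
        findings.append("host: access to all browsing activity")
    score = len(findings)
    return {"name": manifest.get("name", "?"), "score": score,
            "alert": score >= ALERT_THRESHOLD, "findings": findings}


def triage_manifest_json(text: str) -> dict:
    return triage_manifest(json.loads(text))


# Constructed sample manifests (not from any real extension): the first mirrors
# the permission set described in the article, the second a minimal benign tool
# that only needs "management" to list installed extensions.
SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Example Extension Checker (constructed)",
    "permissions": ["tabs", "cookies", "webRequest", "storage", "scripting", "alarms", "management"],
    "host_permissions": ["<all_urls>"],
})
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Example Permission Viewer (constructed)",
    "permissions": ["management"],
})

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest_json(m)
        print(r["name"], "score", r["score"], "ALERT" if r["alert"] else "ok")
        for f in r["findings"]:
            print("  -", f)
```

Point it at the manifest.json inside an unpacked extension directory to get the same report for a real install.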

Dubious or suspicious

“At this point, this information should be enough for any organization to reasonably kick this out of their environment as it presents unnecessary risk,” John Tuckner, founder of browser extension analysis firm Secure Annex and the researcher who stumbled on the cluster of extensions, wrote in a post published Thursday. In an email, he said the only permission required for some extensions is management. “Some of the other extensions like the 'Browse Securely' might traditionally require more permissions like 'webRequest' to block malicious sites, but things like access to 'cookies' are definitely not needed across the full list,” he said.

The extensions share other dubious or suspicious similarities. Much of the code in each one is highly obfuscated, a design choice that provides no benefit other than making it harder to analyze and understand how the extension behaves.

All but one of them are unlisted in the Chrome Web Store. This designation makes an extension visible only to users with the long pseudorandom string in the extension URL, and thus, they don’t appear in the Web Store or search engine search results. It’s unclear how these 35 unlisted extensions could have fetched 4 million installs collectively, or on average roughly 114,000 installs per extension, when they were so hard to find.

Additionally, 10 of them are stamped with the “Featured” designation, which Google reserves for developers whose identities have been verified and “follow our technical best practices and meet a high standard of user experience and design.”

One example is the extension Fire Shield Extension Protection, which, ironically enough, purports to check Chrome installations for the presence of any suspicious or malicious extensions. One of the key JavaScript files it runs references several questionable domains, where they can upload data and download instructions and code:

URLs that Fire Shield Extension Protection references in its code. Credit: Secure Annex

One domain in particular—unknow.com—is listed in the remaining 34 apps.

Tuckner tried analyzing what extensions did on this site but was largely thwarted by the obfuscated code and other steps the developer took to conceal their behavior. When the researcher, for instance, ran the Fire Shield extension on a lab device, it opened a blank webpage. Clicking on the icon of an installed extension usually provides an option menu, but Fire Shield displayed nothing when he did it. Tuckner then fired up a background service worker in the Chrome developer tools to seek clues about what was happening. He soon realized that the extension connected to a URL at fireshieldit.com and performed some action under the generic category “browser_action_clicked.” He tried to trigger additional events but came up empty-handed.

So Tuckner tried a new tactic. He found a configuration someone had uploaded years earlier to GitHub for Browse Securely for Chrome, another extension in his list (it has since changed its name to Secured Connection by Security Browse). The GitHub user who uploaded the file did so because they believed the extension was malicious.

When Tuckner loaded the unique ID for this extension into his installation of Fire Shield, it suddenly started sending a variety of events to the server that tracked user behaviors, such as what websites he was visiting, what sites had preceded that visit, and the size of his display screen. The researcher still hasn’t found proof that Fire Shield or any of the other extensions are malicious, but what he saw was enough to remove all reasonable doubt.

“While I could not find an instance of the extension exfiltrating credentials, this level of obfuscation, along with the ability for the extension’s configuration to be remotely controlled, and the capabilities in the browser extension’s code is enough for me to come to the same conclusion that all of these extensions include some kind of spyware or infostealer,” he wrote. “That is ultimately the problem and threat these extensions pose when they can be controlled remotely.”

The discovery serves as the latest reminder that there are real-world consequences to installing extensions for Chrome, Firefox, or any other browser, just as there are consequences for installing phone apps. Google, Apple, and others continually nudge us to install as many of these as we can. This is poor advice. Extensions and apps should be installed only when they provide a benefit that can’t be obtained otherwise. Even then, they should be installed only after reading recent reviews to see what kind of experiences others have had and looking into the developer. These steps are particularly important when installing extensions or apps from Google, given the much higher incidence of malice being reported over the past decade from its offerings.

The full list of extensions is:

  • Choose Your Chrome Tools
  • Fire Shield Chrome Safety
  • Safe Search for Chrome
  • Fire Shield Extension Protection
  • Browser Checkup for Chrome by Doctor
  • Protecto for Chrome
  • Unbiased Search by Protecto
  • Securify Your Browser
  • Web Privacy Assistant
  • Securify Kid Protection
  • Bing Search by Securify
  • Browse Securely for Chrome
  • Better Browse by SecurySearch
  • Check My Permissions for Chrome
  • Website Safety for Chrome
  • MultiSearch for Chrome
  • Global search for Chrome
  • Map Search for Chrome
  • Watch Tower Overview
  • Incognito Shield for Chrome
  • In Site Search for Chrome
  • Privacy Guard for Chrome
  • Yahoo Search by Ghost
  • Private Search for Chrome
  • Total Safety for Chrome
  • Data Shield for Chrome
  • Browser WatchDog for Chrome
  • Incognito Search for Chrome
  • Web Results for Chrome
  • Cuponomia - Coupon and Cashback
  • Securify for Chrome
  • Securify Advanced Web Protection
  • News Search for Chrome
  • SecuryBrowse for Chrome
  • Browse Securely for Chrome

Extension IDs and other indicators of compromise appear in Thursday's post and this spreadsheet compiled by Tuckner. Anyone who has one of these extensions installed should remove it immediately. Google didn’t immediately respond to questions asking if the company is investigating and what vetting it performed in awarding the Featured designation to some of these apps. Questions sent to some of the email addresses listed in the extension policies also didn't receive responses.

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.