From Torrents to Trojans: The Infiltration of 1.5 Million Devices by Shady Chrome Extensions

Three tricky Chrome extensions, pretending to be VPNs, snuck into 1.5 million devices, playing both browser tricksters and data grabbers.

The name of those extensions include, netPlus (with 1 million installs), netSave, and netWin (500,000 installs), cleverly hid in an installer tucked into pirated versions of hot video games like Grand Theft Auto, Assassins Creed, and The Sims 4, floating around on torrent sites.

ReasonLabs, the watchful eye, quickly informed Google about these sneaky behaviors, and they got kicked out of the Chrome Web Store. But not before leaving a mark with 1.5 million downloads. Their main target? Russian-speaking users, with most infections popping up in Russia, Ukraine, Kazakhstan, and Belarus.

These crooky extensions slide in through a sly electron app in the installation process, weighing in between 60MB to 100MB, cunningly hidden in over a thousand sneaky torrent files. Installation happens quietly at the registry level, automatic and mandatory, so users don't have to lift a finger.

Checking out the code reveals these browser extensions can do a lot, taking control of "tabs," "storage," "proxy," "webRequest," and more. They pretend to be legit VPNs, with a paid option and a realistic look to fool you.

Taking advantage of the 'offscreen' permission, the bad actors can quietly mess with the web page's insides, running scripts and pulling strings. With all this access, they can swipe your secrets, hijack your browser, and even shut down other extensions you've installed.

What's interesting is they're not picky. These extensions mess with over 100 money-saving and coupons related extensions, like Avast SafePrice, AVG SafePrice, Honey, and more. They chat with command and control servers, swapping info, figuring out who's who, and quietly lifting sensitive stuff.

This report shouts about how risky browser extensions can be, always hiding their true selves. Checking your extensions and peeking at Chrome Web Store reviews can help dodge these digital tricks. Keep your eyes peeled, readers.

ReasonLabs detects malware in Chrome extensions, alerts Google, but 1.5M downloads occur before removal.

Read next: Android Users Warned After Infamous Chameleon Banking Trojan Re-Emerges In New Version
Previous Post Next Post