Google has removed 34 malicious browser extensions from its Chrome Web Store that collectively had a download count of 87 million. Although these extensions featured legitimate functionality, they could modify search results and push spam or unwanted ads.
Last month, an independent cybersecurity researcher Wladimir Palant discovered a browser extension called ‘PDF Toolbox’ (2 million downloads) for Google Chrome that had a cleverly disguised obfuscated code to keep users unaware of their potential risks.
Chrome Web Store Removes 34 Malicious Extensions With 87 Million Downloads
The researcher analyzed the PDF Toolbox extension and published a detailed report on May 16. He explained that the code was made to look like a legitimate extension API wrapper. But, unfortunately, this code allowed the “serasearchtop[.]com” website to inject arbitrary JavaScript code into every webpage a user viewed.
According to the report, the potential abuses include hijacking search results to display sponsored links and paid results, even offering malicious links at times, and stealing sensitive information. However, the code’s purpose remained unknown, as Palant did not detect any malicious activity.
The researcher also found that the code was set to activate 24 hours after installing the extension, which points towards malicious intentions, the report mentioned.
In a follow-up article posted on May 31, 2023, Palant wrote that he had found the same malicious code in another 18 Chrome extensions with a total download count of 55 million on the Chrome Web Store.
Continuing his investigation, Palant found two variants of the code that were very similar but with minor differences:
- The first variant masquerades as Mozilla’s WebExtension browser API Polyfill. The “config” download address is https://serasearchtop.com/cfg/<Extension_ID>/polyfill.json, and the mangled timestamp preventing downloads within the first 24 hours is localStorage.polyfill.
- The second variant masquerades as Day.js library. It downloads data from https://serasearchtop.com/cfg/<Extension_ID>/locale.json and stores the mangled timestamp in localStorage.locale.
However, both variants keep the exact arbitrary JS code injection mechanism involving serasearchtop[.]com.
While the researcher did not observe the malicious code in action, he noted several user reports and reviews on the Web Store indicating that the extensions were hijacking search results and randomly re-directing them elsewhere.
Although Palant reported his findings to Google, the extensions remained available in the Chrome Web Store. Only after cybersecurity company Avast confirmed the malicious nature of the Chrome extensions they were taken offline by the search giant.
Palant had listed 34 malicious extensions on his website, with a total download count of 87 million. As of date, all these malicious extensions have been removed by Google from the Chrome Web Store. However, this does not automatically deactivate or uninstall them from their web browsers. Hence, users are recommended to uninstall them from their devices manually.
