28 Malicious Browser Extensions Are Installed On Millions Of Devices, Research Found

Chrome Web Store, Edge Add-ons

Browser extensions are meant to "extend" the functionalities and capabilities of browsers. But not all of them are made for a good cause.

In a research by security firm Avast, it was reported that more than three million internet users are believed to have installed 15 Chrome, and 13 Edge extensions that contain malicious code that can compromise privacy and security.

According to its research, the 28 extensions contained code that could perform several malicious operations, including:

  • Redirecting user traffic to ads.
  • Redirecting user traffic to phishing websites.
  • Collecting users' personal data.
  • Collecting users' browsing history.
  • Download more malware to be installed on users' devices.

The many millions that fell as victims were because the malicious code is present on extensions popular for services like Instagram, Facebook, Vimeo and others.

On its report page, Avast said that:

"The extensions which aid users in downloading videos from these platforms include Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK Unblock, and other browser extensions on the Google Chrome Browser, and some on Microsoft Edge Browser. The researchers have identified malicious code in the Javascript-based extensions that allows the extensions to download further malware onto a user’s PC."

"Users have also reported that these extensions are manipulating their internet experience and redirecting them to other websites."

Detailing what the malicious code does, Avast said that when users click on a link on a site using a browser with the malicious extension installed, the extension will send the information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL.

The threat actors can also exfiltrate and collect the user’s birth dates, email addresses, and device information, including first sign in time, last login time, name of the device, operating system, used browser and its version, even IP addresses.

Because most the attempts are to redirect to third-party domains, ads and phishing sites, the researchers believe the objective behind the malicious extensions is to monetize victims' traffic.

"For every redirection to a third party domain, the cybercriminals would receive a payment. Nonetheless, the extension also has the capability to redirect the users to ads or phishing sites," the researchers concluded.

Instagram Download Video & Image by Lisa Mason, one of the 28 extensions that have malicious code.
Instagram Download Video & Image by Lisa Mason, one of the 28 extensions that have malicious code.

Below is the list of Chrome extensions that contain malicious code, according to Avast:

  1. Direct Message for Instagram.
  2. DM for Instagram.
  3. Invisible mode for Instagram Direct Message.
  4. Downloader for Instagram.
  5. App Phone for Instagram.
  6. Stories for Instagram.
  7. Universal Video Downloader.
  8. Video Downloader for FaceBook™.
  9. Vimeo™ Video Downloader.
  10. Zoomer for Instagram and FaceBook.
  11. VK UnBlock. Works fast.
  12. Odnoklassniki UnBlock. Works quickly.
  13. Upload photo to Instagram™.
  14. Spotify Music Downloader.
  15. The New York Times News.

Below is the list of Edge extensions that contain malicious code, according to Avast:

  1. Direct Message for Instagram™.
  2. Instagram Download Video & Image.
  3. App Phone for Instagram.
  4. Universal Video Downloader.
  5. Video Downloader for FaceBook™.
  6. Vimeo™ Video Downloader.
  7. Volume Controller.
  8. Stories for Instagram.
  9. Upload photo to Instagram™.
  10. Pretty Kitty, The Cat Pet.
  11. Video Downloader for YouTube.
  12. SoundCloud Music Downloader.
  13. Instagram App with Direct Message DM.

“Our hypothesis is that either the extensions were deliberately created with the malware built in, or the author waited for the extensions to become popular, and then pushed an update containing the malware. It could also be that the author sold the original extensions to someone else after creating them, and then the buyer introduced the malware afterwards,” said Jan Rubín, Malware Researcher at Avast.

The Avast Threat Intelligence team started monitoring this threat in November 2020, but they believe that the campaign could have been around for years without anyone noticing.

This happens because the malware has been difficult to spot with its ability to "hide itself".

According to Avast malware researcher, Jan Vojtěšek, "the virus detects if the user is googling one of its domains or, for instance, if the user is a web developer and, if so, won't perform any malicious activities on their browsers. It avoids infecting people more skilled in web development, since they could more easily find out what the extensions are doing in the background."

Avast has reported its findings to both Google and Microsoft.