Posted on December 18, 2020 at 4:57 PM
A recent report revealed that about three million internet users could have installed 13 Edge and 15 Chrome extensions containing malicious code. The Avast security firm said the extensions could redirect users to phishing sites or ads, collect browser history, or download other malware onto the user’s device.
The researchers said the browser extensions believed to have been infected include Vimeo, Facebook, and Instagram.
Avast revealed that the malware could redirect user traffic and is capable of stealing personal data like email addresses, birthdays, and active devices.
The malicious extensions claim to make it easier for users to download videos from different sources. They include video Downloader for VK Unblock, Instagram Story Downloader, Vimeo Video Downloader, Facebook, and other extensions for Edge and Facebook.
When the user clicks on a link, the extension passes details of the user’s browsing activities to the hacker’s control server. From the server, a command is sent to the extension, redirecting the user’s server to a seized URL before taking them back to the site they intended to visit.
Hijacking user traffic for financial gains
The Avast researchers believe the malicious actors aim to hijack user traffic for financial gains, despite the presence of code of power on the malicious features.
“For every redirection to a third party domain, the cybercriminals would receive a payment,” Avast said.
Avast also pointed out that the extensions were discovered last month, but some of them have been operational since December 2018, which was when users began reporting redirection issues.
Jan Rubin, a malware researcher at Avast, said the research team could not say whether the extensions contained the malware from the outset or whether the code was added during an update.
The malware hides effectively
The researchers also warned that the malware can stay under the radar and avoid detection and subsequent removal. Avast also said the extensions are still available for download, although the Google Chrome and Microsoft teams have been notified.
The researchers said there is a possibility the extensions were infected during their popularity stages. Several extensions with few installs have since become very popular, with several tens of thousands of installs.
Most of them became popular by fronting as add-ons to help users easily download multimedia content from different social media websites such as Spotify, Facebook, Vimeo, and Instagram.
However, Google didn’t reply immediately when it was contacted for additional information about the situation or the status of its investigation.
On the other hand, Microsoft said it’s still investigating the incident.
24 hours after Avast’s findings were published, there were still 12 Chrome extensions, which means only 3 were removed. For the Edge add-ons, all were still available for download. A source close to the situation revealed Microsoft has not confirmed the report by Avast.
Avast has recommended that since Microsoft and Google are still investigating the incident, users who have already installed the extensions should delete them as soon as possible. They can decide to reinstall after the investigation is over and the issues are fixed.
Some of the affected Edge extensions include:
App Phone for Instagram, Direct Message for Instagram, SoundCloud Music Downloader, Stories for Instagram, Universal Video Downloader, Upload photo to Instagram, Vimeo™ Video Downloader, Volume Controller.
Below is a list of some of the affected Chrome extensions:
App Phone for Instagram, Direct Message for Instagram, DM for Instagram, Downloader for Instagram, Invisible mode for Instagram, Spotify Music Downloader, Stories for Instagram, The New York Times News, and Universal Video Downloader.