Security researchers recently identified more than 30 malicious extensions that had made their way into the Chrome web store, potentially infecting millions.
After being tipped off that another extension was also making requests to the same third-party website, namely serasearchtop[.]com, the researcher discovered two more versions of the code (including one connecting to tryimv3srvsts[.]com) and a total of 34 extensions containing it, in the Chrome web store.
Overall, the identified extensions showed an install base of roughly 87 million users, with the most popular of them being Autoskip for Youtube (9 million users), Soundboost (7 million), Crystal Ad block (6 million), and Brisk VPN (5 million).
Most of the identified extensions had more than one million downloads each, but it is possible that these numbers were artificially inflated.
According to cybersecurity firm Avast, which identified 32 malicious extensions with a total of 75 million combined installs, the number of reviews these extensions had in the Chrome web store was suspiciously low compared to the number of installs.
“What’s more, we found that the number of people who encountered the threat isn’t proportional to the number of installs from the Chrome Web Store,” Avast says.
What is alarming, however, is the large number of extensions that were found to contain the obfuscated code. According to Avast, aside from the 32 extensions it identified, 50 more were removed from the Chrome web store on the same grounds.
The purpose of the malicious code appeared related to displaying unwanted ads and hijacking search results to display sponsored links, but the security researchers have yet to analyze the full scope of the attack.
Google has removed all the malicious extensions from the Chrome web store.