Google Chrome extensions stole browsing data in widest-reaching malware campaign ever

The developers supplied fake contact information to Google, so it is unclear who is responsible

Adam Smith
Thursday 18 June 2020 10:42 EDT
Incognito Mode in Google Chrome may not be as private as you think (AFP/Getty Images)


Google Chrome has been used to distribute spyware: browser extensions downloaded 32 million times carried malicious add-ons, according to researchers at Awake Security.

The researchers alerted Google, which removed over 70 pieces of software from its official Chrome Web Store.

Most of the free extensions purported to warn users about questionable websites or convert files from one format to another.

Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools.

It is the widest-reaching Chrome store campaign to date, according to Awake Security’s chief scientist Gary Golomb.

It is unclear who is responsible for this campaign, however, as developers supplied fake contact information when they submitted the extensions to Google.

The extensions were designed to avoid detection by antivirus companies or security software that evaluates the reputations of web domains.

“This shows how attackers can use extremely simple methods to hide, in this case, thousands of malicious domains,” Golomb said.

“When we are alerted to extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” Google spokesperson Scott Westover said.

Google declined to discuss how the latest spyware compared with prior campaigns, the breadth of the damage, or why it did not detect and remove the bad extensions on its own despite past promises to supervise offerings more closely.

All the domains used were purchased from a registrar in Israel, Galcomm, also known as CommuniGal Communication.

“Galcomm is not involved, and not in complicity with any malicious activity whatsoever,” Fogel wrote. “You can say exactly the opposite, we cooperate with law enforcement and security bodies to prevent as much as we can.”

Fogel also claimed that there were no records of inquiries from Awake Security, and asked for a list of suspected domains. Upon being provided with a list, Fogel did not provide further clarification.

Awake Security says the registrar should have been aware of the actions being undertaken.

The Internet Corporation for Assigned Names and Numbers (ICANN), which oversees registrars, said it had received few complaints about Galcomm over the years, and none about malware.

Additional reporting by Reuters
