
""These extensions now run hourly remote code execution - downloading and executing arbitrary JavaScript with full browser access," security researcher Tuval Admoni said in a report shared with The Hacker News. "They monitor every website visit, exfiltrate encrypted browsing history, and collect complete browser fingerprints." To make matters worse, one of the extensions, Clean Master, was featured and verified by Google at one point. This trust-building exercise allowed the attackers to expand their user base and silently issue malicious updates years later without attracting any suspicion."
"Early signs of malicious activity were said to have been observed in 2023, when 20 extensions on the Chrome Web Store and 125 extensions on Microsoft Edge were published by developers named "nuggetsno15" and "rocket Zhang," respectively. All the identified extensions masqueraded as wallpaper or productivity apps. These extensions were found to engage in affiliate fraud by stealthily injecting tracking codes when users visited eBay, Booking.com, or Amazon to generate illicit commissions from users' purchases."
ShadyPanda ran a seven-year browser extension campaign that amassed over 4.3 million installations. Five extensions, which attracted about 300,000 installs, began as legitimate programs and turned malicious through updates in mid-2024. The updates enabled hourly remote code execution: the extensions download and execute arbitrary JavaScript with browser access, monitor website visits, exfiltrate browsing history, and collect browser fingerprints. Clean Master had been featured and verified by Google, which helped the attackers build trust, expand the user base, and later push malicious updates silently. Other add-ons tracked visited URLs and search queries, sending data to servers in China; WeTab alone had three million installs. The earliest activity, observed in 2023, involved extensions masquerading as wallpaper or productivity apps that conducted affiliate fraud; the campaign later escalated to active browser control.
Read at The Hacker News