November 25, 2020

Criminal ring of Chrome spyware extensions exposed, millions of users affected

Google failed to notice the activity and only took action after a third-party security group did the legwork.

Chrome logo on smartphone next to globe

Credit: Edgar Cervantes / Android Authority

  • A third-party security team discovered a ring of Chrome spyware extensions all working together.
  • The extensions were apparently downloaded over 32 million times, affecting millions of Chrome browsers.
  • This news once again illuminates how weak Google’s oversight of Chrome extensions really is.

In yet another instance of Google dropping the ball when it comes to Chrome spyware, a security research team called Awake Security found a ring of extensions all working together that compromised the security and privacy of millions of users.

After informing Google of the problematic Chrome spyware, Google removed over 70 extensions from the platform (via Reuters). However, those extensions and others that were part of the focused and organized attacks have already been downloaded over 32 million times.

Related: How to block websites using Chrome

Awake Security estimates this is the most far-reaching Chrome spyware effort to date. However, Google declined to verify that claim. It also declined to explain why it did not catch the activity itself.

This Chrome spyware campaign was massive

These Chrome spyware extensions were usually disguised as tools that would, ironically, protect users from malicious sites. Some were also legitimate tools that would convert files from one format to another. However, while running, all the extensions could secretly siphon data from the user’s internet activity.

Related: 10 best security apps for Android that aren’t anti-virus apps

Using this data, the attackers could then obtain credentials for accessing both personal and corporate information. With so much business software usage happening in browsers nowadays, personal email accounts are no longer a big prize for attackers. Instead, Chrome spyware can obtain things like payroll records, corporate credit card accounts, and other highly sensitive information.

To avoid detection, the extensions would only transmit data from one server to another when the user was not using security software. In other words, the Chrome spyware was smart enough to know if security protocols were in place and then kill its illegal activity in response.

How did Google not see this?

google logo G at ces 20201

Credit: Jimmy Westenberg / Android Authority

According to Awake Security, the information collected by these Chrome spyware applications bounced around a criminal network of over 15,000 domains. Almost all of those domains were purchased from just one registrar called Galcomm, based in Israel.

When contacted by Reuters, Galcomm denied any involvement with the criminal ring of apps. However, Awake Security contacted Galcomm multiple times during its investigation, with Galcomm never responding. Reuters also tried to give Galcomm a list of the domains used to transmit the stolen data a whopping three times, with Galcomm never giving a substantial response to any of the messages.

Related: Is selling your privacy for a cheaper phone really a good idea?

With 15,000 domains, nearly 100 Chrome spyware extensions, and 32 million downloads, one begins to wonder how Google didn’t find this on its own.

This isn’t the first time Google’s dropped the ball like this, either. Although the company continues to tighten up security surrounding Chrome extensions and how they work, it still hasn’t mastered a method of preventing these kinds of problems. Google mostly relies on algorithms to detect malicious activity within the Chrome ecosystem and has said it is involving more human interaction to increase efficacy. However, clearly, there’s more room for improvement.

As of now, the safest way to avoid installing a Chrome spyware extension is to only download those that are created by established, high-profile organizations.

More posts about Google Chrome