Google has removed 106 Chrome browser extensions from the Chrome Web Store after they were caught collecting sensitive data from users. The extensions were considered part of a massive global surveillance campaign that targeted the healthcare, oil and gas, and finance sectors.
The findings were first revealed by the security firm Awake Security, which also reported that the extensions Google removed from the Web Store were all tied back to a single domain registrar, GalComm.
Awake Security further reported that the removed extensions were programmed to take screenshots from the victim's device, load additional malware, harvest tokens and user input, and read the clipboard.
What is a Clipboard?
The clipboard is the operating-system feature behind Cut, Copy and Paste, whether used in the OS itself or inside any application running on it. It is a short-term buffer used to transfer text, media or other objects from one application to another, and its contents are held in RAM only for as long as they are needed. That is exactly what makes it valuable to an extension that can read it: whatever the user last copied, including a password or a session token, sits there in plaintext until it is overwritten.
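Each of the capabilities described above (clipboard reading, screenshots, harvesting of form input, loading extra code after install) maps to something an extension has to declare in its manifest.json, which is the one artifact a user or an administrator can inspect before installing. The Node.js script below is an added example written for this article, not code from Awake Security or from the removed extensions. The manifest it audits is constructed here to resemble a utility-style extension; the permission names it checks (clipboardRead, tabs, activeTab, webRequest, webRequestBlocking, cookies, history, nativeMessaging, debugger, and the `<all_urls>` host pattern) are real Chrome manifest values, while the risk wording and the high/medium/low levels are this example's own convention.

```javascript
// Added example (not from the original article or from Awake Security):
// audit a Chrome extension manifest for the declared permissions that would
// let it do what the removed extensions did: read the clipboard, screenshot
// tabs, harvest input on every page, and fetch extra code after install.
// Permission names are real Chrome manifest keys; the risk descriptions and
// the high/medium/low levels are this example's own convention.

const RISKY_PERMISSIONS = {
  clipboardRead: 'reads the system clipboard (anything the user last copied, passwords included)',
  tabs: 'enumerates open tabs and their URLs',
  activeTab: 'grants access to the current tab, including chrome.tabs.captureVisibleTab screenshots',
  webRequest: 'observes every HTTP request the browser makes',
  webRequestBlocking: 'can modify or block requests in flight',
  cookies: 'reads session cookies for permitted hosts',
  history: 'reads browsing history',
  nativeMessaging: 'talks to native programs on the host',
  debugger: 'attaches the DevTools protocol to any tab',
};

// Host patterns that mean "every site the user visits".
const BROAD_HOST_PATTERNS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

function isBroadHost(pattern) {
  return BROAD_HOST_PATTERNS.includes(pattern);
}

// Returns a list of {kind, value, why} findings for one parsed manifest object.
// Handles both Manifest V2 (host patterns inside "permissions") and V3
// ("host_permissions").
function auditManifest(manifest) {
  const findings = [];
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ];
  for (const p of declared) {
    if (RISKY_PERMISSIONS[p]) {
      findings.push({ kind: 'permission', value: p, why: RISKY_PERMISSIONS[p] });
    }
    if (isBroadHost(p)) {
      findings.push({ kind: 'host', value: p, why: 'host access to every site' });
    }
  }
  for (const h of manifest.host_permissions || []) {
    if (isBroadHost(h)) {
      findings.push({ kind: 'host', value: h, why: 'host access to every site' });
    }
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroadHost(m)) {
        findings.push({
          kind: 'content_script',
          value: m,
          why: 'injects JavaScript into every page: can read form input, DOM tokens and keystrokes',
        });
      }
    }
  }
  // A script-src pointing at a remote origin lets the extension pull code from
  // a server after it has passed review. V2 uses a string, V3 an object.
  const csp = manifest.content_security_policy;
  const cspText = typeof csp === 'string' ? csp : (csp && csp.extension_pages) || '';
  for (const src of cspText.match(/https?:\/\/[^\s;']+/g) || []) {
    findings.push({ kind: 'csp', value: src, why: 'CSP allows script to be loaded from a remote origin' });
  }
  return findings;
}

// Collapse the findings into a level: remote code, or a content script on
// every page combined with other sensitive permissions, is treated as high.
function summarize(manifest) {
  const findings = auditManifest(manifest);
  const remoteCode = findings.some((f) => f.kind === 'csp');
  const everyPage = findings.some((f) => f.kind === 'content_script');
  let level = 'low';
  if (remoteCode || (everyPage && findings.length >= 3)) level = 'high';
  else if (findings.length > 0) level = 'medium';
  return { level, findings };
}

// Constructed sample manifest mimicking a "secure search" utility extension.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'Secure Search Helper',
  version: '1.0.3',
  permissions: ['clipboardRead', 'tabs', '<all_urls>', 'storage'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'], run_at: 'document_start' }],
  content_security_policy: "script-src 'self' https://updates.example.invalid; object-src 'self'",
  background: { scripts: ['background.js'] },
};

// Constructed benign manifest for comparison: one permission, no host access.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: 'Unit Converter',
  version: '2.0.0',
  permissions: ['storage'],
  action: { default_popup: 'popup.html' },
};

function printReport(manifest) {
  const { level, findings } = summarize(manifest);
  console.log(`${manifest.name}: risk ${level}`);
  for (const f of findings) console.log(`  [${f.kind}] ${f.value}: ${f.why}`);
}

printReport(SAMPLE_MANIFEST);
printReport(BENIGN_MANIFEST);
```

Run it with `node audit.js` to see the two embedded manifests scored; to audit a real extension, `JSON.parse` its manifest.json and pass the object to `summarize()`. Chrome keeps installed extensions' manifests under the profile's Extensions directory, and the same permissions are listed under Details at chrome://extensions. The point of the check is not that any one permission is proof of malice (a genuine "secure search" tool plausibly needs tabs access) but that a single extension declaring clipboard access, a content script on every page and a remote script origin together has declared everything needed for the behaviour described in this report, and nothing in the store listing or its star rating would tell you that.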
Awake Security also noted that it is still not clear who is behind this large-scale surveillance campaign.
The removed extensions posed as utility extensions and became popular on the strength of fake reviews and ratings, tricking many users into installing them.
The operators also relied on evasion techniques designed to get the extensions and their domains past web proxies, sandboxes and Endpoint Detection & Response (EDR) tools, so the domains were never flagged as malicious by anti-malware software and the campaign went undetected.
What were these Google Chrome extensions capable of doing?
As mentioned earlier, these 106 Chrome extensions posed as utility applications and advertised features such as:
- Secure search
- Format conversion
Awake Security also reported that the removed extensions had been downloaded 33 million times over the three months before it took its findings to Google. In response, Google removed the extensions from the Web Store.
GalComm is an Israel-based domain registrar. Its owner, Moshe Fogel, told Reuters by email that “GalComm is not involved and is not in complicity with any malicious activity whatsoever”.
The Chrome Web Store keeps running into this problem
This is not the first time something like this has happened; malicious browser extensions have long been a problem for the Chrome Web Store. This February, Google removed 500 extensions that carried malware whose job was to serve ads and send the user's browsing activity to servers controlled by the attacker.
Then in April, Google again removed 49 extensions from its Web Store that masqueraded as cryptocurrency wallets in order to steal keystore information.
Original report by Awake Security
Readers are advised not to install Chrome extensions unless they genuinely need them. If you do want to install one, first spend a few minutes searching for information on it to make sure the extension is legitimate.
Even though attackers use fake reviews and fake ratings, and delete the genuine negative reviews, to trick you, users on other forums and websites often post warnings. So every time you install a Chrome extension, do a bit of research first so you stay on the safer side.