Every day, numerous individuals install small browser add-ons in hopes of enhancing productivity or entertainment. With a plethora of options on the Chrome Web Store, users often rely on indicators like install counts, user reviews, and developer reputation to make their decision.
Unfortunately, attackers have begun exploiting these trust signals. Researchers recently uncovered a scheme where 18 browser extensions, all available on the official Chrome and Edge Web Stores, were tracking users’ online activities, accumulating over 2 million installations.
How cybercriminals are embedding malware in popular Chrome extensions
Security researchers at Koi Security found that attackers employed long-term, strategic tactics to weaponize browser extensions. They initially released legitimate utilities to gain user trust. After accumulating positive reviews and a solid reputation over time, the attackers pushed a silent update injecting malicious scripts into the trusted codebase.
These updates, being from official sources, easily bypassed corporate firewalls. Unlike phishing emails or suspicious downloads, the malicious code arrived through routine updates, raising no immediate alarms.
How malicious Chrome extensions evade detection and propagate
As the investigation progressed, researchers traced suspicious traffic back to a seemingly harmless color picker extension. This led them to a network of connected domains functioning as command and control hubs. These servers recorded users’ visited URLs and issued commands for redirects to fake websites or ad-heavy landing pages.
Upon closer examination of the extension’s code, the team discovered similar patterns in various unrelated tools like weather widgets, emoji keyboards, video speed controllers, and volume boosters. Despite their different appearances, they shared common underlying code and behavior.
List of dangerous Chrome and Edge extensions to uninstall immediately
Affected users should promptly remove the following extensions, clear caches thoroughly, and conduct full system scans:
- Emoji keyboard online (Chrome)
- Free Weather Forecast (Chrome)
- Unlock Discord (Chrome)
- Dark Theme (Chrome)
- Volume Max (Chrome)
- Unblock TikTok (Chrome)
- Unlock YouTube VPN (Chrome)
- Geco colorpick (Chrome)
- Weather (Chrome)
- Flash Video Player (Chrome)
- Unlock TikTok (Edge)
- Volume Booster (Edge)
- Web Sound Equalizer (Edge)
- Header Value (Edge)
- Flash Player (Edge)
- YouTube Unblocked (Edge)
- SearchGPT (Edge)
- Unlock Discord (Edge)
Immediate steps to safeguard against malicious extensions
If any of the extensions linked to the RedDirection campaign described above are installed, take these immediate actions:
- Remove all affected extensions from Chrome and Edge browsers.
- Clear browser data to eliminate stored tracking identifiers.
- Run a full system malware scan with reputable antivirus software.
- Monitor online accounts closely for unusual activity.
- Review all installed extensions for suspicious behavior and remove any unrecognized or untrusted ones.
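One defender-side way to act on the list above and on the "review all installed extensions" step, as an added example that is not part of the article or of Koi Security's research: a small Python audit that reads each installed extension's manifest.json under a browser profile's Extensions folder (Chrome and Edge lay these out as root/extension-id/version/manifest.json), flags any name from the list, and notes which of those also requested permissions that expose the URLs a user visits. The profile root is assumed to be supplied by the caller (for example the Default profile's Extensions folder), and the sample manifests are constructed for the demonstration.

```python
"""Audit a Chrome/Edge profile's Extensions folder for the names listed above.
Added example, not from the article or Koi Security; the sample manifests below
are constructed, and the profile root is passed in by the caller."""
import json
import tempfile
from pathlib import Path

# Names from the article's list, lower-cased for a case-insensitive match.
FLAGGED_NAMES = {n.lower() for n in [
    "Emoji keyboard online", "Free Weather Forecast", "Unlock Discord",
    "Dark Theme", "Volume Max", "Unblock TikTok", "Unlock YouTube VPN",
    "Geco colorpick", "Weather", "Flash Video Player", "Unlock TikTok",
    "Volume Booster", "Web Sound Equalizer", "Header Value", "Flash Player",
    "YouTube Unblocked", "SearchGPT"]}
# Permissions that let an extension see every visited URL (the tracking the
# article describes); a listed name that also requests one of these comes first.
BROAD_PERMISSIONS = {"tabs", "webNavigation", "webRequest", "<all_urls>"}

def audit_extensions(ext_root):
    """Read <root>/<extension id>/<version>/manifest.json and return
    (extension id, name, broad permissions requested) for each listed name."""
    hits = []
    for manifest in sorted(Path(ext_root).glob("*/*/manifest.json")):
        data = json.loads(manifest.read_text(encoding="utf-8"))
        name = str(data.get("name", ""))
        if name.startswith("__MSG_"):   # localized placeholder, not comparable
            continue
        if name.lower() in FLAGGED_NAMES:
            perms = set(data.get("permissions", [])) | set(data.get("host_permissions", []))
            hits.append((manifest.parts[-3], name, sorted(perms & BROAD_PERMISSIONS)))
    # Extensions with URL-visible permissions first, so they are reviewed first.
    return sorted(hits, key=lambda h: (-len(h[2]), h[1]))

def build_sample_profile():
    """Constructed sample profile: one listed extension and one benign one."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Geco colorpick",
            "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Plain Notes",
            "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = root / ext_id / "1.0.0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    for ext_id, name, perms in audit_extensions(build_sample_profile()):
        print(f"REMOVE {name} ({ext_id}); URL-visible permissions: {perms}")
```

Name matching alone is a triage aid: a flagged extension still has to be removed through the browser's extension page, and a renamed copy would not be caught, which is why the permission check is reported alongside the name.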
Ways to protect yourself from malicious extensions
1) Check your accounts for unusual activity: Review sensitive accounts for any suspicious behavior and change passwords immediately.
2) Enable two-factor authentication (2FA): Add an extra layer of security to your accounts.
3) Use strong antivirus software: Detect hidden threats that browsers may miss.
4) Reset browser settings: Restore default browser settings to reverse unwanted changes.
5) Watch for security alerts: Stay vigilant for login warnings or access alerts.
6) Use a browser with extension permission controls: Limit extension data access for added security.
Key takeaway
Browser extensions can be beneficial, but they also pose hidden risks. Trusted tools can turn malicious unexpectedly. Stay vigilant, review extensions regularly, and use robust antivirus protection to safeguard your browser and personal data.