A vast and complex cyber espionage operation has affected tens of thousands of unsuspecting users, exploiting one of the most common tools of browsing.
Recent investigations conducted by security experts have uncovered a well-orchestrated network involving 108 extensions for the Google Chrome browser.
These extensions, which at the time the research was published already totaled about 20,000 installations from the Chrome Web Store, have all been traced to a single command-and-control infrastructure.
The gravity of the discovery lies in the multitude of fraudulent actions quietly carried out in the background, ranging from unauthorized collection of personal information to direct account compromise.
Reports to remove this software from the official store have already been submitted and processed, but the risk remains high for anyone who has not recently updated or checked their local settings.
The most insidious aspect of this campaign is the ability of the developers to hide the malicious code inside seemingly harmless and everyday applications.
Researchers identified malware disguised as simple text translation tools, virtual gambling games such as slot machines or Keno, utilities to facilitate the management of popular platforms like TikTok and YouTube, or alternative clients for messaging.
This variety of offerings has allowed the criminal network to blend in with the millions of legitimate extensions routinely downloaded by users.
The average user often tends to trust a well-crafted store page and seemingly practical features, forgetting the application soon after installation. Unfortunately, it is precisely because of this distraction that threats manage to operate undisturbed for long periods.
Attack methodologies proved highly sophisticated and diverse across the various programs. A specific group of 54 extensions was programmed to intercept and collect Google account details at the exact moment the victim clicked a login button.
Even more worrying is the case of a component dedicated to Telegram, capable of exfiltrating the data from the active web session every 15 seconds, providing attackers with continuous, real-time access to private conversations.
Meanwhile, another 45 extensions contained hidden instructions capable of forcing the opening of arbitrary web addresses at every Chrome startup, regardless of whether the extension was actually used.
Other programs disabled security protections on well-known sites in order to inject unwanted ads and external scripts, while a fake translation tool systematically forwarded every text entered for translation to the criminals' servers.
It is essential to inspect the browser, identify and uninstall any suspicious or not strictly necessary extension, paying particular attention to social media utilities, small games and translators that requested access to accounts without a valid technical reason.
Anyone who has used Telegram Web having installed dubious extensions should proceed to close all active sessions via the official mobile application.
Similarly, those who logged in via Google using unverified programs should review the security section of their profile, immediately revoking the permissions granted to unknown applications to prevent future identity theft.
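As an added, defender-side illustration that is not part of the original article or of the researchers' work: a Python script that audits the manifests of locally installed Chrome extensions and flags the permission combinations that make the behaviours described above possible (access to session cookies, rewriting of response headers such as CSP, script injection into every site, a background context that runs at startup without the extension being opened). The risk mapping, the sample manifests and the profile paths are my own assumptions about Chrome's extension API, not data from the report; a flagged extension is a candidate for manual review, not proof of malice.

```python
"""Audit Chrome extension manifests for permissions that enable credential
capture, session theft, header stripping and unattended background activity."""
import json
from pathlib import Path

# My own assessment of what each API permission lets an extension do
# (assumption about Chrome's extension API, not a list from the research).
SENSITIVE_PERMISSIONS = {
    "cookies": "read/modify cookies (session tokens) on hosts it has access to",
    "webRequest": "observe every request and response on hosts it has access to",
    "webRequestBlocking": "rewrite or strip headers (e.g. CSP) in flight (MV2)",
    "declarativeNetRequest": "rewrite or remove headers via rules (MV3)",
    "declarativeNetRequestWithHostAccess": "header rewriting scoped by host permissions",
    "scripting": "inject scripts into pages on hosts it has access to",
    "tabs": "read the URL and title of every open tab",
    "history": "read the full browsing history",
    "webNavigation": "track navigation events across all tabs",
}

# Match patterns that amount to "every site".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest: dict) -> set[str]:
    """Collect every host match pattern the manifest asks for.

    MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    Content-script "matches" grant injection on those hosts with no extra permission.
    """
    patterns = set()
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and ("://" in entry or entry == "<all_urls>"):
                patterns.add(entry)
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def assess_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    broad_hosts = host_patterns(manifest) & BROAD_HOST_PATTERNS
    if broad_hosts:
        findings.append("broad host access: " + ", ".join(sorted(broad_hosts)))
    declared = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    declared |= {p for p in manifest.get("optional_permissions", []) if isinstance(p, str)}
    for perm in sorted(declared & SENSITIVE_PERMISSIONS.keys()):
        findings.append(f"permission '{perm}': {SENSITIVE_PERMISSIONS[perm]}")
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOST_PATTERNS:
            findings.append("content script injected into every site: "
                            + ", ".join(script.get("js", [])))
    # A background page/service worker plus broad host access can act at every
    # browser start without the user ever opening the extension.
    if broad_hosts and "background" in manifest:
        findings.append("background context with broad host access (runs unattended)")
    return findings


def scan_extension_root(root: Path) -> dict[str, list[str]]:
    """Assess every <root>/<extension id>/<version>/manifest.json under a profile.

    Returns {"<id>/<version>": findings} for extensions with at least one finding.
    Typical roots (assumed defaults): ~/.config/google-chrome/Default/Extensions on
    Linux, ~/Library/Application Support/Google/Chrome/Default/Extensions on macOS,
    %LOCALAPPDATA%/Google/Chrome/User Data/Default/Extensions on Windows.
    Names shown as __MSG_...__ are i18n placeholders; resolve them in _locales/.
    """
    report = {}
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the scan
        findings = assess_manifest(manifest)
        if findings:
            ext_id = manifest_path.parent.parent.name
            report[f"{ext_id}/{manifest_path.parent.name}"] = findings
    return report


# Constructed sample manifests (not taken from any real extension) so the script
# runs stand-alone; point scan_extension_root() at a real profile for a live audit.
SAMPLE_SUSPICIOUS = {
    "manifest_version": 3,
    "name": "Quick Page Translator (constructed sample)",
    "version": "1.0.0",
    "permissions": ["cookies", "scripting", "declarativeNetRequest", "tabs", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"],
                         "run_at": "document_start"}],
}
SAMPLE_BENIGN = {
    "manifest_version": 3,
    "name": "Tab Counter (constructed sample)",
    "version": "0.2.0",
    "permissions": ["storage"],
}

if __name__ == "__main__":
    for label, manifest in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(f"{label}: {manifest['name']}")
        for line in assess_manifest(manifest) or ["no findings"]:
            print("  -", line)
```

Run it with no arguments to see the two constructed samples scored; for a real audit call `scan_extension_root(Path(...))` with the Extensions directory of the profile in question and review each flagged id in `chrome://extensions` before removing it. The check is deliberately permission-based rather than signature-based, because the article's point is that the malicious extensions looked like ordinary translators, games and social utilities: what gives them away is that such tools have no technical reason to ask for cookies, header rewriting or injection into every site.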
Find the list of reported extensions at the source link.