Following a two-month-long investigation by security researcher Jamila Kaya and Cisco’s Duo Security team, Google has removed over 500 malicious Chrome extensions from its official web store. According to ZDNet, the extensions were found injecting malicious ads into users’ browsing sessions.
Led by Kaya, the team of researchers found that the extensions were part of a larger malware operation that’s been active for at least two years. Kaya said in an interview that she discovered the malicious extensions during routine threat hunting when she noticed visits to malicious sites that had a common URL pattern.
“We subsequently reached out to Google with our findings, who were receptive and collaborative in eliminating the extensions,” said Kaya.
Google found even more extensions that fit the same pattern after its own investigation, which resulted in the banning of more than 500 extensions from the Chrome web store.
“While the redirects were incredibly noisy from the network side, no interviewed users reported too obtrusive of redirects,” Kaya told ZDNet.
A list of the extension IDs that were part of this scheme is included in the Duo report. When Google banned the extensions from the official Web Store, it also deactivated them inside every user’s browser and marked each extension as “malicious” so users would know to remove it and not reactivate it.
It is not yet known how many users had installed the malicious extensions, but the number is believed to be in the millions.