Be careful with pirated games: how malicious VPN extensions steal data from Google Chrome

Brother

The programs have already received more than 1.5 million downloads in the Chrome Web Store.

Experts from ReasonLabs found three malicious extensions for the Google Chrome browser masquerading as virtual private network (VPN) services. These programs, which were used to intercept sessions, hack cashback systems, and steal data, were downloaded from the official store more than 1.5 million times.

The malicious extensions were distributed through an installer hidden in pirated versions of popular video games such as Grand Theft Auto, Assassin's Creed, and The Sims 4. Victims downloaded the games from torrent sites, which increased the risk of infection.

Google, after receiving the researchers' report, removed the programs from the Chrome Web Store. The infected extensions were netPlus (1 million installations), netSave and netWin (500 thousand installations).

Most cases of infection are registered in Russia, Ukraine, Kazakhstan and Belarus. It seems that the campaign was initially aimed at Russian-speaking users.

The extensions were installed automatically, without any notification, at the registry level. After installation, the program checked the device for antivirus software and then loaded netSave into Google Chrome and netPlus into Microsoft Edge.

Externally, the extensions mimicked the realistic interface of legitimate VPN services and even offered a paid subscription.

One of the key characteristics of the malware was its use of the 'offscreen' permission. It allowed the attackers to interact unnoticed with the DOM (Document Object Model) of web pages via the Offscreen API. This let them steal sensitive data without being noticed, manipulate web requests, and even disable other tools installed in the browser.

The list of extensions targeted by the malware included such well-known add-ons as Avast SafePrice, AVG SafePrice, Honey: Automatic Coupons & Rewards, LetyShops, Megabonus, AliRadar Shopping Assistant, Yandex.Market Adviser, ChinaHelper and Backlit.
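As an added example (not part of the news post or of ReasonLabs' research), the following Python script scans a Chrome profile's Extensions directory and flags manifests that request the 'offscreen' permission together with permissions that would enable the behaviour described above (disabling other extensions, manipulating web requests), or whose name matches one of the removed extensions. The permission grouping and the sample manifests are this example's own assumptions, not a published detection rule.

```python
import json
import sys
from pathlib import Path

# Extension names the post says Google removed from the Chrome Web Store.
KNOWN_BAD_NAMES = {"netplus", "netsave", "netwin"}

# Permissions that, combined with 'offscreen', match the behaviour the post describes:
# 'management' can disable other extensions; the webRequest family can alter web requests.
# This grouping is the example's own heuristic, not ReasonLabs' detection logic.
RISKY_WITH_OFFSCREEN = {"management", "webRequest", "webRequestBlocking", "declarativeNetRequest"}

# Constructed sample manifests for demonstration only (not data from real extensions).
SAMPLE_MANIFESTS = [
    {"name": "netPlus", "permissions": ["offscreen", "management", "webRequest", "storage"]},
    {"name": "Honest Notes", "permissions": ["storage", "offscreen"]},
]


def assess_manifest(manifest: dict) -> list[str]:
    """Return the findings for one manifest.json (empty list if nothing notable)."""
    findings = []
    name = str(manifest.get("name", "")).lower()
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    if name in KNOWN_BAD_NAMES:
        findings.append(f"name matches removed extension: {manifest.get('name')}")
    if "offscreen" in perms:
        overlap = sorted(perms & RISKY_WITH_OFFSCREEN)
        if overlap:
            findings.append("offscreen combined with " + ", ".join(overlap))
    return findings


def scan_extensions_dir(root: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and collect findings per extension id."""
    results = {}
    for manifest_path in root.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: skip, do not crash the scan
        findings = assess_manifest(manifest)
        if findings:
            results[manifest_path.parent.parent.name] = findings
    return results


if __name__ == "__main__":
    # Default is the usual Linux profile path; pass the profile's Extensions directory as argv[1] elsewhere.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / ".config/google-chrome/Default/Extensions"
    for ext_id, found in scan_extensions_dir(root).items():
        print(ext_id, "->", "; ".join(found))
```

A hit on the permission combination is a reason to inspect the extension, not proof of compromise: legitimate extensions can request these permissions too.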

The extensions also exchanged data with a command-and-control server, receiving instructions and transmitting victim identification data, confidential information, and more.

This incident draws experts' attention to serious security issues with web browser extensions. Many of these programs are well camouflaged, which makes them much harder to detect. Users are advised to regularly check the reviews in the Chrome Web Store to keep up to date with any reports of suspicious or malicious activity.