Google Chrome web browser users are being advised to check all the browser extensions they have installed from the official Google Chrome Web Store.
Chrome users have been alerted about numerous rogue extensions which have already been downloaded thousands of times.
Although the 89 extensions may appear normal, they contain code that can record everything a user does when visiting a website.
Google has calculated that these rogue extensions have been downloaded and installed on over 420,000 browsers.
Security specialists Trend Micro discovered the malicious code.
Joseph Chen, fraud analyst for Trend Micro, explained that every action made by a user, be it a keystroke, mouse click or scroll, can be recorded and replayed, adding: “These scripts are injected into every website the user visits. These libraries are meant to be used to replay a user’s visit to a website, so that the site owner can see what the user saw, and what he entered into the machine, among other things.”
Droidclub is the name given by Trend Micro to these extensions, which can also mine Monero, a cryptocurrency.
After the discovery, Google quickly removed the extensions in question from its web store. However, Trend Micro was quick to explain that there were many other ways that the extensions could spread.
One of these ways is a malicious online advert. Trend Micro described how: “Malicious ads would be used to display false error messages asking users to download an extension onto their browser.
“If people click OK here, the Chrome browser will download the extension from the normal Chrome web store in the background.
“It then asks the user if they want to go ahead and install the extension while listing the required privileges of the extension.
“The extension, once installed, checks if the C&C server is online, downloads any needed configuration code, and reports back to the C&C server.”
The security company further explained that the extension was self-aware, in that if a user tried to report it through the normal procedure, it would redirect the user to another page.
Even if the user attempted to remove it from Google's official extension manager page, it would again redirect, this time to a fake site.
This would make the user think the extension had been removed when in reality it would remain.
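For readers checking their installed extensions, the sketch below audits the manifest.json files under a Chrome profile's Extensions directory and flags extensions that inject scripts into every site, hold host access to all sites, or request the tabs permission. It is an added example, not code from Trend Micro or Google; the flagged traits are generic review heuristics chosen here, not published Droidclub indicators, and the sample manifests are constructed.

```python
import json
import sys
from pathlib import Path

# Match patterns that let an extension act on every site the user visits.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return review findings for one parsed manifest.json (heuristics only)."""
    findings = []
    for cs in manifest.get("content_scripts", []):
        if BROAD & set(cs.get("matches", [])):
            findings.append("content script injected on all sites: "
                            + ", ".join(sorted(cs.get("js", []))))
    # Manifest V2 keeps host patterns in "permissions"; V3 uses "host_permissions".
    declared = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    perms = {p for p in declared if isinstance(p, str)}
    if perms & BROAD:
        findings.append("host access to all sites: " + ", ".join(sorted(perms & BROAD)))
    if "tabs" in perms:
        findings.append("tabs permission: can read the URL of every open tab")
    return findings

def audit_extensions(ext_root):
    """Audit every <ext_root>/<extension id>/<version>/manifest.json."""
    report = {}
    for path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        key = f"{path.parent.parent.name}/{path.parent.name}"
        try:
            findings = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, AttributeError, TypeError):
            findings = ["manifest could not be read or parsed"]
        if findings:
            report[key] = findings
    return report

# Constructed sample manifests, not taken from any real extension.
SAMPLE_BROAD = {"name": "sample-a", "manifest_version": 2,
                "permissions": ["tabs", "<all_urls>"],
                "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}
SAMPLE_NARROW = {"name": "sample-b", "manifest_version": 3,
                 "host_permissions": ["https://example.com/*"],
                 "content_scripts": [{"matches": ["https://example.com/*"],
                                      "js": ["page.js"]}]}

if __name__ == "__main__":
    # Pass the profile's Extensions directory as the first argument.
    if len(sys.argv) > 1:
        for ext, notes in audit_extensions(sys.argv[1]).items():
            print(ext, *notes, sep="\n  ")
    else:
        print(audit_manifest(SAMPLE_BROAD))
```

Many legitimate extensions also request these permissions, so a finding marks an extension for manual review rather than identifying it as malicious.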
Google said on the matter: “We’ve removed the affected extensions from the Chrome Web Store and have disabled them on devices of all affected Chrome users.
“Keeping the extensions ecosystem free from malware and abuse has always been a priority and we are always working on closing gaps to address new abuse patterns that emerge.
“Currently, our security systems block more than 1,000 malicious extensions per month.
“If an extension looks suspicious, we encourage users to report it as potential abuse through the chrome web store page so we can review it in greater depth.”