- Researchers find malicious browser extensions can assume the appearance of any other installed in the browser
- It can also disable other extensions, completely tricking the victim
- The extension can steal sensitive passwords, cryptos, and more
Cybersecurity researchers have found malicious shapeshifting Google Chrome browser extensions in the wild, able to change their appearance to pretty much anything else installed on the target device, opening the doors for credential theft, cryptocurrency theft, and possibly even wire fraud.
Researchers from SquareX said they spotted a malicious browser extension which at first, seems benign. It can be an “unassuming AI tool”, or pretty much anything else. When it’s first installed, it will behave as expected, for at least a while, while it analyzes which other extensions are installed in the browser.
If it spots anything particularly interesting (such as a crypto wallet, for example), the extension will completely transform its appearance, including the interface, the shortcut icon, and everything else, to look exactly the same. It will then disable the legitimate extension, so that it is the only one offering that particular functionality – meaning it is almost impossible for the victim to realize they are being targeted.
Feature, not a bug
To make matters worse, the researchers said that the malware just abuses the design of browsers and extensions.
There is no bug, no vulnerability being exploited, meaning that cybersecurity solutions, antivirus programs, and other endpoint protection tools, cannot flag it or remove it. It gets worse, too – the extensions only require medium risk permissions, the same ones required by password managers and similar tools. Therefore, the malware cannot even be spotted by Chrome Store and other security teams simply looking at the code.
They are calling them “polymorphic extensions” and believe they are an entirely new class of malware. They said the malware impacts “most major browsers, including Chrome and Edge”.
“Browser extensions present a major risk to enterprises and users today,” commented SquareX founder, Vivek Ramachandran.
“Unfortunately, most organizations have no way of auditing their current extension footprint and to check whether they are malicious. This further underscores the need for a browser native security solution like Browser Detection and Response, similar to what an EDR is to the operating system.”
Google has been notified, but has yet to respond.
Leave a comment