Chrome extensions are 'the new rootkit' say researchers linking surveillance campaign to Israeli registrar Galcomm

Galcomm retorts: 'The report is at least irresponsible, if not worse'

Updated Researchers at Awake Security have published a report on malicious extensions in the Chrome web store, making both specific claims of over 32 million downloads of one malware family, and general claims of weak security in both domain registration and Google's store.

The researchers said they have been tracking a "massive global surveillance campaign that affects almost every enterprise we have investigated" linked to a specific Israel-based domain registrar called Communigal Communication Ltd (Galcomm).

The story begins with some heuristic malware detection by Awake, looking for things like signs of uploads going to rare or known bad destinations. This led them to a bunch of malicious browser extensions, 111 in total, which "were found to upload sensitive data or not perform the task they're advertised to perform (generally, they surveil user activity and device properties)."



Of these, Awake reported, 79 were available in the Chrome store, the official source for Chrome browser extensions (and also now usable by Microsoft's Chromium-based Edge). A common technique, they said, is that the developer gets a clean version of an extension approved, and later updates it with the malicious payload.

Some of the suspicious extensions have a reassuring number of reviews and downloads, in one case more than 22,000 reviews and 10 million downloads, presumably achieved by bot activity.

Another popular approach is to clone a genuine extension and bundle it with malware. "Awake has since worked with Google to take down these extensions from the Chrome Web Store," said the report, but no doubt more are on the way.

The browser can reveal 'keys to the kingdom'

A point made by the researchers is that widespread enterprise migration to the cloud often also implies that business activity is frequently done within the browser. "Rogue access to the browser therefore frequently means rogue access to the 'keys to the kingdom' – from email and corporate file sharing to customer relationship management and financial databases," they said, dubbing browser extensions "the new rootkit."

After all, there is no need to break into the operating system if valuable data can be extracted via the browser alone.

If the user can be tricked into allowing it, a browser extension can have considerable power. "When the permission requires access to all data on your computer and the websites you visit, it means that the app or extension can access almost anything. This could be your webcam or personal files, inside or outside of your browser," notes Google. Many dodgy extensions pose as security utilities, which typically do require a high level of permission to work.

A developer on Hacker News said: "I've been developing Chrome extensions full-time for about a year now, and it's honestly terrifying just how much access extensions have to sensitive user data."

The problem, he said, is that "on more established platforms like iOS and Android, all sensitive permissions have to be requested at runtime rather than at install-time, which forces developers to explain why they need the permissions they ask for. With browser extensions, there's no such requirement, which leads many developers to ask for all the permissions they can get, because there's no downside to doing so.

"That's why over 80 per cent of the top 1,000 extensions ask for access to ALL domains, which means they have the power to steal any of your data (emails, passwords, etc) on any site if they wanted or became compromised."

The Chrome team is improving this by requiring permissions to be requested at runtime in a forthcoming update, he said, but right now "the extension ecosystem is pretty broken."
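The install-time, all-domains access described above is declared in each extension's manifest.json, so it can be audited before an extension is allowed onto managed machines. The following is an added example, not code from Awake's report or from Google; the sample manifests, names and the choice of "sensitive" API permissions are constructed for illustration.

```python
import json

# Chrome match patterns that grant access to every website.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that expose browsing data once host access is granted
# (an illustrative selection, not an official list).
SENSITIVE_APIS = {"cookies", "webRequest", "tabs", "history",
                  "clipboardRead", "debugger", "nativeMessaging", "proxy"}


def _strings(items):
    """Permission lists may contain objects; keep only string entries."""
    return [i for i in items if isinstance(i, str)]


def is_host_pattern(entry):
    """Manifest V2 mixes host patterns and API names in one list."""
    return entry == "<all_urls>" or "://" in entry


def audit_manifest(manifest):
    """Separate host access granted at install time from optional access."""
    perms = _strings(manifest.get("permissions", []))
    optional = _strings(manifest.get("optional_permissions", []))
    install_hosts = set(manifest.get("host_permissions", []))   # Manifest V3
    install_hosts |= {p for p in perms if is_host_pattern(p)}   # Manifest V2
    for script in manifest.get("content_scripts", []):
        # Content scripts are injected into every page they match.
        install_hosts |= set(script.get("matches", []))
    optional_hosts = set(manifest.get("optional_host_permissions", []))
    optional_hosts |= {p for p in optional if is_host_pattern(p)}
    apis = {p for p in perms if not is_host_pattern(p)}
    return {
        "name": manifest.get("name", "?"),
        "all_sites_at_install": bool(install_hosts & BROAD_PATTERNS),
        "all_sites_optional": bool(optional_hosts & BROAD_PATTERNS),
        "sensitive_apis": sorted(apis & SENSITIVE_APIS),
    }


def triage(manifests):
    """Return extensions with all-site access at install, riskiest first."""
    flagged = [r for r in map(audit_manifest, manifests)
               if r["all_sites_at_install"]]
    return sorted(flagged, key=lambda r: len(r["sensitive_apis"]), reverse=True)


# Constructed sample manifests (not real extensions).
SAMPLES = [json.loads(s) for s in (
    '{"manifest_version": 2, "name": "Sample Security Helper",'
    ' "permissions": ["tabs", "cookies", "<all_urls>"]}',
    '{"manifest_version": 3, "name": "Sample Site Tool",'
    ' "permissions": ["storage"], "host_permissions": ["https://example.com/*"],'
    ' "optional_host_permissions": ["*://*/*"]}',
    '{"manifest_version": 3, "name": "Sample Page Tweaker",'
    ' "permissions": ["storage"],'
    ' "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["c.js"]}]}',
)]

if __name__ == "__main__":
    for report in triage(SAMPLES):
        print(report)
```

The second sample is not flagged because its all-site access is optional, which means it has to be requested at runtime rather than granted at install.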

Dodgy extensions in Chrome Store with millions of downloads (now removed)

The most disturbing part of the report is the claim that there have been 32,963,951 downloads of extensions that "advertise one function (like security) but actually do nothing other than send information about the endpoint or user-activities to Galcomm-registered domains."

Some of these downloads will be artificial, but the researchers said: "We believe the actual number of endpoints with these extensions is not substantially less, and quite likely more." The possibility of an underestimate comes about because the extensions can also be loaded from websites which bypass the Chrome Store, "making it difficult to get an install count for these."

In general, the Awake team said the security industry is complacent about malware that extracts data, which is often labelled as "PUPs, Adware or Greyware" by most antivirus products, understating the risk it poses. "Security teams think of PUPs/Adware as the type of apps that annoyingly popup coupons, and many times security teams do not remediate PUP detections because of resource constraints. This is a dangerous strategy."

Awake also presents some data on Galcomm, the registrar that links the various extensions and other malware in the report. "Our analysis shows that almost 60 per cent of the domains we have observed registered with this registrar are high risk for organizations," the research team claimed.

Many of the domains were registered immediately after they expired, causing complaints about hijacked domains, but defeating malware detection based on recently registered domains. The use of the domains includes downloading malware and JavaScript, hosting malicious sites, redirecting users to malicious sites, and being the destination for exfiltrated data.

The researchers pointed the finger at ICANN, which oversees the accreditation of registrars, for doing little to enforce requirements such as responding quickly to "well-founded reports of illegal activity."

"Even these minimal requirements from ICANN … are not being followed by Galcomm. This lack of oversight by ICANN seems to point towards a general indifference to the implementation and execution of these rules," they said.

Awake said its threat researchers "made several attempts to contact Galcomm by phone, email (abuse@, security@, and support@), and the contact form on their website, asking questions like 'Given these domains account for approximately 60 per cent of the total domains Galcomm currently has on the internet, how could this go unnoticed by the company?'"

The researchers added that "we have received no response from Galcomm at publishing time of this paper, nor have we observed any decrease in malicious activity associated with their domains."

Galcomm refutes claims

The Register had better luck. Galcomm owner Moshe Fogel told us: "We are aware of this report. The report is at least irresponsible, if not worse. It is based on incorrect data, where 25 per cent of the domains they claimed to have checked are either not at Galcomm or deleted.

"From those that are with Galcomm, almost all are parked domains, mostly with the largest domain parking companies worldwide. The rest are still being investigated." He went on to claim: "Moreover, Awake have not even asked for our quote or response on that issue before publishing a report. I got the domains in question via a third party who was asking me about this."

Is the situation as bad as Awake says? "It is unclear from the report as to what impact the detected malicious extensions could have on the affected organisations," security consultant Brian Honan told The Register.

"However, this is not the first time campaigns have been identified that take advantage of malicious extensions for web browsers and highlights enterprises need to be more proactive in how they manage the security of browsers. Allowing end users to install whatever browser extensions they want can expose an enterprise to potential harm.

"Given that more and more of our online communications are happening via browsers, such as email, messaging, collaboration platforms, and other corporate tools, the browser is becoming the soft underbelly in many organisations' security infrastructure, particularly during the COVID-19 pandemic with many users working remotely and relying more and more on their browsers to work."

Honan suggests using Google's Chrome Browser Cloud Management tools to control extensions.

Ex-Sophos consultant Graham Cluley concurred. "Browser extensions have a scary amount of power, and if you happen to be running one that has gone rogue you should consider everything you do in your browser to be compromised."

We have approached Google and ICANN for comment and will update this piece accordingly if they respond. ®

Updated to add

A Google spokesperson has since told us: "We appreciate the work of the research community, and when we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses.

"In addition to disabling the accounts of developers that violate our policies, we also flag certain malicious patterns we detect in order to prevent extensions from returning."

Google also pointed us toward posts here and here about its efforts to strengthen security in the Chrome Web Store, one from 2018 and the other from May 2019. If Awake’s report is correct though, there is still work to do.
