New Polymorphic Chrome extensions fake others to steal your data


We have seen our fair share of malicious Chrome extensions in the roughly 17 years since Google released the initial version of its browser, from fake VPN extensions and outright malicious extensions to sophisticated session replay malware.

The latest development: a new malicious type of extension, called a polymorphic extension, is currently being used to attack users in the wild.

What is a polymorphic extension? A malicious extension that fakes the icon and behavior of other extensions to steal user data.

Polymorphic extensions behave like legitimate extensions at first glance. They look like harmless extensions that provide some functionality. Their true purpose is to impersonate other extensions installed in the user’s browser in order to steal data.

Faking other extensions to gain access to user data

Security researchers at SquareX Labs discovered the new type of malware. The basic process is always the same. It begins with the installation of a legitimate-looking but malicious Chrome extension. This may happen via the official Chrome Web Store or through other channels.

The extension prompts the user to pin its icon to the Chrome toolbar. Many extensions request this, as it provides faster access to their functionality.

While the extension works as advertised, it scans for high-value extensions installed by the user. These can be password managers, financial extensions, or any other type of extension that may provide access to valuable data.

While Chrome prevents extensions from enumerating other installed extensions, techniques exist to overcome this limitation. One way, according to the researchers, is to check for certain web resources that the target extensions expose.

Once extensions have been found, malicious code is executed to impersonate the legitimate extension. The researchers give an example of a password manager extension that is attacked.

When the user visits a webpage with a login form, the malicious extension temporarily disables the password manager and impersonates the password manager's icon on the Chrome toolbar. An HTML prompt that looks like it came from the password manager then requests a new login to the password manager.

When the user enters the authentication information, it is passed to the threat actor. The malicious extension then changes its icon back and re-enables the password manager. Once re-enabled, the legitimate password manager fills out the password fields to sign the user in, making it difficult to notice what just happened.

With the credentials in hand, the threat actor may access the user’s password vault to obtain data.

The researchers highlight several key attacks that may be executed using polymorphic extensions:

  • Unauthorized transfer of cryptocurrencies using crypto wallets
  • Unauthorized transactions using banking apps
  • Unauthorized access to monitor, write and send confidential documents/emails with productivity tools (e.g. grammar checkers, automation tools)
  • Unauthorized access to read and modify code base via developer tools

SquareX informed Google about this new type of malicious extension. While there is no direct defense against polymorphic extensions, users may verify Chrome extensions before they install them.

Another option is to use different profiles or even browsers for different activities. Use one browser or profile for tasks that demand the highest security. This separates the activity from regular browsing sessions to increase security.
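One concrete way to act on the advice to verify extensions is to audit the manifests of extensions already installed in a profile. This is an added example, not code from the article or from SquareX. It rests on two facts about Chrome's extension platform: an extension can only disable another extension if it declares the management permission, and it can only inject an HTML prompt into arbitrary login pages if it holds broad host access; both are declared in manifest.json. The profile path and the sample manifests below are constructed for illustration.

```python
"""Flag installed Chrome extensions whose permissions allow the polymorphic
extension pattern described above (added example, not the article's code)."""
import json
from pathlib import Path

# "management" allows enabling/disabling other extensions (chrome.management).
SUSPECT_PERMISSIONS = {"management"}
# Host patterns that grant access to every site, in both MV2 and MV3 spellings.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> list:
    """Return the reasons a manifest merits review; an empty list means none."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))  # may be requested later
    # MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    reasons = []
    if perms & SUSPECT_PERMISSIONS:
        reasons.append("can enable/disable other extensions (management)")
    if hosts & BROAD_HOSTS:
        reasons.append("can inject content into every site (broad host access)")
    if len(reasons) == 2:
        reasons.append("combination matches the polymorphic-extension pattern")
    return reasons


def audit(manifests: dict) -> dict:
    """Map extension id -> reasons, keeping only extensions that raised any."""
    return {eid: r for eid, m in manifests.items() if (r := assess_manifest(m))}


def load_profile(profile_dir: Path) -> dict:
    """Read every Extensions/<id>/<version>/manifest.json under a Chrome profile.
    Assumed layout; e.g. ~/.config/google-chrome/Default on Linux."""
    found = {}
    for path in profile_dir.glob("Extensions/*/*/manifest.json"):
        with open(path, encoding="utf-8") as fh:
            found[path.parents[1].name] = json.load(fh)
    return found


# Constructed sample manifests: one harmless, one fitting the attack pattern.
SAMPLE_MANIFESTS = {
    "notes-ext-sample": {"manifest_version": 3, "permissions": ["storage"]},
    "suspect-ext-sample": {"manifest_version": 3,
                           "permissions": ["management", "storage"],
                           "host_permissions": ["<all_urls>"]},
}

if __name__ == "__main__":
    for eid, reasons in audit(SAMPLE_MANIFESTS).items():
        print(eid, "->", "; ".join(reasons))
```

To run it against a real profile, replace SAMPLE_MANIFESTS with load_profile(Path("<profile dir>")); a hit is a reason to review the extension, not proof it is malicious, since some legitimate extension managers also need the management permission.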

Now it is your turn. Do you verify extensions before you install them? Let us know in the comment section below.


Author

Martin Brinkmann

Publisher

Ghacks Technology News
