- Researchers find that malicious browser extensions can take on the appearance of any other extension installed in the browser
- They can also disable the extension they impersonate, leaving the victim none the wiser
- Such an extension can steal passwords, cryptocurrency and more
Cybersecurity researchers have found malicious Google Chrome browser extensions in the wild that can change their appearance to mimic almost anything else installed on the target device, opening the door to credential theft, cryptocurrency theft and possibly even wire fraud.
SquareX researchers said they observed a malicious browser extension that initially appears benign. It can pose as an "unassuming tool" or almost anything else. When first installed it behaves as expected, at least for a while, while it analyzes which other extensions are installed in the browser.
If it finds something particularly interesting (a cryptocurrency wallet, for example), the extension completely transforms its appearance, including its interface, toolbar icon and everything else, to look identical to the target. It then disables the legitimate extension, so that it is the only one offering that particular functionality, which makes it almost impossible for the victim to realize they are being attacked.
Feature, not a bug
To make matters worse, the researchers said the malware merely abuses the way browsers and extensions are designed.
There is no bug and no vulnerability is exploited, which means cybersecurity solutions, antivirus programs and other endpoint protection tools cannot flag or remove it. It gets worse: the extensions only require medium-risk permissions, the same ones password managers and similar tools ask for. So the malware can slip past the Chrome Web Store and other security teams that simply look at the code.
They call them "polymorphic extensions" and believe they constitute an entirely new class of malware. They said the malware affects "most major browsers, including Chrome and Edge."
"Browser extensions pose a significant risk to today's companies and users," said SquareX founder Vivek Ramachandran.
"Unfortunately, most organizations have no way to audit their current extension footprint and check whether they are malicious. This further underlines the need for a browser-native security solution, such as browser detection and response, similar to what an EDR is for the operating system."
Google has been notified but has not yet responded.