Third-party extensions for Facebook, Instagram, and others have infected millions

Emma McGowan, 17 Dec 2020
Emma McGowan, 17 Dec 2020

Extensions for the internet’s most popular platforms may contain malicious software and should be uninstalled

Browser extensions are usually useful, sometimes fun —  and occasionally dangerous.

That’s the case for at least 28 browser extensions analyzed by Avast Threat Intelligence researchers after the threat was identified by Czech researchers at CZ.NIC. The affected extensions contain malware and include Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK Unblock, as well as additional browser extensions for Google Chrome and Microsoft Edge. According to the browser store download numbers, more than three million people may be affected worldwide.

“Our hypothesis is that either the extensions were deliberately created with the malware built in, or the author waited for the extensions to become popular and then pushed an update containing the malware,” Avast researcher Jan Rubin says. “It could also be that the author sold the original extensions to someone else after creating them and then his client introduced the malware afterwards.”

The infected JavaScript-based extensions contain malicious code that makes it possible to download even more malware to a person’s computer. They also manipulate all links that the victims click on after downloading the extensions. For example, links in Google Search leads users to other, seemingly random, sites. This includes phishing sites and ads. 

“We believe that these domains are not owned by the cybercriminals, but that the owners of these domains pay the cybercriminals for every redirection,” Rubin says.

Clicking on the links also causes the extensions to send information to the attacker’s control server, creating a log of all of their clicks. That log is then sent to third-party websites and can be used to collect personal information about the user, including birth date, email addresses, device information, first sign in time, last login time, name of their device, operating system, browser used and version, and IP address.

The Avast Threat Intelligence team started monitoring this threat in November 2020, but believe that it could have been active for years without anyone noticing. In fact, there are reviews on the Chrome Web Store mentioning link hijacking from as far back as December 2018. That means it’s possible this has been infecting people’s devices for much longer than researchers have been aware of the threat.

At the time of publishing, the infected extensions are still available for download. If you suspect you might have downloaded one, Avast researchers recommend disabling and uninstalling them immediately and then scan for and remove malware. They have also reported the issue to Microsoft and Google, who are looking into it.

Related articles