Unmasking malicious extensions: Avast detects new threats on the Chrome Web Store

Luis Corrons 2 Jun 2023

Avast discovered 32 malicious extensions with a whopping 75 million combined installs that were available on the Chrome Web Store.

In the ever-evolving cybersecurity landscape, new threats emerge every day. Our team at Avast recently discovered a series of malicious browser extensions on the Chrome Web Store that are spreading adware and hijacked search results. These are significant threats, as these attacks affect approximately 24,000 of our users and potentially millions more worldwide. 

Our investigation began when a respected figure in the cybersecurity community, Wladimir Palant, discovered malicious code in the PDF Toolbox extension. His findings, detailed on his blog, prompted us to delve deeper into the issue. 

We found that 32 malicious extensions with a whopping 75 million combined installs were available on the Chrome Web Store. The extensions’ functionalities ranged from adblocks, downloaders, and browser themes to recorders and tab managers. Importantly, an additional 50 extensions have already been taken down. 

Although these numbers are alarming, it's important to note that our team has reason to believe that the install counts may have been artificially inflated. This is because the number of reviews on the Chrome Web Store are suspiciously low – what’s more, we found that the number of people who encountered the threat isn’t proportional to the number of installs from the Chrome Web Store.

The trickiest part about malicious browser extensions is the nature of the tools – the extensions themselves are designed to provide legitimate functionality, which makes them appear harmless at first glance. However, hidden within their code lies obfuscated code of malicious origin. The final payload appears to be adware that spams people with unwanted ads and a search result hijacker that alters search experiences by displaying sponsored links, paid search results, and potentially malicious links. At the time of publication, our team is still in the process of fully analyzing the threats that are attached to these malicious extensions. 

  

 

One of the malicious extensions that Avast reported to Google 

In the past, we have worked closely with Google to report malicious extensions and apps, to which the company has been responsive in taking the necessary actions. In this case, we have reported our team’s finding to Google and all malicious extensions have now been removed from the store.

In the meantime, we have ensured our users’ ongoing protection by blocking the backdoor communication of the malicious extensions. By doing so, we’ve made it possible for the non-malicious portion of the browser extension in question to work as intended, while the malicious component is neutralized.  

The importance of cybersecurity vigilance 

This example is a reminder that individuals must use caution when installing extensions – even those available on official platforms like the Chrome Web Store. A rule of thumb: Always check the developer's reputation and read reviews before installing an extension. Also, be wary of extensions that request excessive permissions or seem to have unrelated functionalities. 

We will continue to monitor this situation and provide updates as we learn more. Our commitment to online security is unwavering, and we are dedicated to keeping our users informed about the latest threats and how to stay protected.


Avast researcher Jan Vojtěšek, who is leading this investigation, has listed the following Indicators of Compromise (IoC): 

Extension IDs:

  • aeclplbmglgjpfaikihdlkjhgegehbbf 
  • afffieldplmegknlfkicedfpbbdbpaef 
  • ajneghihjbebmnljfhlpdmjjpifeaokc 
  • ameggholdkgkdepolbiaekmhjiaiiccg 
  • bafbedjnnjkjjjelgblfbddajjgcpndi 
  • bahogceckgcanpcoabcdgmoidngedmfo 
  • bikjmmacnlceobeapchfnlcekincgkng 
  • bkbdedlenkomhjbfljaopfbmimhdgenl 
  • bkflddlohelgdmjoehphbkfallnbompm 
  • bkpdalonclochcahhipekbnedhklcdnp 
  • bppfigeglphkpioihhhpbpgcnnhpogki 
  • cajcbolfepkcgbgafllkjfnokncgibpd 
  • ciifcakemmcbbdpmljdohdmbodagmela 
  • deebfeldnfhemlnidojiiidadkgnglpi 
  • diapmighkmmnpmdkfnmlbpkjkealjojg 
  • dlnanhjfdjgnnmbajgikidobcbfpnblp 
  • dppnhoaonckcimpejpjodcdoenfjleme 
  • edadmcnnkkkgmofibeehgaffppadbnbi 
  • edaflgnfadlopeefcbdlcnjnfkefkhio 
  • edailiddamlkedgjaoialogpllocmgjg 
  • edmmaocllgjakiiilohibgicdjndkljp 
  • eibcbmdmfcgklpkghpkojpaedhloemhi 
  • enofnamganfiiidbpcmcihkihfmfpobo 
  • epmmfnfpkjjhgikijelhmomnbeneepbe 
  • fcndjoibnbpijadgnjjkfmmjbgjmbadk 
  • fejgiddmdpgdmhhdjbophmflidmdpgdi 
  • ffiddnnfloiehekhgfjpphceidalmmgd 
  • fgpeefdjgfeoioneknokbpficnpkddbl 
  • fhnlapempodiikihjeggpacnefpdemam 
  • finepngcchiffimedhcfmmlkgjmeokpp 
  • flmihfcdcgigpfcfjpdcniidbfnffdcf 
  • fpfmkkljdiofokoikgglafnfmmffmmhc 
  • gdlbpbalajnhpfklckhciopjlbbiepkn 
  • geokkpbkfpghbjdgbganjkgfhaafmhbo 
  • gfbgiekofllpkpaoadjhbbfnljbcimoh 
  • ghabgolckcdgbbffijkkpamcphkfihgm 
  • glfondjanahgpmkgjggafhdnbbcidhgf 
  • gliolnahchemnmdjengkkdhcpdfehkhi 
  • gnmjmennllheofmojjffnidneaohleln 
  • hdgdghnfcappcodemanhafioghjhlbpb 
  • hdifogmldkmbjgbgffmkphfhpdfhjgmh 
  • hhhbnnlkhiajhlfmedeifcniniopfaoo 
  • higffkkddppmfcpkcolamkhcknhfhdlo 
  • hmakjfeknhkfmlckieeepnnldblejdbd 
  • icnekagcncdgpdnpoecofjinkplbnocm 
  • iejlgecgghdfhnappmejmhkgkkakbefg 
  • igefbihdjhmkhnofbmnagllkafpaancf 
  • igfpifinmdgadnepcpbdddpndnlkdela 
  • iicpikopjmmincpjkckdngpkmlcchold 
  • imfnolmlkamfkegkhlpofldehcfghkhk 
  • jbolpidmijgjfkcpndcngibedciomlhd 
  • jjooglnnhopdfiiccjbkjdcpplgdkbmo 
  • jlhmhmjkoklbnjjocicepjjjpnnbhodj 
  • kafnldcilonjofafnggijbhknjhpffcd 
  • keecjmliebjajodgnbcegpmnalopnfcb 
  • kjeffohcijbnlkgoaibmdcfconakaajm 
  • lcdaafomaehnnhjgbgbdpgpagfcfgddg 
  • lgjdgmdbfhobkdbcjnpnlmhnplnidkkp 
  • lhpbjmgkppampoeecnlfibfgodkfmapd 
  • likbpmomddfoeelgcmmgilhmefinonpo 
  • lipmdblppejomolopniipdjlpfjcojob 
  • lklmhefoneonjalpjcnhaidnodopinib 
  • llcogfahhcbonemgkdjcjclaahplbldg 
  • lmcboojgmmaafdmgacncdpjnpnnhpmei 
  • lpejglcfpkpbjhmnnmpmmlpblkcmdgmi 
  • magnkhldhhgdlhikeighmhlhonpmlolk 
  • mcmdolplhpeopapnlpbjceoofpgmkahc 
  • meljmedplehjlnnaempfdoecookjenph 
  • nadenkhojomjfdcppbhhncbfakfjiabp 
  • nbocmbonjfbpnolapbknojklafhkmplk 
  • ngbglchnipjlikkfpfgickhnlpchdlco 
  • njglkaigokomacaljolalkopeonkpbik 
  • obeokabcpoilgegepbhlcleanmpgkhcp 
  • obfdmhekhgnjollgnhjhedapplpmbpka 
  • oejfpkocfgochpkljdlmcnibecancpnl 
  • okclicinnbnfkgchommiamjnkjcibfid 
  • olkcbimhgpenhcboejacjpmohcincfdb 
  • ooaehdahoiljphlijlaplnbeaeeimhbb 
  • pbdpfhmbdldfoioggnphkiocpidecmbp 
  • pbebadpeajadcmaoofljnnfgofehnpeo 
  • pidecdgcabcolloikegacdjejomeodji 
  • pinnfpbpjancnbidnnhpemakncopaega 

Domains: 

  • serasearchtop[.]com 
  • onlinesly[.]com 

Hashes: 

  • 6E05E35212063D8A8FEFD34B328E55B8FC6C81404CC8C99B65FC9B0A5D7A8CF9 
--> -->