(Reuters) – A newly discovered spyware effort attacked users through 32 million downloads of extensions to Google's market-leading Chrome web browser, researchers at Awake Security told Reuters, highlighting the tech industry's failure to protect browsers even as they are used more and more for email, payroll and other sensitive functions.
Alphabet Inc's Google said it removed more than 70 of the malicious add-ons from its official Chrome Web Store after being alerted by the researchers last month.
"When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses," Google spokesman Scott Westover told Reuters.
Most of the free extensions purported to warn users about questionable websites or to convert files from one format to another. Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools.
Based on the number of downloads, it was the most far-reaching malicious Chrome Store campaign to date, according to Awake co-founder and chief scientist Gary Golomb.
Google declined to discuss how the latest spyware compared with prior campaigns, the breadth of the damage, or why it did not detect and remove the bad extensions on its own despite past promises to supervise offerings more closely.
It is unclear who was behind the effort to distribute the malware. According to Awake, the developers supplied fake contact information when they submitted the extensions to Google.
"Anything that gets you into somebody's browser or email or other sensitive areas would be a target for national espionage as well as organized crime," said former National Security Agency engineer Ben Johnson, who founded the security companies Carbon Black and Obsidian Security.
The extensions were designed to avoid detection by antivirus companies and by security software that evaluates the reputation of web domains, Golomb said.
If someone used the browser to surf the web on a home computer, the extension would connect to a series of websites and transmit information, the researchers found. On a corporate network, which would include security services, the extension would not transmit the sensitive information or even reach the malicious versions of the websites, so the domain-reputation and sandbox checks a company runs never saw the malicious behavior.
"This shows how attackers can use extremely simple methods to hide, in this case, thousands of malicious domains," Golomb said.
All of the domains in question, more than 15,000 linked to one another in total, were purchased from a small registrar in Israel, Galcomm, known formally as CommuniGal Communication Ltd. Awake said Galcomm should have known what was happening. In an email exchange, Galcomm owner Moshe Fogel told Reuters that his company had done nothing wrong.
"Galcomm is not involved in any malicious activity," Fogel wrote. "You can say exactly the opposite; we work with law enforcement and security bodies to prevent as much as we can."
Fogel said there was no record of the inquiries Golomb said he made in April and again in May to the company's email address for reporting abusive behavior, and he asked for a list of the suspect domains. Reuters sent him that list three times without receiving a substantive response.
The Internet Corp for Assigned Names and Numbers, which oversees registrars, said it had received few complaints about Galcomm over the years, and none about malware.
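The two details above, that the extensions beaconed only from networks without security services and that the more than 15,000 domains involved all came from a single small registrar, suggest a simple hunting heuristic a defender can run over resolver or proxy logs from home and remote-worker machines: flag any client that resolves an unusual number of distinct domains sharing one registrar. The Python below is an illustration added by the editor, not Awake Security's tooling or anything from the article; the log lines, the client addresses, the registrar names and the lookup table are all constructed, and in practice the registrar field would come from bulk WHOIS/RDAP lookups and the registrable domain from the Public Suffix List rather than the last-two-labels simplification used here.

```python
"""Hunt for clients talking to many distinct domains from one registrar.

Added illustration of a registrar-concentration heuristic; not the method
used by the researchers in the article. All inputs are constructed.
"""
from collections import defaultdict

# Constructed resolver log lines: "<timestamp> <client> query <fqdn>".
SAMPLE_LOG = """\
2020-05-01T09:00:01Z 10.0.0.7 query www.google.com
2020-05-01T09:00:02Z 10.0.0.7 query mail.reuters.com
2020-05-01T09:00:03Z 10.0.0.5 query www.stat-a.example
2020-05-01T09:00:04Z 10.0.0.5 query cdn.stat-b.example
2020-05-01T09:00:05Z 10.0.0.5 query www.stat-c.example
2020-05-01T09:00:06Z 10.0.0.5 query api.stat-d.example
2020-05-01T09:00:07Z 10.0.0.5 query www.stat-e.example
2020-05-01T09:00:08Z 10.0.0.5 query www.stat-f.example
2020-05-01T09:00:09Z 10.0.0.5 query www.google.com
2020-05-01T09:00:10Z 10.0.0.7 query www.stat-a.example
2020-05-01T09:00:11Z 10.0.0.9 query www.stat-b.example
2020-05-01T09:00:12Z 10.0.0.9 query www.stat-c.example
"""

# Constructed registrar table standing in for bulk WHOIS/RDAP output.
# "BigReg Inc." and "SmallReg Ltd." are hypothetical registrar names.
REGISTRAR = {
    "google.com": "BigReg Inc.",
    "reuters.com": "BigReg Inc.",
    "stat-a.example": "SmallReg Ltd.",
    "stat-b.example": "SmallReg Ltd.",
    "stat-c.example": "SmallReg Ltd.",
    "stat-d.example": "SmallReg Ltd.",
    "stat-e.example": "SmallReg Ltd.",
    "stat-f.example": "SmallReg Ltd.",
}


def registrable_domain(fqdn):
    """Reduce a hostname to its last two labels.

    Simplification for the example; real tooling should use the Public
    Suffix List so that e.g. 'foo.co.uk' is handled correctly.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Yield (client, registrable_domain) for each well-formed query line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue  # skip malformed or non-query lines
        yield parts[1], registrable_domain(parts[3])


def domains_per_registrar(text, registrar_map):
    """Build client -> registrar -> set of distinct registrable domains."""
    table = defaultdict(lambda: defaultdict(set))
    for client, domain in parse_log(text):
        table[client][registrar_map.get(domain, "unknown")].add(domain)
    return table


def find_suspicious_clients(text, registrar_map, threshold=5):
    """Return {client: {registrar: [domains]}} for every client that reached
    at least `threshold` distinct domains belonging to one known registrar."""
    hits = {}
    for client, by_reg in domains_per_registrar(text, registrar_map).items():
        flagged = {
            reg: sorted(doms)
            for reg, doms in by_reg.items()
            if reg != "unknown" and len(doms) >= threshold
        }
        if flagged:
            hits[client] = flagged
    return hits


def registrar_concentration(text, registrar_map):
    """Share of all distinct domains in the log attributed to each registrar.
    One small registrar dominating the set is the tell from the article."""
    domains = {domain for _, domain in parse_log(text)}
    counts = defaultdict(int)
    for domain in domains:
        counts[registrar_map.get(domain, "unknown")] += 1
    return {reg: n / len(domains) for reg, n in counts.items()}


if __name__ == "__main__":
    for client, flagged in find_suspicious_clients(SAMPLE_LOG, REGISTRAR).items():
        for reg, doms in flagged.items():
            print(f"{client}: {len(doms)} distinct domains via {reg}: {doms}")
    print(registrar_concentration(SAMPLE_LOG, REGISTRAR))
```

A shared registrar is weak evidence on its own, since plenty of legitimate domains share one, so the threshold has to be set against a baseline of normal activity and the output treated as a lead for analysts rather than a verdict. Because the extensions in the article stayed quiet on corporate networks, the logs worth feeding this are the ones from home connections and endpoint DNS telemetry, not only the corporate resolver.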
While deceptive extensions have been a problem for years, they are getting worse. They initially spewed unwanted advertisements; now they are more likely to install additional malicious programs or to track where users are and what they are doing on behalf of government or commercial spies.
Malicious developers have used Google's Chrome Store as a conduit for a long time. After one in ten submissions was judged malicious, Google said in 2018 that it would improve security, in part by increasing human review.
But in February, independent researcher Jamila Kaya and Cisco Systems' Duo Security uncovered a similar Chrome campaign that stole data from about 1.7 million users. Google joined that investigation and found 500 fraudulent extensions.
"We do regular sweeps to find extensions using similar techniques, code and behaviors," Google's Westover said, in language identical to what Google gave out after Duo's report.
(Reporting by Joseph Menn, editing by Greg Mitchell and Leslie Adler.)