Avast Discovers 32 Malicious Chrome Extensions with 75 Million Installs

In the ever-evolving cybersecurity landscape, new threats emerge every day. Recently, Avast’s team discovered a series of malicious browser extensions on the Chrome Web Store that were spreading adware and hijacking search results. These threats affected approximately 24,000 users and potentially millions more worldwide. The investigation began when cybersecurity expert Wladimir Palant identified malicious code in the PDF Toolbox extension prompting Avast to investigate further.

Avast found 32 malicious extensions with a total of 75 million installs on the Chrome Web Store. These extensions offered a range of functionalities from adblocks and downloaders to browser themes and tab managers. Additionally, 50 other extensions have already been removed from the store. While the install counts are alarming, Avast suspects they may have been artificially inflated due to suspiciously low review numbers on the Chrome Web Store.

The nature of malicious browser extensions makes them particularly dangerous as they appear to provide legitimate functionality at first. However, hidden within their code lies malicious code designed to deliver adware that inundates users with unwanted ads. The extensions also include a search result hijacker that alters search experiences by displaying sponsored links and potentially harmful content.

Avast has a history of working closely with Google to report and remove malicious extensions and apps. In this case, Avast reported the findings to Google, resulting in the removal of all malicious extensions from the Chrome Web Store. Avast has also taken measures to block the backdoor communication of these malicious extensions, ensuring the safety of its users.

The Importance of Cybersecurity Vigilance

Users must exercise caution when installing browser extensions, even from official sources like the Chrome Web Store. It is advisable to check the developer’s reputation, read reviews, and be wary of extensions that request excessive permissions or appear to have unrelated functionalities. Avast will continue to monitor the situation and provide updates to keep users informed and protected.

Avast researcher Jan Vojtěšek has identified several Indicators of Compromise (IoC) related to the malicious extensions:

Extension IDs:

• aeclplbmglgjpfaikihdlkjhgegehbbf
• afffieldplmegknlfkicedfpbbdbpaef
• ajneghihjbebmnljfhlpdmjjpifeaokc

Domains:

• serasearchtop[.]com
• onlinesly[.]com

Hashes:

• 6E05E35212063D8A8FEFD34B328E55B8FC6C81404CC8C99B65FC9B0A5D7A8CF9

This discovery serves as a reminder of the importance of cybersecurity vigilance and the potential risks associated with browser extensions. By staying informed and cautious, users can protect themselves from falling victim to malicious online threats.