Malicious developers have been using Google’s Chrome store as a conduit for malware for a long time. Despite Google’s effort to sweep extensions using malicious techniques, code, and behaviors every few months, new extensions that are siphoning off user browser history and credentials keep popping up.
Recently, a newly found spyware effort that attacked users through 32 million downloads was reported by researchers at Awake Security. The extensions under discussion are free and appear to warn users about questionable websites or convert files from one format to another. However, their main purpose is to collect and send out user’s browsing history and data that provided credentials for access to internal business tools.
According to the researchers, based on the number of downloads, this is by far the most far-reaching malicious Chrome store campaign to date.
Although Google has claimed that it removed 70 of the malicious add-ons from its official Chrome store after it was notified, this issue highlights how the tech industry is failing to protect browsers as they are increasingly being used for email, payroll, and other sensitive functions.
While talking to Reuters, Google spokesman Scott Westover said:
When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses.
The company has declined to how the latest spyware was more damaging as compared to prior campaigns, what was the breadth of damage and why it was not detected despite constant past promises to supervise offerings more closely.
