108 Google Chrome Extensions are Suspected of Stealing 20 Thousand Users’ Data

2 hours ago | Digital Technology


Jakarta, INTI - Cybersecurity firm Socket discovered 108 malicious Google Chrome extensions designed to steal user data, insert ads, and create backdoor access. Although these extensions have been downloaded just over 20,000 times, a small number compared with Chrome's total user base, the threat is considered serious because the campaign is well coordinated.

According to Socket’s report, these extensions were published through five different developer accounts: GameGen, InterAlt, SideGames, Rodeo Games, and Yana Project. However, they were all connected to a single command and control (C2) infrastructure, indicating a centralized operation behind their distribution. Security researcher Kush Pandya noted that data such as user credentials, identities, and browsing activity were sent to servers managed by the same developers.

Data Theft to Suspicious Ads

Of the 108 extensions, 54 were found to target Google account theft through the OAuth2 protocol. This allows attackers to access victims' email addresses, names, and profile pictures. Meanwhile, another 45 extensions contained universal backdoors that could automatically open specific links when the browser was launched.

To avoid suspicion, these extensions disguised themselves as seemingly normal tools, such as Telegram clients, slot games, or YouTube and TikTok optimization tools. Some extensions, such as Telegram Multi-account and Web Client for Telegram - Teleside, can even take over Telegram accounts by stealing active user sessions.

Furthermore, five extensions were found to exploit Chrome's declarativeNetRequest API to remove a website's security layer, making it easier to insert malicious ads, such as gambling ads. The perpetrators have not been identified, but initial indications include Russian-language comments in some of the programs.

Socket has reported these findings to Google, but some extensions are still available in the Chrome Web Store. Affected users are advised to immediately remove these extensions and log out of all Telegram Web sessions to secure their accounts.
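For readers auditing installed extensions, the Python example below (added here, not code from Socket or from this article) flags manifests that request the capabilities described above and lists declarativeNetRequest rules that remove or overwrite security response headers. The header list, flag names and sample inputs are assumptions constructed for illustration; a flag means the extension merits review, not that it is malicious.

```python
import json

# Assumption: "security layer" is read here as these response headers.
SECURITY_HEADERS = {"content-security-policy", "x-frame-options",
                    "strict-transport-security", "cross-origin-opener-policy"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
DNR_PERMS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}

def audit_manifest(manifest):
    """Return capability flags that merit manual review of one manifest.json."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hosts = set(manifest.get("host_permissions", [])) | perms
    flags = []
    if "identity" in perms or "oauth2" in manifest:
        flags.append("google-oauth2-identity")
    if perms & DNR_PERMS:
        flags.append("declarativeNetRequest")
    if hosts & BROAD_HOSTS:
        flags.append("broad-host-access")
    return flags

def header_stripping_rules(rules):
    """Return ids of declarativeNetRequest rules that remove or overwrite a security header."""
    hits = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for mod in action.get("responseHeaders", []):
            if (mod.get("header", "").lower() in SECURITY_HEADERS
                    and mod.get("operation") in ("remove", "set")):
                hits.append(rule.get("id"))
                break
    return hits

# Constructed sample input, not taken from any real extension.
SAMPLE_MANIFEST = json.loads("""{"manifest_version": 3, "name": "constructed sample",
  "permissions": ["identity", "declarativeNetRequest", "storage"],
  "host_permissions": ["<all_urls>"]}""")
SAMPLE_RULES = json.loads("""[
  {"id": 1, "action": {"type": "modifyHeaders", "responseHeaders":
    [{"header": "Content-Security-Policy", "operation": "remove"}]},
   "condition": {"urlFilter": "*", "resourceTypes": ["main_frame"]}},
  {"id": 2, "action": {"type": "block"}, "condition": {"urlFilter": "ads.example"}}]""")

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
    print(header_stripping_rules(SAMPLE_RULES))
```

To use it on a real profile, load each extension's `manifest.json` and the rule files named under its `declarative_net_request.rule_resources` key with `json.load` and pass them to the two functions.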

Conclusion

Socket discovered 108 malicious extensions in Google Chrome that had been downloaded over 20,000 times. They were used to steal user data, take over accounts, and insert ads through a centralized network, and they disguised themselves as common tools while targeting Google and Telegram accounts. Although they have been reported to Google, some are still available, so users are advised to remove them immediately and secure their accounts.
