Users of social media platforms such as Instagram and Facebook, and other online services, have been warned to be on the alert to third-party Google Chrome and Microsoft Edge browser extensions that are in fact malware delivery mechanisms.
That is according to threat researchers at Avast, who say they have uncovered at least 28 of the dodgy extensions that have, to date, been downloaded about three million times.
The Javascript-based extensions in many cases purport to assist users in downloading videos from the affected platforms to keep, but they contain malicious code that allows the extensions to download malware onto the victim’s device.
The associated malware is able to manipulate the victim’s online experience in many ways, such as redirecting traffic to unwanted ads or malicious phishing websites, or to exfiltrate personal data such as birth dates, email addresses and information on active devices, including IP addresses.
Avast malware researcher Jan Rubín said the team believed the objective behind the malicious activity was to monetise the redirected traffic – for each redirection to a third-party cyber criminal-controlled domain, they will receive some form of payment.
“Our hypothesis is that either the extensions were deliberately created with the malware built in, or the author waited for the extensions to become popular, and then pushed an update containing the malware,” said Rubín.
“It could also be that the author sold the original extensions to someone else after creating them, and then the buyer introduced the malware afterwards.”
Rubín has been monitoring the threat since November 2020, but believes it could have been active for at least two years – reviews on the Chrome Web Store mention link hijacking dating back to that period.
He added: “The extensions’ backdoors are well hidden and the extensions only start to exhibit malicious behaviour days after installation, which make it hard for any security software to discover.”
The malware is also hard to detect because it obfuscates its presence if it detects the user is searching for one of its domains or, apparently, if they have web development skills and might therefore be able to spot what it is doing.
At the time of writing, the infected extensions were still available for download, although Computer Weekly understands both Google and Microsoft are aware of the issues and are looking into them.
The current list of detected extensions is: Direct Message for Instagram; DM for Instagram; Invisible mode for Instagram Direct Message; Downloader for Instagram; Instagram Download Video & Image; App Phone for Instagram; App Phone for Instagram; Stories for Instagram; Universal Video Downloader; Universal Video Downloader; Video Downloader for Facebook; Video Downloader for Facebook; Vimeo Video Downloader; Vimeo Video Downloader; Volume Controller; Zoomer for Instagram and Facebook; VK UnBlock. Works fast; Odnoklassniki UnBlock. Works quickly; Upload photo to Instagram; Spotify Music Downloader; Upload photo to Instagram; Pretty Kitty, The Cat Pet; Video Downloader for YouTube; SoundCloud Music Downloader; The New York Times News; and Instagram App with Direct Message DM.
It is important to note that where a specific platform, such as Instagram or Vimeo, is named, none of the extensions are officially associated with those platforms. Users should nevertheless immediately disable or uninstall the extensions at least until the problem is resolved, and then scan for, and remove, the malware.
