- Researchers find a malicious browser extension can assume the appearance of any other extension installed in the browser
- It can also disable the extension it impersonates, completely fooling the victim
- The extension can steal sensitive passwords, cryptocurrency and more
Cybersecurity researchers have found shape-shifting Google Chrome browser extensions in the wild, able to change their appearance to look like virtually anything else installed on the target machine, opening the door to credential theft, cryptocurrency theft and possibly even wire fraud.
Researchers from SquareX said they discovered a malicious browser extension that at first appears benign. It might be a "modest AI tool" or pretty much anything else. Once installed, it behaves as expected, at least for a while, while analyzing which other extensions are installed in the browser.
If it sees something particularly interesting (a crypto wallet, for example), the extension completely transforms its appearance, including the interface, the toolbar icon and everything else, to look exactly like it. It then disables the legitimate extension, so that it is the only thing offering that functionality, which makes it almost impossible for the victim to realize they are being targeted.
Feature, not a bug
To make things worse, the researchers said the malware simply abuses the design of browsers and extensions.
There are no bugs and no vulnerability is exploited, which means that cybersecurity solutions, antivirus programs and other endpoint protection tools cannot flag or remove it. It gets worse: the extensions only require medium-risk permissions, the same ones required by password managers and similar tools. Therefore the malware cannot even be detected by the Chrome Web Store and other security teams that simply look at the code.
They call them "polymorphic extensions" and believe they are a whole new class of malware. They said the malware affects "most major browsers, including Chrome and Edge".
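One defender-side check this points to, as an added example (not code from SquareX or Google): a Python audit of a Chrome profile's Preferences file that reports which enabled extensions hold the `management` permission (the one Chrome's extension management API requires to enumerate and disable other extensions) and which extensions are currently disabled. The Preferences layout `extensions.settings.<id>.{manifest,state}` and the state values are assumptions about the file format; the sample profile is constructed, not taken from a real machine.

```python
"""Audit a Chrome profile's extension list for the pattern described above:
an enabled extension able to disable others, and extensions that have been
disabled (possibly without the user's knowledge).
Assumed layout (not verified here): extensions.settings.<id>.manifest/state."""
import json

# Permission required for chrome.management, which can list and disable extensions.
MANAGEMENT_PERMISSIONS = {"management"}
STATE_ENABLED = 1   # assumption: Chrome stores 1 = enabled, 0 = disabled

# Constructed sample profile (not a real Preferences file). Extension ids are
# 32 characters of a-p; these are placeholders.
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "a" * 32: {"manifest": {"name": "Example Wallet",
                            "permissions": ["storage"]}, "state": 0},
    "b" * 32: {"manifest": {"name": "Modest AI Tool",
                            "permissions": ["storage", "management"]}, "state": 1},
    "c" * 32: {"manifest": {"name": "Password Helper",
                            "permissions": ["tabs"]}, "state": 1},
}}})


def audit_extensions(prefs_json: str) -> dict:
    """Return {extension_id: {name, enabled, can_manage_others}} for a profile."""
    prefs = json.loads(prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    report = {}
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        report[ext_id] = {
            "name": manifest.get("name", "<unknown>"),
            "enabled": entry.get("state") == STATE_ENABLED,
            "can_manage_others": bool(perms & MANAGEMENT_PERMISSIONS),
        }
    return report


def flag_findings(report: dict) -> list:
    """Return (id, reason) pairs worth a human review."""
    flags = []
    for ext_id, info in report.items():
        if info["enabled"] and info["can_manage_others"]:
            flags.append((ext_id, f"{info['name']}: holds 'management' permission"))
        if not info["enabled"]:
            flags.append((ext_id, f"{info['name']}: disabled, confirm the user did this"))
    return flags


if __name__ == "__main__":
    for ext_id, reason in flag_findings(audit_extensions(SAMPLE_PREFS)):
        print(ext_id, reason)
```

On a real machine, point `audit_extensions` at the profile's Preferences (or Secure Preferences) file contents instead of the constructed sample.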
"Browser extensions pose a great risk to businesses and users today," commented SquareX founder Vivek Ramachandran.
"Unfortunately, most organizations have no way to audit their current extension footprint and to check whether any are malicious. This further emphasizes the need for a browser-native security solution such as browser detection and response, similar to what an EDR is for the operating system."
Google has been notified but has not yet responded.