Attackers planted dozens of malicious Chrome extensions on Google’s Chrome Web Store and created a botnet of 500,000 PCs that now inject ads, mine cryptocurrency, and track users with sophisticated web behavioral analytics.
Awareness of the so-called “Droidclub” botnet comes on the heels of a handful of malicious extensions found in Google’s official store that were also downloaded around 500,000 times.
Researchers at TrendMicro identified 89 Droidclub extensions on the Chrome Web Store, which have now been removed by Google, but only after being installed by 424,000 users. The extensions were also distributed through malvertizing.
As well as hijacking browsers to mine Monero and display ads, Droidclub extensions contain software libraries that enable “session replay scripts”. The invasive technique has been used by some site operators to observe the behavior of their users. Researchers recently highlighted problems with the technique since the script can record and playback exactly what the user typed on a targeted page, including a login page.
“This library enables a feature called session replay, which can record various user actions like mouse clicks, scrolling, and keystrokes,” wrote Trend Micro fraud researcher Joseph Chen.
“Unfortunately, in the hands of an attacker, this represents a very powerful tool that can breach the user’s privacy. The combination of the extension and the library can steal data entered into forms such as names, credit card numbers, CVV numbers, email addresses, and phone numbers.”
Chen notes the library is designed not to capture passwords, so the attacker doesn’t capture these. But even without passwords, the data that it can automatically steal is potentially valuable.
Interestingly, the extensions on the Chrome Store aren’t the hook to infect users. As Chen notes, the extensions are weird and “slightly nonsensical” — like “Chicken for a Barbecue” extension about brining chicken with an image of fried chicken next a ramekin of fish sauce and chili.
Rather, using malicious ads, the attacker displays bogus error messages in the browser that encourage the user to install an extension in order to view the content. Click OK and the extension downloads and a subsequent prompt asks the user if they want to proceed and install the extension. Once this happens, the extension calls and regularly checks in with the attacker’s command and control server.
The malicious extensions contain features to make it difficult to uninstall and report the bad behavior. If the user tries to report the issue, they’re redirected to the introduction page of the extension they want to remove. It also has a bogus page that suggests the extension has been uninstalled when it has not.
In a statement to Trend Micro, Google said it had addressed the issue by removing the extension from the store and disabled them on devices of all affected Chrome users.