
Chrome Web Store removes 34 malicious Chrome extensions

Google has removed 34 malicious browser extensions from the Chrome Web Store that had a combined download count of 87 million. While these extensions contain legitimate functionality, they can modify search results and push spam or unwanted ads.

Last month, independent cybersecurity researcher Wladimir Palant discovered a browser extension for Google Chrome called “PDF Toolbox” (2 million downloads) that contains cleverly disguised code, leaving users unaware of its potential risks.


The researcher analyzed the PDF Toolbox extension and published a detailed report on May 16. He explained that the code was made to look like a legitimate extension API wrapper. In fact, this code allowed the “serasearchtop[.]com” website to inject arbitrary JavaScript code into every web page a user viewed.

According to the report, the possible abuses include hijacking search results to display sponsored links and paid results, sometimes even containing malicious links, and stealing sensitive information. However, the purpose of the code remained unknown, as Palant detected no malicious activity.

The researcher also found that the code was set to activate 24 hours after installing the extension, indicating malicious intent, the report said.

In a follow-up article posted on May 31, 2023, Palant wrote that he had found the same malicious code in another 18 Chrome extensions with total downloads of 55 million in the Chrome Web Store.

Continuing his research, Palant found two variants of the code that were very similar, with only minor differences:

  • The first variant masquerades as Mozilla’s WebExtension browser API Polyfill. The “config” download address is https://serasearchtop.com/cfg//polyfill.json, and the garbled timestamp that prevents downloads within the first 24 hours is stored in localStorage.polyfill.
  • The second variant pretends to be the Day.js library. It downloads data from https://serasearchtop.com/cfg//locale.json and stores the garbled timestamp in localStorage.locale.

However, both variants retain the exact same arbitrary JS code injection mechanism involving serasearchtop[.]com.

While the researcher did not observe the malicious code in action, he noticed several user reports and reviews on the Web Store indicating that the extensions hijacked search results and randomly redirected them elsewhere.

Although Palant reported his findings to Google, the extensions remained available in the Chrome Web Store. Only after cybersecurity firm Avast confirmed the malicious nature of the Chrome extensions were they taken offline by the search giant.

Palant had listed 34 malicious extensions on his website, with total downloads of 87 million. To date, all of these malicious extensions have been removed by Google from the Chrome Web Store. However, this does not automatically disable or remove them from users' web browsers. Therefore, users are advised to remove them from their devices manually.
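Because removal from the Web Store leaves installed copies in place, one way to check a Chrome profile is to search its Extensions folder for the indicators of the two variants described above. This is an added example, not code from Palant's report or from this article's author. It assumes the host name appears as a literal string in the extension's scripts; the function names and the sample directory tree are constructed for illustration.

```python
import tempfile
from pathlib import Path

HOST = "serasearchtop.com"  # config host named in the article
VARIANTS = {                # config file name -> variant described in the article
    "polyfill.json": "variant 1: fake WebExtension browser API Polyfill",
    "locale.json": "variant 2: fake Day.js",
}

def scan_extensions(root):
    """Return sorted (extension_id, relative_file, variant) hits under root.

    Assumes Chrome's on-disk layout <root>/<extension id>/<version>/... and
    that the host is present as a literal string (an assumption of this example).
    """
    hits = []
    root = Path(root)
    for script in root.glob("*/**/*.js"):
        text = script.read_text(encoding="utf-8", errors="ignore")
        if HOST not in text:
            continue
        ext_id = script.relative_to(root).parts[0]
        names = [label for fname, label in VARIANTS.items() if fname in text]
        variant = "; ".join(names) or "host only, variant unknown"
        rel = script.relative_to(root / ext_id).as_posix()
        hits.append((ext_id, rel, variant))
    return sorted(hits)

def build_sample(root):
    """Write a constructed sample tree: one flagged extension, one clean one."""
    bad = Path(root) / ("a" * 32) / "1.0_0"
    ok = Path(root) / ("b" * 32) / "2.3_0"
    bad.mkdir(parents=True)
    ok.mkdir(parents=True)
    (bad / "background.js").write_text(
        'fetch("https://serasearchtop.com/cfg/" + id + "/polyfill.json");\n'
        "const last = localStorage.polyfill;\n")
    (ok / "background.js").write_text('console.log("unrelated extension");\n')

def demo():
    """Scan the constructed sample tree and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_extensions(tmp)

if __name__ == "__main__":
    for ext_id, path, variant in demo():
        print(f"{ext_id}  {path}  {variant}")
```

Point scan_extensions at the Extensions folder of a Chrome profile; each hit gives the extension ID to look up on chrome://extensions before removing it.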

Amir Hussain

Amir Hussain is the founder of Freemium World, a geek by nature and a professional blog writer. I love to write about new technology trends, social media, hacking, blogging and much more.
