Owners of software stores (Google, Apple, Amazon, et al.) have to fight malware just as intensely as security solution vendors do. Like any cycle, the process is never-ending: cybercriminals write malware that worms its way into online stores, whereupon it gets named and shamed (not to mention deleted), the security policy is updated to avoid repeat incidents, and the cybercriminals contrive a way to sneak their creation past the new policy into the store.
We always recommend installing apps from official sources only, but that doesn't mean that such sites are malware-free, just that there's less of it than elsewhere. And although Google Play is fairly safe, the Chrome Web Store is a different kettle of piranha. In it, our experts recently discovered a malicious extension that targets users' bank data.
A Trojan banker in your browser
The culprit was an extension named "Desbloquear Conteúdo" (Portuguese for "Unblock contents"), which essentially carried out a man-in-the-middle attack. When the user visited their bank's website, a malicious script redirected the traffic through a proxy server belonging to the cybercriminals, allowing them to analyze it and pick out what they wanted.
The malware also contained scripts designed to extract certain information entered by users online. For example, when a user visited the bank's login page, the malware used a screen overlay perfectly matching the bank's interface but replacing the login, password, and one-time confirmation code fields with its own. When the user pressed the login button, the malware copied the data for itself.
The domain on which the crooked C&C server was located used the same IP address as other domains previously exposed as malicious, which was one of the reasons the scheme caught our researchers' attention. Once they'd confirmed their suspicions, the researchers contacted Google, and the malware was quickly removed from the Chrome Web Store.
Remember that during installation, Chrome extensions request access permissions that often give them near-limitless powers on your computer. Most malicious programs need just one permission: "Read and change all your data on the websites you visit", which is pretty powerful.
So, handle extensions with extreme caution: they're not necessarily benign. They are so easy to install that it's easy to assume they can't be powerful or do any harm.
Protecting against malicious browser extensions
Here are some tips that will help fend off malware masquerading as a handy browser extension:
- Install only extensions that you trust completely. There is no one perfect test for trust, unfortunately, but at least stick to extensions supplied by reputable developers.
- Don't add extra extensions if you have no real need for them.
- If an extension is no longer necessary, remove it. You can always install it again if need be.
- Use a tried-and-tested security solution such as Kaspersky Internet Security. All new Chrome extensions are automatically sent to us for analysis, so even in the very latest extensions, malware has no place to hide.
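As an added example (not Kaspersky's tooling and not part of the original post), the script below turns the first three tips into a check you can run yourself: it walks a Chrome profile's Extensions folder, reads each extension's manifest.json, and flags the host patterns behind the "Read and change all your data on the websites you visit" warning, plus the `proxy` and `webRequest` API permissions that would let an extension reroute or rewrite traffic the way the banker described above did. The Extensions/<id>/<version>/manifest.json layout, the MV2/MV3 manifest keys and the match-pattern spellings are standard Chrome conventions; the two sample manifests, their names and IDs are constructed for the demo.

```python
"""Audit Chrome extension manifests for broad host access and traffic-rerouting
API permissions. Added example; not Kaspersky's own code."""
import json
import sys
import tempfile
from pathlib import Path

# Host patterns Chrome treats as "all websites"; this list is deliberately short,
# extend it if you also want to catch per-scheme wildcards such as "ftp://*/*".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# `proxy` lets an extension route the browser's traffic through a server of its
# choosing (the MITM in the article); `webRequest`/`webRequestBlocking` let it
# observe or alter individual requests.
SENSITIVE_API_PERMISSIONS = {"proxy", "webRequest", "webRequestBlocking"}

# Constructed sample manifests (not real extensions).
SAMPLE_BENIGN = {
    "manifest_version": 3,
    "name": "Sample Notes (constructed)",
    "permissions": ["storage"],
    "host_permissions": ["https://notes.example/*"],
}
SAMPLE_SUSPICIOUS = {
    "manifest_version": 2,
    "name": "Sample Unblocker (constructed)",
    "permissions": ["*://*/*", "proxy", "storage"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}


def _host_patterns(manifest):
    """Collect host patterns from both manifest layouts: MV2 mixes host patterns
    into `permissions`, MV3 uses `host_permissions`; content scripts' `matches`
    also grant the extension a foothold on those pages."""
    patterns = set()
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and ("://" in entry or entry == "<all_urls>"):
                patterns.add(entry)
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def assess_manifest(manifest):
    """Return findings for one manifest; an empty dict means nothing was flagged."""
    findings = {}
    broad = sorted(_host_patterns(manifest) & BROAD_HOST_PATTERNS)
    if broad:
        findings["broad_host_access"] = broad
    apis = sorted(set(manifest.get("permissions", [])) & SENSITIVE_API_PERMISSIONS)
    if apis:
        findings["sensitive_api_permissions"] = apis
    return findings


def audit_profile(extensions_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and report
    findings keyed by extension ID. Unreadable manifests are skipped."""
    report = {}
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        findings = assess_manifest(manifest)
        if findings:
            findings["name"] = manifest.get("name", "?")
            report[ext_id] = findings
    return report


def demo():
    """Build a throwaway Extensions folder from the constructed samples and audit it."""
    samples = (("aaaa-constructed-benign", SAMPLE_BENIGN),
               ("bbbb-constructed-suspect", SAMPLE_SUSPICIOUS))
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in samples:
            version_dir = Path(tmp) / ext_id / "1.0_0"
            version_dir.mkdir(parents=True)
            (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_profile(tmp)


if __name__ == "__main__":
    # Pass your profile's Extensions directory as the first argument; with no
    # argument the constructed samples are audited instead.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = audit_profile(target) if target else demo()
    print(json.dumps(result, indent=2))
```

A flagged extension is not automatically malicious (ad blockers and password managers legitimately need every site), but each entry in the report is one you should be able to justify keeping; if you can't, the tip above applies: remove it.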
Source: kaspersky.com