Malicious Chrome Extensions Steal Google and Telegram Data

Cybersecurity researchers have revealed that 108 malicious Google Chrome extensions have been silently stealing user information, hijacking Telegram sessions, and injecting unwanted ads and scripts into browsers, all reporting back to the same server.
Researchers at Socket found that all 108 extensions were communicating with the same command-and-control server, strongly suggesting that they are the work of a single threat actor.
Between them, before being identified, the extensions had racked up about 20,000 installations from the Chrome Web Store.
The malicious add-ons were published under five different publisher identities (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt) in an apparent attempt to avoid detection.
And to further hide the reality of what was going on, each malicious Google Chrome extension adopted a different disguise – including pretending to be a Telegram sidebar client, slot machine games, YouTube and TikTok development tools, or translation tools.
Behind the scenes, according to the researchers, all 108 extensions were transmitting stolen information, user identities, and browsing data to remote servers controlled by criminals.
Specific malicious behaviour includes:
- 54 extensions that stole Google account information, including email addresses, full names, profile pictures, and Google account IDs
- 45 extensions that contain a backdoor able to open arbitrary URLs at browser startup
- Telegram-themed extensions that siphon off Telegram Web session data every 15 seconds and, in some cases, replace the victim's session with one controlled by the attackers
- Extensions that stripped security headers from YouTube and TikTok pages and injected gambling ads
While the identity of those behind the campaign remains unknown, it is perhaps telling that Russian-language comments have been found in the source code of several add-ons.
If you are a regular reader of Hot for Security then you'll know that browser extension security has been a big problem over the years.
Back in 2018, for example, the Mega.nz Chrome extension was compromised by a malicious update which silently harvested login credentials and cryptocurrency private keys from users' browsers.
In 2020, researchers found 49 browser extensions targeting cryptocurrency wallets, which were promoted with Google ads and boosted with fake five-star reviews to appear trustworthy.
More recently, in 2023, a rogue "ChatGPT for Google" extension stole Facebook session cookies from more than 9,000 users, and used them to spread malware.
And just this January, another 16 fake ChatGPT-themed extensions were found to be stealing authentication tokens.
Arguably the most shocking incident occurred on Christmas Day 2024, when a phishing email tricked a Cyberhaven employee into granting a malicious app access to the company's Chrome Web Store account. That allowed attackers to push a poisoned update to hundreds of thousands of users. The attack is believed to be part of a wider campaign that compromised more than 35 extensions and affected an estimated 2.6 million people.
If you have installed any of the 108 extensions identified in this latest malicious campaign, your best course of action is to remove them immediately.
In addition, anyone who installed a dodgy Telegram-related extension should also log out of all Telegram Web sessions through the Telegram mobile app, as attackers may have captured them.
In general, don’t you think it’s time to clean up your Chrome extensions? Do you really use each one? Do the permissions they’re asking for seem proportionate to what they’re doing? When in doubt, remove it.
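One way to answer the permissions question methodically is to read the manifests Chrome keeps on disk rather than clicking through each extension's details page. The script below is an added example, not code from the article or from Socket's research: it assumes Chrome's on-disk layout (`<profile>/Extensions/<extension id>/<version>/manifest.json`) and the default profile locations, and the risk labels plus the two sample manifests (a minimal translator and a hypothetical "Telegram Sidebar" that asks for far more) are constructed for the demonstration.

```python
"""Audit Chrome extension manifests for permissions out of proportion to their purpose.

Added example, not from the original article or Socket's research. Assumes Chrome's layout
<profile>/Extensions/<extension id>/<version>/manifest.json; risk labels are this script's own.
"""
import json
import sys
import tempfile
from pathlib import Path

# Default Chrome profile locations; the profile name 'Default' is assumed (others are 'Profile 1', ...).
PROFILE_DIRS = {
    "linux": Path.home() / ".config/google-chrome/Default",
    "darwin": Path.home() / "Library/Application Support/Google/Chrome/Default",
    "win32": Path.home() / "AppData/Local/Google/Chrome/User Data/Default",
}

# API permissions that give an extension reach into pages, cookies, accounts or traffic.
HIGH_RISK_PERMISSIONS = {
    "cookies": "read or rewrite cookies for any granted host (session theft)",
    "webRequest": "observe every request to granted hosts",
    "webRequestBlocking": "modify requests and responses (e.g. strip security headers)",
    "declarativeNetRequest": "rewrite requests and response headers",
    "scripting": "inject scripts into granted pages",
    "tabs": "see the URL of every open tab",
    "identity": "obtain Google account info/tokens for the signed-in user",
    "management": "enumerate and disable other extensions",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Hosts a session-stealing or ad-injecting extension would want a foothold on.
SENSITIVE_HOSTS = ("web.telegram.org", "accounts.google.com", "youtube.com", "tiktok.com")


def host_patterns(manifest):
    """Every URL pattern requested: MV2 'permissions' entries that are match patterns,
    MV3 'host_permissions', and each content script's 'matches'."""
    pats = {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    pats.update(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        pats.update(script.get("matches", []))
    return pats


def content_script_hosts(manifest):
    return {m for s in manifest.get("content_scripts", []) for m in s.get("matches", [])}


def assess_manifest(manifest):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = host_patterns(manifest)
    for p in sorted(perms & set(HIGH_RISK_PERMISSIONS)):
        findings.append(f"permission '{p}': {HIGH_RISK_PERMISSIONS[p]}")
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: can read and modify every site you visit")
    for site in SENSITIVE_HOSTS:
        for h in sorted(hosts):
            if site in h:
                findings.append(f"host access to {site} via pattern '{h}'")
    # A content script on web.telegram.org runs inside the page and can read the session
    # data Telegram Web keeps in localStorage: the foothold for the session hijacking above.
    if any("web.telegram.org" in m for m in content_script_hosts(manifest)):
        findings.append("content script on web.telegram.org: can read Telegram Web session data")
    # Blocking webRequest on all hosts is what it takes to strip response headers such as
    # Content-Security-Policy and then inject third-party ad scripts.
    if {"webRequest", "webRequestBlocking"} <= perms and hosts & BROAD_HOSTS:
        findings.append("can strip security headers and inject scripts into any response")
    return findings


def audit_profile(profile_dir):
    """Map extension id -> {'name', 'version', 'findings'} for every installed extension."""
    results = {}
    for manifest_path in sorted(Path(profile_dir, "Extensions").glob("*/*/manifest.json")):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        ext_id, version = manifest_path.parts[-3], manifest_path.parts[-2]
        # 'name' may be a __MSG_...__ localisation placeholder; the id is the stable handle.
        results[ext_id] = {"name": manifest.get("name", "?"), "version": version,
                           "findings": assess_manifest(manifest)}
    return results


# Constructed sample manifests: a minimal translator and a hypothetical 'Telegram Sidebar'.
BENIGN_MANIFEST = {"manifest_version": 3, "name": "Quick Translate", "version": "1.0",
                   "permissions": ["storage"]}
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3, "name": "Telegram Sidebar", "version": "2.3",
    "permissions": ["storage", "cookies", "tabs", "webRequest", "webRequestBlocking"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://web.telegram.org/*"],
                         "js": ["sidebar.js"], "run_at": "document_start"}],
}


def demo():
    """Build a throwaway profile holding both sample manifests and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in (("aaaa" * 8, BENIGN_MANIFEST), ("bbbb" * 8, SUSPICIOUS_MANIFEST)):
            d = Path(tmp, "Extensions", ext_id, manifest["version"] + "_0")
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_profile(tmp)


if __name__ == "__main__":
    detected = PROFILE_DIRS.get(sys.platform)
    if len(sys.argv) > 1 and sys.argv[1] != "--demo":
        report = audit_profile(sys.argv[1])          # explicit profile directory
    elif "--demo" not in sys.argv and detected and detected.is_dir():
        report = audit_profile(detected)             # the local default profile
    else:
        report = demo()                              # constructed sample data
    for ext_id, info in report.items():
        print(f"{ext_id}  {info['name']}  {info['version']}")
        for f in info["findings"] or ["no risky permissions requested"]:
            print(f"    - {f}")
```

Run it with no arguments to audit your own default profile, with a path to audit another profile, or with `--demo` to see the constructed samples. A translator that asks for nothing but `storage` comes back clean; anything that pairs broad host access with `webRequestBlocking` or plants a content script on web.telegram.org is exactly the sort of disproportionate request that should prompt an uninstall.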
After all, a lightweight browser with minimal extensions is a safer browser.