Researchers at Awake Security have published a report on malicious extensions in the Chrome web store, making both specific claims of over 32 million downloads of one malware family, and general claims of weak security in both domain registration and Google’s store.
The researchers said they have been tracking a “massive global surveillance campaign that affects almost every enterprise we have investigated” linked to a specific Israel-based domain registrar called Communigal Communication Ltd (Galcomm).
The story begins with some heuristic malware detection by Awake, looking for things like signs of uploads going to rare or known bad destinations. This led them to a bunch of malicious browser extensions, 111 in total, which “were found to upload sensitive data or not perform the task they’re advertised to perform (generally, they surveil user activity and device properties.”
Of these, Awake reported, 79 were available in the Chrome store, the official source for Chrome browser extensions (and also now usable by Microsoft’s Chromium-based Edge). A common technique, they said, is that the developer gets a clean version of an extension approved, and later updates it with the malicious payload.
Some of the suspicious extensions have a reassuring number of reviews and downloads, in one case more than 22,000 reviews and 10 million downloads, presumably achieved by bot activity.
Another popular approach is to clone a genuine extension and bundle it with malware. “Awake has since worked with Google to take down these extensions from the Chrome Web Store,” said the report, but no doubt more are on the way.
The browser can reveal ‘keys to the kingdom’
A point made by the researchers is that widespread enterprise migration to the cloud often also implies that business activity is frequently done within the browser. “Rogue access to the browser therefore frequently means rogue access to the ‘keys to the kingdom’ – from email and corporate file sharing to customer relationship management and financial databases,” they said, dubbing browser extensions “the new rootkit.”
After all, there is no need to break into the operating system if valuable data can be extracted via the browser alone.
If the user can be tricked into allowing it, a browser extension can have considerable power. “When the permission requires access to all data on your computer and the websites you visit, it means that the app or extension can access almost anything. This could be your webcam or personal files, inside or outside of your browser,” notes Google. Many dodgy extensions pose as security utilities, which typically do require a high level of permission to work.
A developer on Hacker News said: “I’ve been developing Chrome extensions full-time for about a year now, and it’s honestly terrifying just how much access extensions have to sensitive user data.”
The problem, he said, is that “on more established platforms like iOS and Android, all sensitive permissions have to be requested at runtime rather than at install-time, which forces developers to explain why they need the permissions they ask for. With browser extensions, there’s no such requirement, which leads many developers to ask for all the permissions they can get, because there’s no downside to doing so.
“That’s why over 80 per cent of the top 1,000 extensions ask for access to ALL domains, which means they have the power to steal any of your data (emails, passwords, etc) on any site if they wanted or became compromised.”
The Chrome team is improving this by requiring permissions to be requested at runtime in a forthcoming update, he said, but right now “the extension ecosystem is pretty broken.”
The most disturbing part of the report is the claim that there have been 32,963,951 downloads of extensions that “advertise one function (like security) but actually do nothing other than send information about the endpoint or user-activities to Galcomm-registered domains.”
The browser is becoming the soft underbelly in many organisations’ security infrastructure, particularly during the COVID-19 pandemic with many users working remotely…
Some of these downloads will be artificial, but the researchers said: “We believe the actual number of endpoints with these extensions is not substantially less, and quite likely more.” The possibility of an underestimate comes about because the extensions can also be loaded from websites which bypass the Chrome Store, “making it difficult to get an install count for these.”
In general, the Awake team said the security industry is complacent about malware that extracts data, which is often labelled as “PUPs, Adware or Greyware” by most antivirus products, understating the risk it poses. “Security teams think of PUPs/Adware as the type of apps that annoyingly popup coupons, and many times security teams do not remediate PUP detections because of resource constraints. This is a dangerous strategy.”
Awake also presents some data on Galcomm, the registrar that links the various extensions and other malware in the report. “Our analysis shows that almost 60 per cent of the domains we have observed registered with this registrar are high risk for organizations,” the research team claimed.
The researchers pointed the finger at ICANN, which oversees the accreditation of registrars, for doing little to enforce requirements such as responding quickly to “well-founded reports of illegal activity.”
“Even these minimal requirements from ICANN … are not being followed by Galcomm. This lack of oversight by ICANN seems to point towards a general indifference to the implementation and execution of these rules,” they said.
Awake said its threat researchers “made several attempts to contact Galcomm by phone, email ([email protected], [email protected], and [email protected]), and the contact form on their website, asking questions like ‘Given these domains account for approximately 60 per cent of the total domains Galcomm currently has on the internet, how could this go unnoticed by the company?'”
The researchers added that “we have received no response from Galcomm at publishing time of this paper, nor have we observed any decrease in malicious activity associated with their domains.”
Galcomm refutes claims
The Register had better luck. Galcomm owner Moshe Fogel told us: “We are aware of this report. The report is at least irresponsible, if not worse. It is based on an incorrect data, where 25 per cent of the domains they claimed to have checked are either not at Galcomm or deleted.
“From those that are with Galcomm, almost all are parked domains, mostly with the largest domain parking companies worldwide. The rest are still being investigated.” He went on to claim: “Moreover, Awake have not even asked for our quote or response on that issue before publishing a report. I got the domains in question via a third party who was asking me about this.”
Is the situation as bad as Awake says? “It is unclear from the report as to what impact the detected malicious extensions could have on the affected organisations,” security consultant Brian Honan told The Register.
“However, this is not the first time campaigns have been identified that take advantage of malicious extensions for web browsers and highlights enterprises need to be more proactive in how they manage the security of browsers. Allowing end users to install whatever browser extensions they want can expose an enterprise to potential harm.
“Given that more and more of our online communications are happening via browsers, such as email, messaging, collaboration platforms, and other corporate tools, the browser is becoming the soft underbelly in many organisations’ security infrastructure, particularly during the COVID-19 pandemic with many users working remotely and relying more and more on their browsers to work.”
Honan suggests using Google’s Chrome Browser Cloud Management tools to control extensions.
Ex-Sophos consultant Graham Cluley concurred. “Browser extensions have a scary amount of power, and if you happen to be running one that has gone rogue you should consider everything you do in your browser to be compromised.”
We have approached Google and ICANN for comment and will update this piece accordingly if they respond. ®