Malicious New Google Chrome Extensions Could Be Tracking Your Every Move

Tags: Cyber Security, Malware

In late 2017, researchers at Princeton’s Center for Information Technology Policy published a blog post highlighting a group of powerful third-party analytics tools known as session replay scripts. These scripts allowed website owners to monitor mouse clicks, keystrokes and other interactions for individual users across their webpages. According to the study, at least 482 of the top ranked sites on Alexa used session replay scripts to help optimize their digital marketing and design strategies. Computer Login Screen

Google Extensions are Exploiting Session Replay Scripts

While mainstream session replay scripts scrub all identifying information from their replay recordings, less scrupulous operators can exploit these same techniques to capture passwords and credit card details instead of marketing data.

A team of researchers at Trend Micro identified at least 89 Chrome extensions used to spread malware to users across the world. Although these extensions were used to insert pop-up and link advertisements into visited webpages, many older versions deployed scripts that hijacked people's browsers to mine the crypto currency Monero. However, the most alarming aspect of the Droidclub botnet was its use of However, the most alarming aspect of the Droidclub botnet was its use of session replay scripts to record individual browsing sessions. Experts think more than 400,000 computers are infected by these Chrome extensions.

How Droidclub Works

Droidclub uses a mixture of malicious advertising and psychological tricks to lure victims into downloading their extensions.

In most cases, users will be met with an error message that urges them to take instant action to continue using a particular website. When users click the message, it redirects them to a landing page which asks to add an extension onto their computer. If you agree to do so, it will take you to the Chrome Store where the browser will install a seemingly innocuous extension which will have nonsensical descriptions relating to home cooking or interior decorating.

Once the extension is installed it will communicate with malicious servers, transmitting information from your computer and downloading any necessary configuration codes from the back-end. In this way, the extension can send a wealth of sensitive information into the hands of unscrupulous parties on an ongoing basis.

Unfortunately, Droidclub extensions are designed to be difficult to uninstall or even report. Any attempt to do so through the Chrome Store usually results in a redirect back to the initial installation page. If you try to remove the extension through the browser toolbar, you will sent to a fake uninstall page designed to trick you into believing the extension has been uninstalled.

Have Your Systems Been Infected by a Malicious Extension?

Our IT security experts can help protect your data and cloud environment against even the most persistent malware and viruses. We can also provide targeted user training to help your employees identify and avoid security threats on the Internet. Chat with us now to find out more.