Spyware extensions removed from Chrome Web Store after 32M downloads

Chrome Web Store under magnifying glass again: 106 add-ons removed for spying on users

Web store offered over 100 spyware extensions

Acting on a warning from Awake Security[1] researchers last month, Google removed over 100 browser extensions from the official Chrome Web Store on Thursday. According to Awake, the extensions were used in a surveillance campaign against networks in government, entertainment, financial services, pharmaceuticals and other sectors.

The malicious extensions had been downloaded about 32 million times in total. All of them were free, and most posed as simple utilities, such as file converters or tools that warn about malicious websites.

Based on the information gathered, most of the removed extensions are tied to CommuniGal Communication Ltd (GalComm)[2], a domain registrar that Awake accuses of enabling malicious activity across more than a hundred networks:

By exploiting the trust placed in it as a domain registrar, GalComm has enabled malicious activity that has been found across more than a hundred networks we’ve examined. Furthermore – the malicious activity has been able to stay hidden by bypassing multiple layers of security controls, even in sophisticated organizations with significant investments in cybersecurity.

GalComm denies any responsibility and any connection to the spying activity

Analysis of the malicious add-ons on the Chrome Web Store led the researchers to GalComm. According to Awake Security co-founder Gary Golomb[3], this is not the first time extensions tied to the company have turned out to be malicious. The researchers also found that almost 60 percent of the reachable domains registered through GalComm were malicious or suspicious, and they called on Google and other platform operators to tighten the controls that are supposed to keep users from installing malicious extensions:

Of the 26,079 reachable domains registered through GalComm, 15,160 domains, or almost 60 percent, are malicious or suspicious: hosting a variety of traditional malware and browser-based surveillance tools.

Each of the removed extensions was found to take part in a targeted surveillance campaign, with capabilities that included taking screenshots, recording keystrokes, collecting browsing history and reading saved passwords.

None of the extensions was flagged as malicious or suspicious by a single antivirus engine. However well protected the user's machine was, endpoint security therefore gave no warning that these extensions posed a risk or violated privacy; an extension runs inside the browser with the permissions it was granted at install time, and signature-based scanners rarely inspect that behaviour. Awake also reports that the activity evaded multiple layers of security controls in more than 100 networks, which is how it stayed undetected and persisted. GalComm rejects all accusations:

Galcomm is not involved, and not in complicity with any malicious activity whatsoever. You can say exactly the opposite, we cooperate with law enforcement and security bodies to prevent as much as we can.

Over 500 extensions were already removed earlier this year

The Chrome Web Store is gradually losing users' trust because of weak control over what can be published and freely downloaded there. Earlier this year, security news sites[4] reported a large clean-up of malicious extensions from the Web Store, in which over 500 extensions were removed.

According to the researchers, millions of users worldwide were affected, although Google declined to comment. Those extensions did not have spyware features; they were used for aggressive advertising and intrusive redirects to malware download sites or phishing pages.

In addition, Google some time ago removed a set of 49 malicious extensions that stole from cryptocurrency wallets. Most of them were obscure, vaguely described, reused the same wording, and carried fake user comments and reviews, among other suspicious traits. Even so, they stayed on the Web Store for quite a while, leaving users at risk of having their wallets emptied.

Many ask why Google does not strengthen its policies to keep malware out of the Chrome Web Store. Google does keep updating its policies and its defences against potentially malicious extensions; the latest update was released at the end of April 2020[5]. Malware developers keep inventing new ways around those checks, however, so users have to take precautions themselves and research an extension, including the permissions it asks for, before installing it.
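One concrete form of that precaution, as an added example that is not code from the original article, from Awake Security or from Google: a Python script that reads the manifest.json of each locally installed Chrome extension and flags the permissions that would let it do what the extensions described above did (read every page, collect browsing history, intercept requests, take screenshots), and whether its update_url points anywhere other than Google's Web Store update service. The permission names are Chrome's own extension API permissions; the risk descriptions, the constructed sample manifest and the profile directory paths are this example's assumptions.

```python
"""Triage the permissions requested by installed Chrome extensions.

Chrome keeps an unpacked copy of every installed extension under the
profile's Extensions/<extension id>/<version>/ directory, each with a
manifest.json. This example reads those manifests and reports the
permissions that enable spyware-like behaviour. Permission names are
Chrome's; the risk mapping is this example's own judgement.
"""
from __future__ import annotations

import json
import os
import sys
from pathlib import Path

# Named permissions mapped to the capability they grant (example's own mapping).
RISKY_PERMISSIONS = {
    "history": "read full browsing history",
    "tabs": "see URL/title of every tab; with host access, capture tab screenshots",
    "desktopCapture": "record the screen",
    "webRequest": "observe every HTTP request the browser makes",
    "webRequestBlocking": "modify or block HTTP requests in flight",
    "cookies": "read session cookies for permitted hosts",
    "clipboardRead": "read the clipboard",
    "scripting": "inject code into pages it has host access to",
    "nativeMessaging": "talk to a native program outside the browser sandbox",
    "management": "enumerate and disable other extensions",
    "proxy": "route all traffic through a proxy of its choosing",
    "debugger": "attach the DevTools protocol to any tab",
}

# Host patterns that cover every page. A content script injected this
# broadly can log keystrokes and read login forms on any site.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Extensions installed from the Web Store are updated from this URL.
GOOGLE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one manifest (empty list = nothing notable)."""
    findings: list[str] = []
    perms = set(manifest.get("permissions", []))
    # Manifest V3 moves URL patterns into host_permissions; V2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}

    for name in sorted(perms & set(RISKY_PERMISSIONS)):
        findings.append(f"permission {name!r}: {RISKY_PERMISSIONS[name]}")

    broad = sorted(hosts & BROAD_HOST_PATTERNS)
    if broad:
        findings.append(f"broad host access {broad}: can read and modify every page")

    # content_scripts.matches grants injection on its own, so check it separately.
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOST_PATTERNS:
            findings.append(f"content script {script.get('js', [])} injected into all pages")

    update_url = manifest.get("update_url")
    if update_url and update_url != GOOGLE_UPDATE_URL:
        findings.append(f"non-Web-Store update_url {update_url!r}: code is served by a third party")

    return findings


def audit_extensions_dir(root: Path) -> dict[str, list[str]]:
    """Audit every <id>/<version>/manifest.json under a Chrome Extensions directory."""
    results: dict[str, list[str]] = {}
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        with manifest_path.open(encoding="utf-8-sig") as fh:  # tolerate a BOM
            results[ext_id] = audit_manifest(json.load(fh))
    return results


def default_extensions_dir() -> Path:
    """Default profile's Extensions directory for the current OS (assumed default install)."""
    home = Path.home()
    if sys.platform == "win32":
        return Path(os.environ["LOCALAPPDATA"]) / "Google/Chrome/User Data/Default/Extensions"
    if sys.platform == "darwin":
        return home / "Library/Application Support/Google/Chrome/Default/Extensions"
    return home / ".config/google-chrome/Default/Extensions"


# Constructed sample manifest for this example; it is not a real extension.
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Free File Converter",
    "version": "1.0.3",
    "permissions": ["tabs", "history", "webRequest", "webRequestBlocking", "<all_urls>", "storage"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"], "run_at": "document_start"}],
    "update_url": "https://updates.example.invalid/crx",
}

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_extensions_dir()
    report = audit_extensions_dir(target) if target.is_dir() else {"sample": audit_manifest(SAMPLE_MANIFEST)}
    for ext_id, findings in report.items():
        print(ext_id, "->", "no notable findings" if not findings else "")
        for line in findings:
            print("   ", line)
```

Run it with no arguments to audit the default Chrome profile, or pass the path of an Extensions directory (or a directory of unpacked extensions laid out as id/version/manifest.json). Findings are a starting point for a manual look, not a verdict: a legitimate ad blocker also needs webRequestBlocking and <all_urls>, which is exactly why a permission-based check alone could not have separated these extensions from honest ones, and why the article's advice is to look at who publishes an extension and where its code comes from as well.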