Spyware campaign used 70 rogue Chrome extensions with 32 million downloads
Chrome has removed more than 70 malicious Chrome extensions from the Chrome Web Store after a security company uncovered a major spyware campaign. Together, the extensions have been downloaded 32 million times.
The extensions forwarded business tool login credentials and users’ browsing history, and were specifically designed to avoid detection by antivirus and security software, security company Awake Systems told Reuters.
It has not been disclosed which extensions are involved. According to the security company, they included extensions that convert files to a different format and extensions that claim to warn users about questionable websites.
According to Awake Systems, the extensions were part of the largest spyware campaign on Chrome to date. The company informed Google, after which more than 70 extensions were removed last month. Google confirms the existence and removal of the extensions to Reuters, but does not elaborate on the scale of the abuse.
It is not clear who is behind the distribution of the malware. According to Awake Systems, the creators provided false contact information to Google when submitting the extensions. The more than 15,000 domains to which the information was sent are all linked to a small registrar, Galcom from Israel. Awake argues that the registrar should have seen that something was wrong. The registrar denies this.
Infected extensions are still a big problem for Google. At the beginning of this year, the browser maker already took five hundred extensions offline. They were used for malvertising. Although that case involved more extensions, they were used by fewer people: in total, they accounted for 1.7 million downloads.