{"id":11304,"date":"2018-01-30T10:45:39","date_gmt":"2018-01-30T18:45:39","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2018\/01\/30\/news-5075\/"},"modified":"2018-01-30T10:45:39","modified_gmt":"2018-01-30T18:45:39","slug":"news-5075","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/01\/30\/news-5075\/","title":{"rendered":"Chrome Extension Malware Has Evolved"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5a6a5d9534ecd30ae89baac4\/master\/pass\/ChromeExtensionSecurity.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman| Date: Tue, 30 Jan 2018 12:00:00 +0000<\/strong><\/p>\n<p><span class=\"lede\">You already know <\/span>to be <a href=\"https:\/\/www.wired.com\/2016\/12\/never-ever-ever-download-android-apps-outside-google-play\/\">wary of third-party<\/a> Android apps, and even to watch your back <a href=\"https:\/\/www.wired.com\/story\/google-play-store-malware\/\">in the Google Play Store<\/a>. A flashlight app with only 12 reviews might be hiding some malware as well. But your hyper-vigilant download habits should extend beyond your smartphone. You need to keep an eye on your desktop Chrome extensions as well.<\/p>\n<p>These handy little applets give you seamless access to services like Evernote or password managers, or put your Bitmoji just a click away. As with Android apps, though, Chrome extensions can sometimes hide malware or other scourges, even when you install them from the official Chrome Web Store. Google says that malicious extension installs have decreased by roughly 70 percent over the last two and a half years, but a steady stream of recent research findings show that the problem, and risk to users, is far from resolved.<\/p>\n<p>\u201cWhat we\u2019re seeing is an increase in criminal use of extensions,\u201d says William Peteroy, CEO of the security firm Icebrg. 
\u201cAnd when we start to see criminal pickup on things it absolutely meets our bar that this is something we need to pay attention to, and something users need to start paying a lot more attention to than they are right now.\u201d<\/p>\n<p>Other browsers suffer a similar onslaught, but with almost 60 percent <a href=\"https:\/\/netmarketshare.com\/browser-market-share.aspx?\" target=\"_blank\">market share<\/a>, attacks on Chrome users will generally affect the largest number of people, making it a prime target for criminal hackers. Icebrg recently highlighted four malicious extensions in the Chrome Web Store that had more than 500,000 downloads combined. The extensions masqueraded as standard utilities, with names like \u201cStickies\u201d and \u201cLite Bookmarks.\u201d The researchers saw indications, though, that they were actually part of click-fraud scams to boost revenue for attackers. And the extensions requested enough privileges that they could have snooped even more, accessing things like user data, and tracking their behavior. Google removed the four extensions after Icebrg disclosed them privately.<\/p>\n<p>\u201cSince the creation of the extensions platform, we\u2019ve worked hard to keep the extensions ecosystem free from malware and abuse,\u201d says James Wagner, a Chrome product manager at Google. \u201cWe&#x27;re using machine learning to detect malicious behavior in extensions, and \u2026 we\u2019ve been particularly focused on cracking down on abusive distribution methods.\u201d In particular, the Chrome team has been working to detect and block situations where websites push users to get an extension, sometimes trapping them in layers of installation pop-ups that try to trick people into installing.<\/p>\n<p>In spite of these efforts, though, malicious extension campaigns pop up regularly. Part of the problem: Chrome is already a trusted application. 
When users give it permission to run certain code, like an extension, their operating system and most antivirus products usually give it a free pass. And the more systems and services move into the browser\u2014like Microsoft 365 and Google\u2019s G Suite\u2014the more valuable data and network access a malicious Chrome extension could potentially get.<\/p>\n<p>In addition to distributing malicious apps through mechanisms like phishing and compromised sites, attackers have also refined techniques to smuggle their extensions into the Chrome Web Store, and then modify them remotely once downloaded to add or activate nasty features.<\/p>\n<p>In October, Google removed three extensions impersonating AdBlock Plus, one of which had almost 40,000 downloads. That same month, researchers at Morphus Labs <a href=\"https:\/\/isc.sans.edu\/forums\/diary\/CatchAll+Google+Chrome+Malicious+Extension+Steals+All+Posted+Data\/22976\/\" target=\"_blank\">discovered an extension<\/a>, dubbed \u201cCatch-All,\u201d that launched from a phishing attempt targeting WhatsApp users, mimicked an Adobe Acrobat installer, and then captured all the data users entered while browsing in Chrome once installed, including usernames and passwords.<\/p>\n<p>In December, researchers at the internet security firm Zscaler found an <a href=\"https:\/\/www.zscaler.com\/blogs\/research\/malicious-chrome-extension-steals-cookies-and-credentials-bank-customers\" target=\"_blank\">extension that lifted login credentials<\/a>, cookies, and financial data from users who visited and logged into Banco do Brasil websites and accounts. 
And this month, the software security company Malwarebytes <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/01\/new-chrome-and-firefox-extensions-block-their-removal-to-hijack-browsers\/\" target=\"_blank\">published findings<\/a> about an extension (built for both Chrome and Firefox) called \u201cTiempo en colombia en vivo\u201d that forced itself to install when users visited compromised web pages and then was deviously difficult to uninstall. Malwarebytes researcher Pieter Arntz said that he couldn\u2019t even completely analyze what the extension\u2019s operations and goals were, because it was coded with extensive obfuscation.<\/p>\n<p>When hackers put effort into masking the true intent of software, it generally indicates that an arms race is ramping up. Obfuscation and runtime changes are the same techniques attackers use to sneak malicious mobile apps into the Google Play Store and Apple\u2019s App Store.<\/p>\n<p>\u201cI think the exposure is huge,\u201d says Jake Williams, a penetration tester and malware analyst who founded Rendition Infosec. \u201cIt&#x27;s trivial for an attacker to get their extension published and then change the behavior dynamically after it&#x27;s published.\u201d<\/p>\n<p>The Icebrg researchers who found four malicious extensions downloaded half a million times say that they found the scale of infections worrying. And though Chrome\u2019s improved defenses have clearly worked well enough to motivate new innovations from attackers, this next generation of malicious extensions may prove challenging to contain.<\/p>\n<p>\u201cWhat we saw in our research was that this was undetected and active across a large swath of enterprises,\u201d Icebrg\u2019s Peteroy says. 
\u201cThey\u2019re successful in bypassing Google\u2019s efforts to create security around extensions. And because extensions run at the application layer, running in the browser, it completely bypasses a lot of protections.\u201d<\/p>\n<p>The crucial thing you can do to protect yourself from malicious Chrome extensions is to choose what you download carefully and only use extensions from trusted sources, whether you&#x27;re in the Chrome Web Store or getting an extension from a specific developer. It\u2019s also important to check what permissions each extension asks for when you install it, to make sure there\u2019s nothing strange in the list, like a calculator tool that wants access to your webcam. And regularly review the list of Chrome extensions you have installed by going to \u201cWindow\u201d and then \u201cExtensions,\u201d so you can catch anything you don\u2019t want and use that has snuck in.<\/p>\n<p>Google says that more people are using Chrome extensions than ever, which makes sense, because they&#x27;re convenient and useful. But don&#x27;t go nuts downloading every weather tracker and emoji generator out there. 
There&#x27;s a lot more at stake than you might think.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/chrome-extension-malware\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5a6a5d9534ecd30ae89baac4\/master\/pass\/ChromeExtensionSecurity.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman| Date: Tue, 30 Jan 2018 12:00:00 +0000<\/strong><\/p>\n<p>While helpful and creative, Chrome extensions have also become a new playground for hackers intent on stealing your data.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-11304","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11304","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11304"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11304\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11304"},{"taxonomy":"post_tag","embeddable":tr
ue,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}