Vicious Google Chrome Extension Is Spying on You

Google Chrome browser is famous for some of the best security tools ever made. Among its pupular features is Safebrowsing which protects users from malicious websites. Actually, ChromeOS, which powers the affordable Chromebooks, is one of the safest systems a user can get.

Despite the fact that the surface of attack is smaller than that of a typical Windows PC, cyber criminals will always find a way to abuse the system. One of the main points of entry is via rogue browser extensions which are increasingly becoming a problem and are being leveraged in different types of attacks ranging from data theft, spying, pop up ads, etc.

In fact, Chrome extensions are rather similar to Android Apps due to the fact that they require certain permissions (access to your contacts, microphone, camera, etc.) and unfortunately more often than not, they require more rights than they ought to have. Besides, plenty of users don’t understand what those mean and after installing these extensions, they forget about them. This is the best opportunity for cyber criminals to push bogus applications and use a little bit of social engineering to coerce end users into downloading malware laden extensions.

For instance, you may accidentally come across a malvertising pushing a website forcing you to install a Chrome extension called iCalc. There is no clean way of closing the window and refusing to install this program. Once you move the mouse close to the address bar or near the close button, an annoying dialog accompanied by a stern audio message would pop up. This extension had signs of being malicious beyond its aggressive distribution method. Despite being listed in the Chrome store, it had no screenshot information or any reviews. Besides, it required invasive permissions for being a calculator.


Actually, there was little if nothing about any calculator in there but rather a set of scripts to create a proxy and perform web requests interceptions. Each browser’s tab was hooked and routed through the following domain:

Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant City: Panama

This extension was pulled out of the Chrome web store after it had been downloaded close to a thousand times. In fact, the most interesting fact here is that shortly after it was removed, the same malvertising campaign push out a different Chrome extension. However, this time the extension aimed at Russian users before also being replaced with a redirect to a social networking website.

Apart from the malware creators, many adware companies are pushing rogue extensions using their usual techniques: free coupons, recipes, videos too good to be true, etc. Usually, their motivation is to harvest your browsing habits and resell them to marketing companies to target you with ads.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.