Suspicious Chrome Extensions with Millions of Installs
Highly Obfuscated Code Raises Concerns
The extensions share other dubious or suspicious similarities. Much of the code in each one is highly obfuscated, a design choice that provides no benefit other than complicating the process for analyzing and understanding how it behaves.
Unlisted and Featured Extensions
All but one of them are unlisted in the Chrome Web Store. This designation makes an extension visible only to users who have the long pseudorandom string in the extension URL, so unlisted extensions appear neither in Web Store listings nor in search engine results. It’s unclear how these 35 unlisted extensions could have fetched 4 million installs collectively, or on average roughly 114,000 installs per extension, when they were so hard to find.
"Featured" Extensions with Questionable Behavior
Additionally, 10 of them are stamped with the “Featured” designation, which Google reserves for developers whose identities have been verified and “follow our technical best practices and meet a high standard of user experience and design.”
Example: Fire Shield Extension Protection
One example is the extension Fire Shield Extension Protection, which, ironically enough, purports to check Chrome installations for the presence of any suspicious or malicious extensions. One of the key JavaScript files it runs references several questionable domains, to which the extension can upload data and from which it can download instructions and code:
[Image: excerpt of the extension’s JavaScript referencing these domains. Credit: Secure Annex]
Common Domain
One domain in particular, unknow.com, is referenced in the remaining 34 extensions.
Analysis and Conclusions
Tuckner tried analyzing what the extensions did on this site but was largely thwarted by the obfuscated code and other steps the developer took to conceal their behavior. When the researcher, for instance, ran the Fire Shield extension on a lab device, it opened a blank webpage. Clicking on the icon of an installed extension usually opens an options menu, but Fire Shield displayed nothing when he did so. Tuckner then opened the extension’s background service worker in the Chrome developer tools to look for clues about what was happening. He soon saw that the extension connected to a URL at fireshieldit.com and performed some action under the generic category “browser_action_clicked.” He tried to trigger additional events but came up empty-handed.
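A triage pass over an unpacked extension directory that applies the two indicators this article leans on, references to the named domains and signs of obfuscation, as an added example written for this page rather than Secure Annex’s own tooling; the sample files, the heuristics and their thresholds are constructed assumptions, and the watchlist holds only the two domains the article names.

```python
import re

# Domains the article names in the extension code: unknow.com (present in 34 of the 35)
# and fireshieldit.com (contacted by Fire Shield). Extend with your own watchlist.
WATCHLIST_DOMAINS = {"unknow.com", "fireshieldit.com"}
DOMAIN_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def obfuscation_indicators(js: str) -> dict:
    """Cheap, reviewable heuristics (thresholds are assumptions, not a classifier).
    _0x-style identifiers and \\xNN escapes are typical of JS obfuscators; eval/Function
    let code fetched at runtime execute. Minifiers also produce very long lines,
    so treat max_line_len as supporting evidence only."""
    return {
        "hex_identifiers": len(re.findall(r"\b_0x[0-9a-fA-F]{4,}\b", js)),
        "hex_escapes": len(re.findall(r"\\x[0-9a-fA-F]{2}", js)),
        "dynamic_eval": len(re.findall(r"\b(?:eval|Function)\s*\(", js)),
        "max_line_len": max((len(line) for line in js.splitlines()), default=0),
    }

def triage_extension(files: dict) -> dict:
    """files maps each relative path in the unpacked extension to its text content.
    Returns every domain referenced, watchlist hits, per-file indicators and a verdict."""
    domains, indicators = set(), {}
    for path, content in files.items():
        domains.update(DOMAIN_RE.findall(content))
        if path.endswith(".js"):
            indicators[path] = obfuscation_indicators(content)
    hits = sorted(domains & WATCHLIST_DOMAINS)
    flagged = bool(hits) or any(
        i["hex_identifiers"] >= 3 or i["dynamic_eval"] > 0 for i in indicators.values())
    return {"domains": sorted(domains), "watchlist_hits": hits,
            "indicators": indicators, "flagged": flagged}

# Constructed sample files standing in for two unpacked extension directories.
SUSPICIOUS_EXTENSION = {
    "manifest.json": '{"name": "Constructed Sample", "manifest_version": 3,'
                     ' "background": {"service_worker": "bg.js"}}',
    "bg.js": ("var _0x1a2b=['https://unknow.com/api','https://fireshieldit.com/c'];"
              "function _0x3c4d(_0x5e6f){return fetch(_0x5e6f)}"
              "chrome.action.onClicked.addListener(function(){"
              "_0x3c4d(_0x1a2b[1]+'?e=browser_action_clicked');eval(atob('\\x41'))});"),
}
BENIGN_EXTENSION = {
    "manifest.json": '{"name": "Constructed Benign", "manifest_version": 3}',
    "popup.js": "document.getElementById('go').addEventListener('click', () => {\n"
                "  fetch('https://api.example.org/v1/status');\n});\n",
}
if __name__ == "__main__":
    for label, files in (("suspicious", SUSPICIOUS_EXTENSION), ("benign", BENIGN_EXTENSION)):
        print(label, triage_extension(files))
```

On a real machine, read the files from the extension’s unpacked directory under the Chrome profile into the same path-to-content mapping; a watchlist hit is the strong signal, the obfuscation counts only prioritise which files to read by hand.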
Conclusion
The suspicious Chrome extensions with millions of installs raise questions about the security and trustworthiness of the Chrome Web Store. The highly obfuscated code, unlisted and featured extensions, and questionable behavior of some extensions suggest that something is amiss.
FAQs
Q: What is the purpose of the suspicious Chrome extensions?
A: The purpose of the extensions is unclear, but they appear to be collecting data and potentially uploading it to various domains.
Q: How did these extensions manage to accumulate 4 million installs?
A: It is unclear how these extensions managed to accumulate 4 million installs, given that most of them are unlisted in the Chrome Web Store.
Q: What is the significance of the "Featured" designation?
A: The "Featured" designation is typically reserved for developers whose identities have been verified and who follow Google’s best practices and meet high standards of user experience and design.
Q: What should users do if they have installed one of these extensions?
A: Users who have installed one of these extensions should remove it immediately and run a virus scan to check for potential malware.