Beware of Malicious Chrome Extensions: Insights from Reason Labs
In a significant cybersecurity discovery, researchers at Reason Labs unveiled the presence of three malevolent Chrome web extensions that have collectively amassed around 1.5 million installations. Initially disguised as credible VPN services, these extensions have infiltrated users’ browsers through torrent downloads.
Distribution Methods of Malicious Extensions
The insidious spread of these extensions was predominantly through torrent files of widely popular video games. Reason Labs highlighted specific titles such as Grand Theft Auto, The Sims 4, Heroes of Might and Magic III, and Assassin’s Creed, all of which were reportedly used to lure unwitting users. Astonishingly, the trojan installer was embedded within over 1,000 different torrent files claiming to provide access to premium games.
Installer Characteristics
- **File Size**: These dubious setup files range from 60 MB to 100 MB.
- **Signer Information**: The frequent use of the signer name “Spice & Wok Limited” suggests a consolidated attempt to legitimize the installers, though other names were utilized as well.
- **Automatic Installation**: Upon execution, the installer silently deploys one of the malicious extensions to the user’s browser without any interaction.
The stealthy installation process manipulates a Windows Registry key located at SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings\, which lets the extension be installed without the user ever seeing a prompt. This tactic, however, is not new; similar methods were uncovered as early as 2014.
Impact on Users and Devices
Upon installation, users unwittingly adopted two different extensions: netSave for Chrome and netPlus for Microsoft Edge, with the malicious Chrome extension alone achieving over 1 million installations, as cited by the researchers. The JavaScript code associated with these extensions—spanning over 20,000 lines—complicates analysis efforts, while the malicious extension masquerades as a VPN and deploys what experts term a cashback activity hack.
Unveiling the True Intentions
- **Disabling Competitor Extensions**: The installed extension acts to disable other legitimate cashback-related extensions already in the browser.
- **Fake VPN Interface**: A counterfeit VPN user interface is presented to users, concealing its ulterior motives.
- **Targeted Demographic**: The malware appears to cater to Russian-speaking individuals, predominantly impacting users in Russia, Ukraine, and Kazakhstan.
Safety Recommendations for Browser Users
In response to these alarming findings, Reason Labs promptly notified Google, resulting in the swift removal of the malicious extensions from the Chrome Web Store. However, Chrome and Edge users are urged to actively scrutinize their list of installed extensions to ensure these harmful add-ons are not present on their devices.
Essential Precautions to Consider
- **Utilize Legal Sources**: Only download extensions, games, and programs from verified and legitimate sources.
- **Regular Antivirus Updates**: Maintain a current antivirus program to safeguard against threats.
- **Caution with Links**: Refrain from clicking on unfamiliar links or popup advertisements.
- **Implement Two-Factor Authentication**: Strengthen security with two-factor authentication across accounts wherever possible.
For those interested in a deeper dive, technical details regarding this research can be accessed on the Reason Labs website.
Your Turn: Are you cautious about the browser extensions you use?
Additional Insights
1. How can I tell if an extension is malicious?
Look for extensions that have a low number of users, poor reviews, or lack clear developer information. Be wary if the extension requests excessive permissions that seem unnecessary for its functionality.
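As an added defender-side example (not Reason Labs' research code and not something from the article), the script below audits the extension records Chrome keeps in a profile's preferences file, the same extensions.settings data whose registry-stored checksums the installer above manipulates, and flags the traits this page describes: an install that did not come from the Web Store, the "management" permission an extension needs to disable other extensions, broad host access, and a VPN-branded name that never requests the "proxy" permission a genuine VPN-style extension would need. The file layout assumed (extensions -> settings -> extension id -> a record carrying "from_webstore" and a copy of the "manifest"), the sample ids, names and permission sets, and the risk weights are all constructed assumptions.

```python
"""Audit the extension records in a Chromium-style preferences file.

Added example for this article; not Reason Labs' tooling.  Assumes the
Chromium layout  extensions -> settings -> <extension id> -> record,
where each record carries "from_webstore" and a copy of the "manifest".
"""
import json
import sys
from typing import Dict, List

# Weights are an assumption for this example.  "management" is the permission
# behind chrome.management, which can disable other installed extensions;
# "<all_urls>" / "*://*/*" grant access to every site the user visits;
# the webRequest family lets an extension observe or rewrite traffic.
HIGH_RISK = {
    "management": 3,
    "<all_urls>": 2,
    "*://*/*": 2,
    "webRequest": 1,
    "webRequestBlocking": 1,
    "declarativeNetRequest": 1,
}


def score_extension(ext_id: str, record: Dict) -> Dict:
    """Return a risk score plus human-readable reasons for one extension record."""
    manifest = record.get("manifest", {})
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    reasons: List[str] = []
    score = 0
    if not record.get("from_webstore", False):
        score += 3
        reasons.append("not installed from the Web Store (sideloaded)")
    for perm, weight in HIGH_RISK.items():
        if perm in perms:
            score += weight
            reasons.append(f"requests {perm!r}")
    name = manifest.get("name", "")
    # A real VPN extension routes traffic through chrome.proxy, which needs "proxy".
    if "vpn" in name.lower() and "proxy" not in perms:
        score += 2
        reasons.append("claims to be a VPN but never requests 'proxy'")
    return {"id": ext_id, "name": name, "score": score, "reasons": reasons}


def audit_extensions(prefs_json: str) -> List[Dict]:
    """Parse a preferences JSON document and rank every extension by risk score."""
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    findings = [score_extension(ext_id, rec) for ext_id, rec in settings.items()]
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def load_findings(path: str) -> List[Dict]:
    """Audit a preferences file on disk (e.g. a profile's 'Secure Preferences')."""
    with open(path, encoding="utf-8") as fh:
        return audit_extensions(fh.read())


# Constructed sample: two invented records (ids, names and permissions are made up).
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "abcdefghijklmnopabcdefghijklmnop": {
                "from_webstore": True,
                "manifest": {"name": "Real Cashback Helper", "version": "2.0",
                             "permissions": ["storage", "tabs"]},
            },
            "ponmlkjihgfedcbaponmlkjihgfedcba": {
                "from_webstore": False,
                "manifest": {"name": "netSave VPN", "version": "1.0",
                             "permissions": ["management", "webRequest",
                                             "webRequestBlocking", "storage"],
                             "host_permissions": ["<all_urls>"]},
            },
        }
    }
})

if __name__ == "__main__":
    # Pass a preferences file path to audit a real profile; otherwise use the sample.
    results = load_findings(sys.argv[1]) if len(sys.argv) > 1 else audit_extensions(SAMPLE_PREFERENCES)
    for finding in results:
        print(f"[{finding['score']:>2}] {finding['name']} ({finding['id']})")
        for reason in finding["reasons"]:
            print(f"      - {reason}")
```

On Windows a Chrome profile's file lives under %LOCALAPPDATA%\Google\Chrome\User Data\<profile>\Secure Preferences (Edge uses %LOCALAPPDATA%\Microsoft\Edge\User Data\<profile>\); copy it while the browser is closed and pass the copy as the first argument. A high score is a prompt to look closer, not proof of malice: legitimate ad blockers also request broad host access, so the reasons list matters more than the number.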
2. What should I do if I suspect a malicious extension is installed?
If you believe you’ve installed a malicious extension, immediately remove it from your browser settings. Additionally, run a full antivirus scan to ensure no further threats exist on your device.
3. Are there safe ways to download software from torrents?
While downloading from torrents carries inherent risks, using reputable torrent sites and ensuring any downloaded files are scanned for malware can mitigate some dangers. Always prioritize downloading from recognized sources.