
How to Spot a ‘Sleeper’ Browser Extension That’s Actually Malware

Malicious extensions do occasionally find their way into the Chrome Web Store (and similar libraries in other browsers) by posing as legitimate add-ons. They are particularly difficult to catch when they are benign to begin with, only morphing into malware after gaining user trust.

That’s what happened with a number of extensions on Google Chrome and Microsoft Edge: researchers at Koi Security identified add-ons across both browsers that operated legitimately for several years before receiving malicious updates that allow hackers to surveil users and collect and exfiltrate sensitive data. The scheme, known as ShadyPanda, reached four million downloads and is still active on Edge.

Threat actors ran a similar campaign targeting Firefox earlier this year: They gained approval for benign extensions mimicking popular crypto wallets, accumulated downloads and positive reviews, and then injected the add-ons with malicious code capable of logging form field inputs, which they used to access and steal crypto assets.

Browser extensions can turn bad

As Koi Security outlines, ShadyPanda started out as an affiliate scam, with 145 extensions masquerading as wallpaper and productivity apps across the two browsers. In its initial phase the operation injected affiliate tracking codes and earned commissions from clicks to eBay, Amazon, and Booking.com; it then evolved to hijack and manipulate search results, before launching in 2018 the five extensions that would later be converted to malware.

Those add-ons were marked as Featured and Verified in Chrome—one, a cache cleaner known as Clean Master, accrued a 4.8 rating from thousands of reviews. The extensions were updated in 2024 to run malware that could check hourly for new instructions and maintain full browser access, feeding information to ShadyPanda’s servers. (These have since been removed from Chrome.)

Hackers launched an additional five extensions, including WeTab, on Edge in 2023. Two are comprehensive spyware, and all were still active as of Koi’s report.

How to find malicious extensions in Chrome and Edge

Unfortunately, malicious extensions are usually pretending to be something else, so a quick visual check of your installed extensions may not reveal a problem. In this case, Koi Security has a list of the extension IDs associated with the ShadyPanda campaign, and you’ll have to search for them one by one.

In Chrome, type chrome://extensions/ into your address bar and hit Enter. Toggle on Developer mode in the top-right corner to reveal the IDs of installed extensions. From here, you can copy and paste each ID into the page search (Ctrl+F on your PC or Cmd+F on your Mac). If there are no results, none of the flagged extensions is installed. If you do find a malicious add-on, click the Remove button. In Edge, follow the same process from edge://extensions/.
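The manual ID check above scales poorly across many IDs, profiles, and machines. The following script is an added example (not from the article or from Koi Security) that automates the same check by reading the on-disk extension layout that Chrome and Edge use (`<profile>/Extensions/<32-letter id>/<version>/manifest.json`). The profile paths are the well-known defaults for the "Default" profile only, and the IDs in `FLAGGED_IDS` are constructed placeholders: the real ShadyPanda IDs must be taken from Koi Security's published list. `build_sample_profile` creates a constructed, throwaway profile so the script can be exercised offline.

```python
"""Check installed Chrome/Edge extensions against a list of flagged IDs.

Added example; not code from the article or from Koi Security.
"""
import json
import os
import platform
import tempfile
from pathlib import Path

# Constructed placeholder IDs. Replace with the IDs from Koi Security's report.
FLAGGED_IDS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",  # placeholder, not a real extension
}

# Chrome/Edge extension IDs are 32 characters drawn from the letters a-p.
_ID_ALPHABET = set("abcdefghijklmnop")


def default_extension_dirs():
    """Candidate Extensions directories for the Default profile of Chrome and
    Edge on the current OS (assumed default install locations; extra profiles
    such as "Profile 1" are not covered)."""
    home = Path.home()
    system = platform.system()
    if system == "Windows":
        base = Path(os.environ.get("LOCALAPPDATA", str(home / "AppData" / "Local")))
        roots = [base / "Google" / "Chrome" / "User Data",
                 base / "Microsoft" / "Edge" / "User Data"]
    elif system == "Darwin":
        base = home / "Library" / "Application Support"
        roots = [base / "Google" / "Chrome", base / "Microsoft Edge"]
    else:
        base = home / ".config"
        roots = [base / "google-chrome", base / "microsoft-edge"]
    return [root / "Default" / "Extensions" for root in roots]


def list_installed_extensions(extensions_dir):
    """Yield (id, version, name) for each extension version found on disk."""
    extensions_dir = Path(extensions_dir)
    if not extensions_dir.is_dir():
        return
    for id_dir in sorted(extensions_dir.iterdir()):
        ext_id = id_dir.name
        if not (id_dir.is_dir() and len(ext_id) == 32 and set(ext_id) <= _ID_ALPHABET):
            continue  # not an extension directory
        for ver_dir in sorted(id_dir.iterdir()):
            manifest = ver_dir / "manifest.json"
            if not manifest.is_file():
                continue
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                data = {}  # unreadable manifest: still report the ID
            yield ext_id, data.get("version", ver_dir.name), data.get("name", "<unknown>")


def find_flagged_extensions(extensions_dirs, flagged_ids):
    """Return a list of {id, version, name, path} for installed flagged IDs."""
    hits = []
    for ext_dir in extensions_dirs:
        for ext_id, version, name in list_installed_extensions(ext_dir):
            if ext_id in flagged_ids:
                hits.append({"id": ext_id, "version": version,
                             "name": name, "path": str(ext_dir)})
    return hits


def build_sample_profile():
    """Create a constructed throwaway Extensions directory holding one flagged
    and one benign extension, and return its path (for offline testing)."""
    root = Path(tempfile.mkdtemp()) / "Default" / "Extensions"
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": ("Sample Cleaner", "3.2.1"),  # flagged
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": ("Sample Notes", "1.0.0"),    # benign
    }
    for ext_id, (name, version) in samples.items():
        ver_dir = root / ext_id / version + "_0" if False else root / ext_id / (version + "_0")
        ver_dir.mkdir(parents=True)
        (ver_dir / "manifest.json").write_text(
            json.dumps({"name": name, "version": version, "manifest_version": 3}),
            encoding="utf-8")
    return root


if __name__ == "__main__":
    hits = find_flagged_extensions(default_extension_dirs(), FLAGGED_IDS)
    if not hits:
        print("No flagged extension IDs found in the default profiles.")
    for hit in hits:
        print(f"FLAGGED: {hit['id']} {hit['name']} v{hit['version']} in {hit['path']}")
```

Run it as-is to scan the default Chrome and Edge profiles on the current machine; a reported hit should be followed by removing the extension from chrome://extensions/ or edge://extensions/ as described above. Because the script reads the profile on disk rather than the extensions page, it can also be pointed at profile directories copied from other machines during an incident review.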

While this campaign shows that extensions can be weaponized long after they’ve been installed, you should still follow best practices for vetting browser add-ons just as you would apps for your device. Check the name carefully, as fraudulent extensions often have names that are nearly identical to trustworthy ones. Review the description for any red flags, such as misspellings and unrelated images. If you see a lot of positive reviews in a short amount of time on a new extension, or if they seem to be reviewing something else entirely, proceed with caution. You can also do additional research, such as a search on Google or Reddit, to see if the extension is legit.

Original Source: https://lifehacker.com/tech/spot-sleeper-browser-malware-extensions?utm_medium=RSS

Disclaimer: This article is a reblogged/syndicated piece from a third-party news source. Content is provided for informational purposes only. For the most up-to-date and complete information, please visit the original source. Digital Ground Media does not claim ownership of third-party content and is not responsible for its accuracy or completeness.
