01.20.14

Beware: Malicious Chrome plugins

Hackers buy Chrome plugins in order to turn them into malware.

Virus developers get their hands on legitimate, popular plugins and turn them into hacking tools. Because the plugins are considered legitimate, most antivirus programs do not detect their activity. So how can you identify the affected plugins and dispose of them?

For quite some time, malware writers have been buying Chrome add-ons, known as plugins, in order to take advantage of the automatic update capability built into the Google browser's extensions feature and push updates to users that turn the plugins into malware.

There have been several cases in which legitimate extension developers were surprised to receive offers to buy their plugins, and were even more surprised to find out later that the purchasers had turned the plugins into malware.

One example was exposed in the blog of a colleague named Amit Aggarwal, who said that he received a four-digit offer to purchase his plugin, which is used by more than 30 thousand users. Aggarwal, who had invested only about an hour in developing the plugin, obviously agreed to the deal. One month later, he noticed that the new owners had released an automatic update that did not include any new features or bug fixes. Instead, it added an advertising component with invisible ads running in the background and replaced users' links with links to co-advertising vendors.

As a result, the plugin's rating dropped. However, it seems that many users are unaware of the change, since the number of users currently stands at about 31 thousand, similar to the number on the sale date.

Aggarwal's case is not the only one. About a month ago, a plugin called 'Tweet This Page' started to introduce various advertisements for websites and to hijack searches carried out on Google. A quick check revealed a few more plugins that made a similar move, including even a plugin designed to prevent other plugins from displaying advertisements.

So how can you get rid of such malicious plugins?

Identifying these plugins can be problematic, since they are usually not detected by antivirus software. If your Chrome browser starts acting strangely and displays bizarre advertisements, or Google search displays suspicious results or links that lead to unexpected places, you too may have fallen victim to this method.
Currently, the best approach is to open Chrome's Extensions page and disable, one by one, every plugin that could be the cause (there is no need to check plugins developed by Google) until the problem is gone, then delete the last plugin you disabled. At best, no other action will be required, but it is not impossible that a malicious plugin will find a way to leave traces on your computer even after deletion.

Unfortunately, Chrome has no option to prevent automatic updating of plugins, and the only way to monitor the updates is to . . . install a plugin that announces whenever another plugin is updated.
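
Update monitoring can also be done from outside the browser. The following is an added example, not part of the original article: it snapshots the installed plugin versions on disk and reports which ones were updated and what additional access the update requests. It assumes the Chrome profile's `Extensions/<extension id>/<version>_0/manifest.json` layout; the function names and the sample id and manifests are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

def version_key(version):
    return tuple(int(p) for p in version.split("."))  # one to four dot-separated integers

def reach(manifest):
    """API permissions, host permissions and content-script targets the manifest requests."""
    items = list(manifest.get("permissions", [])) + manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        items += script.get("matches", [])
    return sorted({i if isinstance(i, str) else json.dumps(i) for i in items})

def snapshot(extensions_dir):
    """Map extension id -> newest installed version and what that version can reach."""
    snap = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        manifest = json.loads(path.read_text(encoding="utf-8-sig"))  # tolerate a BOM
        entry = {"version": manifest["version"], "reach": reach(manifest)}
        seen = snap.get(path.parent.parent.name)
        if seen is None or version_key(entry["version"]) > version_key(seen["version"]):
            snap[path.parent.parent.name] = entry
    return snap

def changes(old, new):
    """(id, old version, new version, newly requested reach) for updated or new extensions."""
    report = []
    for ext_id, entry in sorted(new.items()):
        before = old.get(ext_id, {"version": None, "reach": []})
        if before["version"] != entry["version"]:
            added = sorted(set(entry["reach"]) - set(before["reach"]))
            report.append((ext_id, before["version"], entry["version"], added))
    return report

def write_manifest(extensions_dir, ext_id, manifest):
    # Helper for the constructed demo: mimics Chrome's <id>/<version>_0/ layout.
    target = Path(extensions_dir) / ext_id / (manifest["version"] + "_0")
    target.mkdir(parents=True)
    (target / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

if __name__ == "__main__":
    ext_id = "a" * 32  # constructed extension id
    with tempfile.TemporaryDirectory() as root:
        write_manifest(root, ext_id, {"version": "1.0", "permissions": ["tabs"]})
        before = snapshot(root)
        write_manifest(root, ext_id, {"version": "1.1", "permissions": ["tabs", "<all_urls>"]})
        for row in changes(before, snapshot(root)):
            print(row)
```

An update that changes the version while adding broad access such as `<all_urls>`, with no visible new feature, matches the pattern described in the cases above and is worth a manual look.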