Google has removed over one hundred Chrome extensions from its Chrome Web Store following a report from the cyber security company Awake Security, which discovered a total of 111 Chrome add-ons that were used for malicious purposes.
According to the firm, the uncovered malicious extensions were capable of taking screenshots of the victim device, loading malware, reading the clipboard, harvesting tokens and monitoring keystrokes.
The researchers say that this is one of the largest campaigns targeting Chrome users discovered to date.
“To date, there have been at least 32,962,951 downloads of these malicious extensions—and this only accounts for the extensions that were live in the Chrome Web Store as of May 2020. For context, very few extensions have been downloaded more than 10 million times,” the company says.
According to Awake, some of the malicious extensions were found on the networks of "financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government organizations," suggesting they could be used as spying tools, although the company did not find any evidence that these extensions were used in such a way.
The list of the 111 malicious extension IDs can be found here.
Awake believes that the mastermind behind this campaign is a single threat actor, which the researchers have yet to identify. The assumption was made because all identified malicious extensions sent users' data back to domains registered through the GalComm domain registrar.
“The campaign involved thousands of domains and hundreds of malicious Chrome extensions with all the activity tying back to a single internet domain registrar: Gal Communication (CommuniGal) Ltd (GalComm),” the report says.
In turn, GalComm owner Moshe Fogel disputed Awake Security's claims and said that a quarter of the domains listed were not registered through GalComm or had expired. Mr. Fogel also added that his company is now investigating the issue.