Google Chrome: Beware these malicious extensions that record everything you do

Google has removed 89 malicious extensions from the Chrome Web Store that had been installed on over 420,000 browsers, turning those browsers into Monero-mining slaves and loading a tool that records and replays what their owners do on every website they visit.

Researchers at Trend Micro dubbed the family of malicious extensions Droidclub and discovered they included a software library with so-called "session-replay scripts" used by online analytics firms.

Princeton's Center for Information Technology in November drew attention to the increasing use of session-replay scripts by third-party analytics firms on high-traffic websites.

The study looked at replay services from Yandex, FullStory, Hotjar, UserReplay, Smartlook, Clicktale, and SessionCam, which were found on nearly 500 popular sites.

The scripts allow a site owner to essentially shoulder-surf visitors by recording and replaying their "keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit".

But instead of allowing a site owner to record and play back what users do on one site, Droidclub extensions allow the attacker to see what victims do on every single site they visit.

"These scripts are injected into every website the user visits. These libraries are meant to be used to replay a user's visit to a website, so that the site owner can see what the user saw, and what he entered into the machine, among other things," said Trend Micro fraud analyst Joseph Chen.

"Other researchers have raised the possibility that these libraries could be abused, but this is the first time we have seen this in the wild."

The 98 malicious extensions are an odd collection of home-cooking- and home-decoration-themed tools, which victims most likely did not go to the Chrome Web Store to search for.

Rather, the attackers used a blend of malicious ads and social engineering to trick victims into installing the extensions. A malicious ad posing as an error message prompted the victim to install an extension from the Chrome Web Store to view blocked content.

Chen says the extensions employ a session-replay script available in a JavaScript library from Yandex Metrica.

The extension, combined with the library, allows the attacker to steal data entered into forms, including names, credit card numbers, CVV numbers, email addresses, and phone numbers. Passwords are not stolen, according to Chen.
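The capability Chen describes, a script injected into every page the user visits, requires the extension's manifest to grant it that reach: a content script with an all-sites match pattern, and usually all-sites host access and a content security policy that permits loading script from a remote origin. The following is an added example, not code from the article or from Trend Micro, of a small triage script a defender could run over the manifests of installed extensions (Chrome stores each one's `manifest.json` under the profile's Extensions directory) to flag the ones worth inspecting first. The two sample manifests and their names ("Recipe Finder", "Site Notes") are constructed for the example; the article does not state which manifest settings Droidclub used, so the checks are generic rather than a Droidclub signature.

```javascript
// Added example (not the article's or Trend Micro's code): flag Chrome extension
// manifests that can inject script into every site the user visits.

// Match patterns that cover every website.
const BROAD_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

function isBroadPattern(pattern) {
  return BROAD_PATTERNS.has(pattern);
}

// Returns a list of findings for one parsed manifest.json object.
function auditManifest(manifest) {
  const findings = [];

  // 1. Content scripts whose match pattern covers every site: this is what
  //    lets an extension run a session-replay library on every page.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isBroadPattern);
    if (broad.length > 0) {
      findings.push({
        kind: 'content_script_all_sites',
        detail: `${(cs.js || []).join(', ')} runs on ${broad.join(', ')}`,
      });
    }
  }

  // 2. Host access to every site. Manifest V2 lists host patterns under
  //    "permissions"; Manifest V3 moved them to "host_permissions".
  const hosts = [...(manifest.permissions || []), ...(manifest.host_permissions || [])]
    .filter(isBroadPattern);
  if (hosts.length > 0) {
    findings.push({ kind: 'host_access_all_sites', detail: hosts.join(', ') });
  }

  // 3. A CSP that whitelists a remote origin lets the extension fetch and run
  //    script at run time, so the behaviour can change after store review.
  const cspField = manifest.content_security_policy;
  const csp = typeof cspField === 'string' ? cspField : (cspField || {}).extension_pages || '';
  const remote = csp.match(/https?:\/\/[^\s;']+/g) || [];
  if (remote.length > 0) {
    findings.push({ kind: 'remote_script_origin', detail: remote.join(', ') });
  }

  return findings;
}

// Audits a list of manifests and keeps only those with findings.
function auditAll(manifests) {
  return manifests
    .map((m) => ({ name: m.name, findings: auditManifest(m) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample manifests; these are not real extensions.
const SAMPLE_MANIFESTS = [
  {
    name: 'Recipe Finder',
    manifest_version: 2,
    permissions: ['<all_urls>', 'tabs'],
    content_scripts: [{ matches: ['<all_urls>'], js: ['tracker.js'], run_at: 'document_start' }],
    content_security_policy: "script-src 'self' https://cdn.example.invalid; object-src 'self'",
  },
  {
    name: 'Site Notes',
    manifest_version: 3,
    host_permissions: ['https://notes.example.invalid/*'],
    content_scripts: [{ matches: ['https://notes.example.invalid/*'], js: ['notes.js'] }],
  },
];

const REPORT = auditAll(SAMPLE_MANIFESTS);
for (const entry of REPORT) {
  console.log(`[review] ${entry.name}`);
  for (const f of entry.findings) console.log(`  - ${f.kind}: ${f.detail}`);
}
```

A hit from this script is a reason to read the extension's code, not proof of malice: legitimate password managers and ad blockers also need all-sites access. The useful signal is the combination of an all-sites content script with a remote script origin in a store listing whose purpose (recipes, decoration) does not call for either.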

Google said in a statement to Trend Micro that it had disabled the extensions on devices of all affected Chrome users.

And although Google encourages users to report malicious extensions, Droidclub extensions have been designed to thwart that process too.

If users try to report an extension via the Chrome Web Store, they end up being redirected to the introduction page of the affected extension. Attempts to remove the extension also lead the user to a fake page that tells them the extension has been removed when it has not.

Last month Google also removed four malicious extensions from the Chrome Web Store that had been installed by 500,000 Chrome users.