Nearly 80 Chrome extensions caught spying
Almost daily get a new report of a leak or breach of data of various users which risk the privacy of users this time, More than 100 malicious and fake Google Chrome browser extensions have amassed around 33 million downloads in total, according to an investigation by security firm Awake. Security researchers discovered 111 malicious extensions that were downloaded by users of the Google Chrome browser and spread dangerous spyware.
Reuters reported that the extensions claimed to warn users of dangerous websites and change the format of files when they had malicious intentions. Some of the extensions never appeared in the Chrome Web Store, the full Awake report noted, but instead themselves installed the Chromium open-source version of Chrome so that they could run without Google's approval.
Awake said the extensions were able to take screenshots of the victims' devices, load malware and read clipboards, as well as harvest tokens and user input, among other malicious operations.
The firm also found that the attackers used the infrastructure of 15,160 malicious or suspicious domains and were able to bypass sandboxes, endpoint detection and response solutions and web proxies.
Cybercriminals bought the domain names from GalComm, an Israel-based domain registrar. GalComm's owner told Reuters that his company was not aware that it was being used as part of a malicious campaign. However, the Awake report said that nearly 60% of the GalComm-registered domains that Awake researchers could reach were "malicious or suspicious." It added that "GalComm is at best complicit in malicious activity."
The researchers aren’t sure who is behind the attack but told Reuters that the attackers used fake contact details when applying to have their extensions published on the Chrome Web Store.
Google Response and What You Should Do
After learning of the malicious extensions last month, Google removed 79 of them. A spokesman for the tech giant, Scott Westover, told Reuters: “When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses.”
According to Jake Moore, a security specialist at ESET Illicit "extensions usually require permissions to grant further access to data on your machine which users must be vigilant of It's vital to check which permissions a browser extension requires especially when it’s free as some can be harmful" he said.
Remember, if you have a Chrome browser extension installed, but you don't need it at the moment, you can always go to chrome://extensions/ to disable it without removing it. (You can enable it when you need it.) Doing so will make Chrome run faster and free up memory on your computer.
The Malicious Chrome extensions
It's a rather long list, but here's the full list of the extension IDs of all 111 malicious Chrome (and Chromium) extensions that Awake discovered. Unfortunately, if you want to see if any of the extensions you've added to Chrome are on this list, you've got to do so manually.
Right-click or control-click the icon of a running extension in the upper right corner of the browser, and select "Manage extensions." A new tab will open describing the extension, and in the address bar of the tab, you'll see something that looks like
That long string of gibberish is a 32-character extension ID. Compare each of your extensions' IDs to the list below, and if anything matches, remove the extension.
- acmnokigkgihogfbeooklgemindnbine
- apgohnlmnmkblgfplgnlmkjcpocgfomp
- apjnadhmhgdobcdanndaphcpmnjbnfng
- bahkljhhdeciiaodlkppoonappfnheoi
- bannaglhmenocdjcmlkhkcciioaepfpj
- bgffinjklipdhacmidehoncomokcmjmh
- bifdhahddjbdbjmiekcnmeiffabcfjgh
- bjpknhldlbknoidifkjnnkpginjgkgnm
- blngdeeenccpfjbkolalandfmiinhkak
- ccdfhjebekpopcelcfkpgagbehppkadi
- cceejgojinihpakmciijfdgafhpchigo
- cebjhmljaodmgmcaecenghhikkjdfabo
- chbpnonhcgdbcpicacolalkgjlcjkbbd
- cifafogcmckphmnbeipgkpfbjphmajbc
- clopbiaijcfolfmjebjinippgmdkkppj
- cpgoblgcfemdmaolmfhpoifikehgbjbf
- dcmjopnlojhkngkmagminjbiahokmfig
- deiiiklocnibjflinkfmefpofgcfhdga
- dipecofobdcjnpffbkmfkdbfmjfjfgmn
- dopkmmcoegcjggfanajnindneifffpck
- dopmojabcdlfbnppmjeaajclohofnbol
- edcepmkpdojmciieeijebkodahjfliif
- ekbecnhekcpbfgdchfjcfmnocdfpcanj
- elflophcopcglipligoibfejllmndhmp
- eogfeijdemimhpfhlpjoifeckijeejkc
- fcobokliblbalmjmahdebcdalglnieii
- fgafnjobnempajahhgebbbpkpegcdlbf
- fgcomdacecoimaejookmlcfogngmfmli
- fgmeppijnhhafacemgoocgelcflipnfd
- fhanjgcjamaagccdkanegeefdpdkeban
- flfkimeelfnpapcgmobfgfifhackkend
- fmahbaepkpdimfcjpopjklankbbhdobk
- foebfmkeamadbhjcdglihfijdaohomlm
- fpngnlpmkfkhodklbljnncdcmkiopide
- gdifegeihkihjbkkgdijkcpkjekoicbl
- gfcmbgjehfhemioddkpcipehdfnjmief
- gfdefkjpjdbiiclhimebabkmclmiiegk
- ggijmaajgdkdijomfipnpdfijcnodpip
- ghgjhnkjohlnmngbniijbkidigifekaa
- gllihgnfnbpdmnppfjdlkciijkddfohn
- gmmohhcojdhgbjjahhpkfhbapgcfgfne
- gofhadkfcffpjdbonbladicjdbkpickk
- hapicipmkalhnklammmfdblkngahelln
- hijipblimhboccjcnnjnjelcdmceeafa
- hmamdkecijcegebmhndhcihjjkndbjgk
- hodfejbmfdhcgolcglcojkpfdjjdepji
- hpfijbjnmddglpmogpaeofdbehkpball
- ianfonfnhjeidghdegbkbbjgliiciiic
- ibfjiddieiljjjccjemgnoopkpmpniej
- inhdgbalcopmbpjfincjponejamhaeop
- iondldgmpaoekbgabgconiajpbkebkin
- ipagcbjbgailmjeaojmpiddflpbgjngl
- jagbooldjnemiedoagckjomjegkopfno
- jdheollkkpfglhohnpgkonecdealeebn
- jfefcmidfkpncdkjkkghhmjkafanhiam
- jfgkpeobcmjlocjpfgocelimhppdmigj
- jghiljaagglmcdeopnjkfhcikjnddhhc
- jgjakaebbliafihodjhpkpankimhckdf
- jiiinmeiedloeiabcgkdcbbpfelmbaff
- jkdngiblfdmfjhiahibnnhcjncehcgab
- jkofpdjclecgjcfomkaajhhmmhnninia
- kbdbmddhlgckaggdapibpihadohhelao
- keceijnpfmmlnebgnkhojinbkopolaom
- khhemdcdllgomlbleegjdpbeflgbomcj
- kjdcopljcgiekkmjhinmcpioncofoclg
- kjgaljeofmfgjfipajjeeflbknekghma
- labpefoeghdmpbfijhnnejdmnjccgplc
- lameokaalbmnhgapanlloeichlbjloak
- lbeekfefglldjjenkaekhnogoplpmfin
- lbhddhdfbcdcfbbbmimncbakkjobaedh
- ldoiiiffclpggehajofeffljablcodif
- lhjdepbplpkgmghgiphdjpnagpmhijbg
- ljddilebjpmmomoppeemckhpilhmoaok
- ljnfpiodfojmjfbiechgkbkhikfbknjc
- lnedcnepmplnjmfdiclhbfhneconamoj
- lnlkgfpceclfhomgocnnenmadlhanghf
- loigeafmbglngofpkkddgobapkkcaena
- lpajppfbbiafpmbeompbinpigbemekcg
- majekhlfhmeeplofdolkddbecmgjgplm
- mapafdeimlgplbahigmhneiibemhgcnc
- mcfeaailfhmpdphgnheboncfiikfkenn
- mgkjakldpclhkfadefnoncnjkiaffpkp
- mhinpnedhapjlbgnhcifjdkklbeefbpa
- mihiainclhehjnklijgpokdpldjmjdap
- mmkakbkmcnchdopphcbphjioggaanmim
- mopkkgobjofbkkgemcidkndbglkcfhjj
- mpifmhgignilkmeckejgamolchmgfdom
- nabmpeienmkmicpjckkgihobgleppbkc
- nahhmpbckpgdidfnmfkfgiflpjijilce
- ncepfbpjhkahgdemgmjmcgbgnfdinnhk
- npaklgbiblcbpokaiddpmmbknncnbljb
- npdfkclmbnoklkdebjfodpendkepbjek
- nplenkhhmalidgamfdejkblbaihndkcm
- oalfdomffplbcimjikgaklfamodahpmi
- odnakbaioopckimfnkllgijmkikhfhhf
- oklejhdbgggnfaggiidiaokelehcfjdp
- omgeapkgiddakeoklcapboapbamdgmhp
- oonbcpdabjcggcklopgbdagbfnkhbgbe
- opahibnipmkjincplepgjiiinbfmppmh
- pamchlfnkebmjbfbknoclehcpfclbhpl
- pcfapghfanllmbdfiipeiihpkojekckk
- pchfjdkempbhcjdifpfphmgdmnmadgce
- pdpcpceofkopegffcdnffeenbfdldock
- pgahbiaijngfmbbijfgmchcnkipajgha
- pidohlmjfgjbafgfleommlolmbjdcpal
- pilplloabdedfmialnfchjomjmpjcoej
- pklmnoldkkoholegljdkibjjhmegpjep
- pknkncdfjlncijifekldbjmeaiakdbof
- plmgefkiicjfchonlmnbabfebpnpckkk
- pnciakodcdnehobpfcjcnnlcpmjlpkac
- ponodoigcmkglddlljanchegmkgkhmgb