Malicious Chrome VPN Extensions Force-Installed 1.5 Million Times
In a recently discovered malware campaign, three Chrome and Edge extensions disguised as VPNs were installed 1.5 million times.
Discovered by researchers at ReasonLabs, the fake extensions were spread through an installer hidden in torrents posing as popular video games such as Grand Theft Auto, Assassin's Creed, and The Sims 4.
The extensions were reported to Google, which removed them from the Chrome Web Store. By then, netSave and netWin together accounted for around 500,000 installs, and netPlus had been installed a million times.
The campaign appears to target Russian speakers, as the extensions' interface is in Russian. "Using data derived from ReasonLabs users, we were able to identify tens of thousands of users infected with the Trojan across Russia, Ukraine, Kazakhstan, Moldova, and more – countries with many Russian speakers," the report states.
The ReasonLabs team found over a thousand torrent files delivering the malicious installers, each between 60 MB and 100 MB in size. The installer unpacks automatically and force-installs one of the three extensions into the browser without asking for user consent; it also checks the machine for installed antivirus products.
The extensions present a realistic VPN interface with limited functionality and a paid subscription tier to appear legitimate. Analysis of their code showed that they not only disabled other cashback and coupon extensions in the browser but also manipulated cashback activity.
The extensions' manifest also requests the "tabs," "storage," "proxy," "webRequest," "webRequestBlocking," "declarativeNetRequest," "scripting," "alarms," "cookies," "activeTab," "management," and "offscreen" permissions.
The "offscreen" permission in particular lets the extension use the Offscreen API to create a hidden offscreen document with its own DOM, something a Manifest V3 background service worker otherwise lacks. From there it can quietly run scripts and interact with the DOM to steal user data, while the "management" permission lets it disable other installed extensions.
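The permission list above is the kind of thing a reviewer can check mechanically. The following Node.js script is an added example for this article, not ReasonLabs' code or the extensions' own code: it audits an extension's manifest.json for the permissions quoted in the report and flags the combinations that make the described behaviour possible. The risk notes, the combination rules and both sample manifests are constructed for illustration, and the function and constant names are this example's own.

```javascript
// Added example (not ReasonLabs' or the extensions' own code): audit an
// extension manifest for high-risk permissions and risky combinations.
// Risk notes, combination rules and sample manifests are constructed here.

// Individual permissions worth a second look during extension review.
const HIGH_RISK = {
  management: "enumerate, disable or uninstall other installed extensions",
  offscreen: "open a hidden offscreen document with its own DOM, never shown to the user",
  proxy: "route the browser's traffic through an attacker-chosen proxy",
  webRequestBlocking: "intercept and modify requests synchronously",
  declarativeNetRequest: "rewrite, redirect or block requests by rule",
  cookies: "read and write cookies, including session cookies, for permitted hosts",
  scripting: "inject scripts and styles into pages",
};

// Combinations that enable a capability none of the parts has alone.
const COMBOS = [
  { needs: ["management", "offscreen"], note: "silently disable competing extensions from a hidden document" },
  { needs: ["proxy", "cookies"], note: "redirect traffic while holding the user's session cookies" },
  { needs: ["declarativeNetRequest", "webRequestBlocking"], note: "two independent paths to tamper with requests" },
];

// Audits a parsed manifest object and returns the findings.
function auditManifest(manifest) {
  const declared = new Set([
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ]);
  const findings = [...declared]
    .filter((p) => Object.prototype.hasOwnProperty.call(HIGH_RISK, p))
    .sort()
    .map((p) => ({ permission: p, note: HIGH_RISK[p] }));
  const combos = COMBOS.filter((c) => c.needs.every((n) => declared.has(n))).map((c) => c.note);
  // In Manifest V3, Chrome only honours webRequestBlocking for extensions
  // installed by enterprise policy, so its presence hints at a policy install.
  const policyInstallHint = manifest.manifest_version === 3 && declared.has("webRequestBlocking");
  return {
    name: manifest.name || "(unnamed)",
    manifestVersion: manifest.manifest_version,
    flagged: findings.map((f) => f.permission),
    combos,
    findings,
    policyInstallHint,
  };
}

// Parses manifest.json text, e.g. read from
// <profile>/Extensions/<id>/<version>/manifest.json, and audits it.
function auditManifestText(jsonText) {
  return auditManifest(JSON.parse(jsonText));
}

// Constructed manifest mirroring the permission list quoted in the article.
const SUSPECT_MANIFEST = JSON.stringify({
  manifest_version: 3,
  name: "example-vpn",
  version: "1.0",
  permissions: ["tabs", "storage", "proxy", "webRequest", "webRequestBlocking",
    "declarativeNetRequest", "scripting", "alarms", "cookies", "activeTab",
    "management", "offscreen"],
});

// Constructed manifest of a minimal, unremarkable extension for comparison.
const BENIGN_MANIFEST = JSON.stringify({
  manifest_version: 3,
  name: "example-notes",
  version: "1.0",
  permissions: ["storage", "activeTab"],
});

function printReport(result) {
  console.log(`${result.name} (manifest v${result.manifestVersion}): ${result.flagged.length} high-risk permission(s)`);
  for (const f of result.findings) console.log(`  ${f.permission}: ${f.note}`);
  for (const c of result.combos) console.log(`  combination: ${c}`);
  if (result.policyInstallHint) console.log("  note: webRequestBlocking under MV3 only works for policy-installed extensions");
}

printReport(auditManifestText(SUSPECT_MANIFEST));
printReport(auditManifestText(BENIGN_MANIFEST));
```

Run with `node audit.js`; to audit an installed extension, read its manifest.json from the browser profile's Extensions directory and pass the text to `auditManifestText`. The script flags all seven high-risk permissions and all three combinations for the sample VPN manifest and nothing for the minimal one. The policy-install note is a general fact about Chrome's Manifest V3 rules, not a claim about how this particular installer worked, which the report does not detail.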
The report highlights the growing threat from pirated software and fake extensions; users should check reviews and install applications only from official, verified sources.