Experts spotted browser malicious extensions for Instagram, Facebook and others

Avast researchers reported that three million users installed 28 malicious Chrome or Edge extensions that could perform several malicious operations.

Avast Threat Intelligence researchers spotted malicious Chrome and Edge browser extensions that were installed by over 3 million users.

The extensions were designed to steal user’s data (i.e. birth dates, email addresses, and active devices) and redirect the victims to ads and phishing sites.

Many of these applications are still available on the Chrome Web Store and the Microsoft Edge Add-ons portal. 

“The extensions which aid users in downloading videos from these platforms include Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK Unblock, and other browser extensions on the Google Chrome Browser, and some on Microsoft Edge Browser.” reads the analysis published by Avast. “The researchers have identified malicious code in the Javascript-based extensions that allows the extensions to download further malware onto a user’s PC. “

The tainted extensions pose as helper add-ons for Vimeo, Instagram, Facebook, and other popular online services.

Experts pointed out that the malware is quite difficult to detect since its ability to “hide itself,” it is able to detect if the user is googling one of its domains or if the user is a web developer and in these cases, it won’t perform any malicious activities on the victim’s browser. It is interesting to note that the malware avoids infecting web developers because they could unmask the malicious code in the extensions.

The malicious extensions are part of a campaign aimed at hijacking user traffic for financial motivation.

“Avast researchers believe the objective behind this is to monetize the traffic itself. For every redirection to a third party domain, the cybercriminals would receive a payment.” Avast said.

The extensions were discovered in November, but experts highlighted that some of them had been active since at least December 2018 and had tens of thousands of installs. To evade detection the malicious extensions only start to exhibit malicious behavior days after installation

Avast shared its findings with both Google and Microsoft that are scrutinizing the extensions.

Below the full list of tainted extensions:

Direct Message for InstagramDirect Message for InstagramDM for InstagramInvisible mode for Instagram Direct MessageDownloader for InstagramInstagram Download Video & ImageApp Phone for InstagramApp Phone for InstagramStories for InstagramUniversal Video DownloaderUniversal Video DownloaderVideo Downloader for FaceBookVideo Downloader for FaceBookVimeo Video DownloaderVimeo Video DownloaderVolume ControllerZoomer for Instagram and FaceBookVK UnBlock. Works fast.Odnoklassniki UnBlock. Works quickly.Upload photo to InstagramSpotify Music DownloaderStories for InstagramUpload photo to InstagramPretty Kitty, The Cat PetVideo Downloader for YouTubeSoundCloud Music DownloaderThe New York Times NewsInstagram App with Direct Message DMIf you have installed one of the above extensions uninstall and remove it from your browsers.

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}
Pierluigi Paganini

(SecurityAffairs – hacking, malicious extensions)

The post Experts spotted browser malicious extensions for Instagram, Facebook and others appeared first on Security Affairs.