Malicious extensions for the Chrome browser continue to spring up just as quickly as the search giant cuts them down. This month, another batch appeared.
Google deleted 49 malicious Chrome extensions from the Chrome Web Store in mid-April after security researcher Harry Denley found them phishing cryptocurrency users. The extensions impersonate Chrome extensions for legitimate cryptocurrency wallets, but when installed they pilfer the users’ private keys and other secrets used to access digital wallets so that their authors can steal victims’ funds. Now Denley has found more.
Talking to Naked Security, Denley explained that he finds new ones each day. He pointed us to this Pastebin entry showing the original 49 he reported in April, along with another 22. The new ones impersonated the Ledger, KeepKey, MetaMask, and Jaxx wallets. The IDs on the left are extension IDs, which show up at the end of an extension’s URL when viewed in the Chrome store.
Google had already taken down most of the offending wallets at the time of writing, and has been generally pretty responsive, according to Denley, who said:
Yeah, they have been, for the majority. Actioned my reports within 24 hours.
New rules
Google has acknowledged a general problem with malicious extensions and has announced new rules for the Chrome Web Store. It said:
We want to ensure that the path of a user discovering an extension from the Chrome Web Store is clear and informative and not muddled with copycats, misleading functionalities or fake reviews and ratings.
The rules forbid developers from publishing multiple extensions that do the same thing, and prohibits misleading metadata, including anonymous user testimonials in app descriptions. Developers can’t upload extensions that exist solely to launch another app or extension, and they shouldn’t send spam notifications, the company added.
It said that developers must comply with the policy after 27 August 2020. After that point, apps violating the rules “may be taken down and disabled”.
The problem, according to Dan Finlay, the lead developer at crypto wallet company MetaMask, is that Google allows phishing ads that point to fake extensions. Initially talking about shortcomings in the company’s manual extension review process, he said:
MEANWHILE, Google _keeps on approving phishers_. The quantity of impostor MetaMasks on the Chrome store has been growing, and apparently they all pass the manual security review. FURTHERMORE they are all allowed to buy premium Google ad space at the top of search results.
— Dan Finlay (@danfinlay) May 5, 2020
Finlay said that he reported the problem, sending trademark notices and bug reports, but that Google didn’t reply. What he’d really like to see is the ability to block other extensions or ads from using MetaMask’s name.
Denley agreed. He told us:
The official MetaMask extension has over 1,000,000 users – you’d assume Google would have some sort of plan to tackle any potential fake extensions with the Metamask branding.
Weirdly, while Google has been quick to take down most fake cryptocurrency wallet extensions, at the time of writing (7am BST) one of the fake MetaMask extensions was still up. Its listing reports 380 users.
The best advice:
- Install as few extensions as possible and, despite the above, only from official web stores.
- Check the reviews and feedback from others who’ve installed the extension.
- Pay attention to the developer’s reputation, how responsive they are to questions and how frequently they post version updates.
- Study the permissions they ask for (in Chrome, Settings > Extensions > Details) and make sure they’re in line with the extension’s features. Be suspicious if the permissions change.