Nearly 3 million people are infected with malware from third-party browser extensions

By Satsuki Then/Dec. 17, 2020 6:23 am EST

Threat researchers from Avast, a company known for digital security and privacy products, have discovered a massive amount of malware infections for people around the world. The researchers say that around 3 million people globally are infected with malware via third-party browser extensions for Instagram, Facebook, Vimeo, and others. Avast researchers say that malware is hidden in at least 28 third-party Google Chrome and Microsoft Edge extensions associated with some of the most popular platforms on the Internet.

Research showed the malware could redirect user traffic to ads or phishing sites. Malware is also able to steal personal data like birthdays, email addresses, and active devices. The extensions claim to aid users in downloading videos from sources and include Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK Unblock, and other extensions for Chrome and Edge.

Malicious code was discovered in the JavaScript-based extensions allowing them to download more malware onto a user's computer. Users infected with these malicious extensions also report the extensions can redirect them to other websites. When users click a link, the extension sends information about what users are clicking to the attacker's control server. That server can send a command to redirect the victim from the real link to a hijacked URL before redirecting them to the website they wanted to visit.

That allows the hackers to log all clicks being sent to the third party intermediary websites. The threat actors are also able to collect data, including sign-in time, login time, the name of the device, operating system, browser, and IP addresses, along with personal data. Avast researchers believe hackers operating the malicious extensions want to monetize the traffic. Every time connections are redirected to a third-party domain, the criminals get paid.

Researchers warn the malware can hide itself to avoid detection and removal. Avast says as of writing, the extensions are still available for download, but the Microsoft and Google Chrome teams have been contacted. A full list of the malicious extensions can be seen here.