Making web browser extensions available is really like opening a can of worms. Given the nature of the Web, the actors that play in its dark corners, and the growing power of web browsers, it’s almost too easy for these plugins to take advantage of all that to harm users. Browser makers have been working hard to fight against such abuses, but some still slip through the cracks. One threat, in particular, was reportedly in operation for almost three years and has been found in widely-used extensions on Google Chrome and Microsoft Edge that, in total, accumulated more than 3 million installations.
It’s really no surprise that there are dozens of malware-laden extensions out there, even ones that get past Google’s automated Web Store checks. It’s also no surprise that the majority of these extensions are tools designed to download media from social networks or get past site blocks. Surprisingly, some of them actually do provide the features they advertise.
What makes the network of malicious extensions nicknamed CacheFlow a bit interesting is the set of techniques they use to evade detection, playing a game of cat and mouse with security software and users. For example, they delay activating their true purpose until a few days after installation to avoid raising red flags immediately. Amusingly, these extensions also deactivate their malicious behavior when they detect that the user is a web developer or has enabled developer tools that would alert the user to their activities.
Security outfit Avast also notes that CacheFlow seems to serve two purposes with a single strategy. It disguises its network traffic as legitimate analytics requests in order to send user data to a remote command-and-control server. At the same time, however, it also puts those analytics requests themselves to use for whatever purpose they might have.
Avast says that it has reported these extensions and its findings to Google and Microsoft, and all of the offending plugins were removed last December. That said, it would be no surprise either if similar or newer variants of CacheFlow appeared in the future to take advantage of this scheme again.