The Independent UK
Adam Smith

Google Chrome extensions stole browsing data in widest-reaching malware campaign ever

Incognito Mode in Google Chrome may not be as private as you think (AFP/Getty Images)

Google Chrome has been used to transmit spyware, as 32 million downloads of extensions to the browser carried malicious add-ons, according to researchers at Awake Security.

The researchers alerted Google, who removed over 70 pieces of software from its official Chrome Web Store.

Most of the free extensions purported to warn users about questionable websites or convert files from one format to another.

Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools.

It is the widest-reaching Chrome store campaign to date, according to Awake Security’s chief scientist Gary Golomb.

It is unclear who is responsible for this campaign, however, as developers supplied fake contact information when they submitted the extensions to Google.

The extensions were designed to avoid detection by antivirus companies or security software that evaluates the reputations of web domains.

“This shows how attackers can use extremely simple methods to hide, in this case, thousands of malicious domains,” Golomb said.

“When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” Google spokesperson Scott Westover said.

Google declined to discuss how the latest spyware compared with prior campaigns, the breadth of the damage, or why it did not detect and remove the bad extensions on its own despite past promises to supervise offerings more closely.

All the domains used were purchased from a registrar in Israel, Galcomm, also known as CommuniGal Communication.

“Galcomm is not involved, and not in complicity with any malicious activity whatsoever,” Fogel wrote. “You can say exactly the opposite, we cooperate with law enforcement and security bodies to prevent as much as we can.”

Fogel also claimed that there were no records of inquiries from Awake Security, and asked for a list of suspected domains. Upon being provided with a list, Fogel did not provide further clarification.

Awake Security says the company should have been aware of the actions being undertaken.

The Internet Corp for Assigned Names and Numbers, which oversees registrars, said it had received few complaints about Galcomm over the years, and none about malware.

Additional reporting by Reuters
