xiand.ai
Apr 17, 2026 · Updated 06:05 AM UTC
Cybersecurity

Over 100 malicious Chrome extensions found stealing user data and hijacking accounts

A coordinated campaign of more than 100 Chrome extensions is using the official Web Store to steal Google OAuth2 tokens and hijack Telegram sessions.

Ryan Torres

2 min read

[Image: Malicious Chrome extensions stealing user data]

More than 100 malicious extensions in the official Chrome Web Store are targeting users to steal Google account data, deploy backdoors, and conduct ad fraud, according to researchers at security firm Socket.

The extensions, which operate under five different publisher identities, cover various categories including Telegram sidebars, YouTube enhancers, and utility tools. Researchers identified a shared command-and-control infrastructure used to coordinate the campaign.

Socket researchers found evidence suggesting the operation is a Russian malware-as-a-service (MaaS) campaign, noting specific code comments related to authentication and session theft. The campaign relies on a central backend hosted on a Contabo VPS to manage identity collection and monetization.

Data harvesting and session hijacking

The malicious software operates through several distinct methods. One cluster of 78 extensions injects attacker-controlled HTML directly into the user interface. Another group of 54 extensions uses the 'chrome.identity.getAuthToken' function to harvest user names, emails, and profile pictures.

These extensions also steal Google OAuth2 Bearer tokens. These short-lived tokens allow attackers to access user data or act on the user's behalf without further interaction.

A third group of 45 extensions functions as a backdoor. This software runs automatically upon browser startup to fetch commands from a remote server and open arbitrary URLs without user consent.

One particularly severe extension targets Telegram Web users by stealing sessions every 15 seconds. "The extension also handles an inbound message (set_session_changed) that performs the reverse operation: it clears the victim's localStorage, overwrites it with threat actor-supplied session data, and force-reloads Telegram," Socket reported.

This capability allows operators to swap a victim's browser into a different Telegram account without the user knowing. Other extensions in the campaign strip security headers to inject ads into YouTube and TikTok or proxy translation requests through malicious servers.

Socket has notified Google of the findings, but many of the malicious extensions remain active on the Chrome Web Store. Users should check their installed extensions against the IDs published by Socket and uninstall any matches immediately.
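As an added, defender-side example (not Socket's tooling and not code from the article), the following Python script audits a Chrome profile's Extensions directory for the traits described above: it flags an installed extension when its ID is on a block list (a placeholder ID here; substitute the IDs Socket published), when its manifest declares the identity permission that chrome.identity.getAuthToken depends on, or when it asks for script access to web.telegram.org. The directory tree, the sample manifests and the IDs are constructed.

```python
# Audits installed Chrome extensions; Chrome keeps unpacked copies under
# <profile>/Extensions/<extension-id>/<version>/manifest.json.
import json
import tempfile
from pathlib import Path

# Placeholder only: substitute the extension IDs published by Socket.
KNOWN_BAD_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
TELEGRAM_HOSTS = ("web.telegram.org",)

def manifest_flags(manifest: dict) -> list:
    """Return the risk indicators present in one manifest."""
    flags = []
    # Harvesting account data via chrome.identity.getAuthToken requires
    # the "identity" permission to be declared in the manifest.
    if "identity" in manifest.get("permissions", []):
        flags.append("requests identity permission (chrome.identity.getAuthToken)")
    # Tampering with Telegram Web's localStorage needs script access to that origin.
    hosts = list(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts.extend(script.get("matches", []))
    if any(t in h for h in hosts for t in TELEGRAM_HOSTS):
        flags.append("script access to web.telegram.org")
    return flags

def audit_extensions(extensions_root: Path, bad_ids=KNOWN_BAD_IDS) -> list:
    """Walk <profile>/Extensions and return one finding per suspicious extension."""
    findings = []
    for manifest_path in sorted(extensions_root.glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        flags = manifest_flags(manifest)
        if ext_id in bad_ids:
            flags.insert(0, "ID on published block list")
        if flags:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"), "flags": flags})
    return findings

def build_sample_profile() -> Path:
    """Construct a throwaway Extensions tree: one benign and one suspicious manifest."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Plain Tool", "permissions": ["storage"]},
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Telegram Sidebar", "permissions": ["identity"],
            "content_scripts": [{"matches": ["https://web.telegram.org/*"], "js": ["inject.js"]}]},
    }
    for ext_id, manifest in samples.items():
        (root / ext_id / "1.0.0").mkdir(parents=True)
        (root / ext_id / "1.0.0" / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root
```

To audit a real profile, call audit_extensions with the profile's Extensions directory (for example ~/.config/google-chrome/Default/Extensions on Linux) and a populated block list.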