A recent analysis of Chrome browser extensions performed by USENIX, The Advanced Computer Systems Association, has revealed a relatively high number of malicious and suspicious extensions, many of which have been downloaded by millions of users.
In a PDF document issued by USENIX detailing their findings, the researchers noted:
The amount of critical and private data that web browsers mediate continues to increase, and naturally this data has become a target for criminals. In addition, the web’s advertising ecosystem offers opportunities to profit by manipulating a user’s everyday browsing behavior. As a result, malicious browser extensions have become a new threat, as criminals realize the potential to monetize a victim’s web browsing session and readily access web-related content and private data.
USENIX utilized a dynamic analysis system of their own creation called Hulk (which flushes out an extension’s malicious behavior) to analyze 48,332 Chrome extensions.
“First, Hulk leverages HoneyPages, which are dynamic pages that adapt to an extension’s expectations in web page structure and content,” USENIX explains. “Second, Hulk employs a fuzzer to drive the numerous event handlers that modern extensions heavily rely upon.”
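A minimal sketch of the two ideas in that description, added here as an illustration and not taken from Hulk or the USENIX paper: a stand-in document that fabricates whatever element a script asks for and logs the request, and a loop that fires every handler the script registered. All function names and the sample script are constructed for the example, and it runs under Node without a browser.

```javascript
// Added illustration; not Hulk's code. All names here are hypothetical.
function makeHoneyDocument() {
  const log = [];             // queries and reads made by the script under test
  const elements = new Map(); // selector -> element fabricated for it

  function fabricate(selector) {
    const bare = selector.replace(/\[[^\]]*\]/g, ''); // drop [attr=value] parts
    const el = {
      tag: (bare.match(/^[a-z][a-z0-9]*/i) || ['div'])[0].toLowerCase(),
      id: (bare.match(/#([\w-]+)/) || [])[1] || '',
      classes: [...bare.matchAll(/\.([\w-]+)/g)].map(m => m[1]),
      attrs: {},
      handlers: {},
      addEventListener(type, fn) { (el.handlers[type] = el.handlers[type] || []).push(fn); },
      // Reads of the bait value are recorded, so data access is visible.
      get value() { log.push({ op: 'read-value', selector }); return 'honey-token'; },
    };
    for (const m of selector.matchAll(/\[([\w-]+)=["']?([^"'\]]*)["']?\]/g)) el.attrs[m[1]] = m[2];
    return el;
  }
  function lookup(op, selector) {
    log.push({ op, selector });
    if (!elements.has(selector)) elements.set(selector, fabricate(selector));
    return elements.get(selector); // same selector, same element: a stable page
  }
  return {
    log, elements,
    querySelector: sel => lookup('querySelector', sel),
    getElementById: id => lookup('getElementById', '#' + id),
  };
}

// Fire every registered handler so event-gated behavior lands in the log.
function fuzzHandlers(doc) {
  let fired = 0;
  for (const el of [...doc.elements.values()])
    for (const [type, fns] of Object.entries(el.handlers))
      for (const fn of fns) { fn.call(el, { type, target: el }); fired++; }
  return fired;
}

// Constructed script under test: it touches nothing until a submit event fires.
function sampleContentScript(document) {
  document.getElementById('login-form').addEventListener('submit', () =>
    document.querySelector('input[type=password]').value.length);
}

function analyze(script) {
  const doc = makeHoneyDocument();
  script(doc);
  return { fired: fuzzHandlers(doc), log: doc.log };
}
```

Running the sample script without `fuzzHandlers` leaves a single lookup in the log; the password-field query and the value read only appear once the handler is driven.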
Of the 48,332 extensions analyzed, 130 were found to be outright malicious, while a further 4,712 were found to be “suspicious”. Among the 130 malicious extensions, USENIX identified behavior that included ad manipulation, affiliate fraud, information theft, and social network abuse. Here is USENIX’s breakdown of both malicious and suspicious extensions by detection types:
*An extension might have more than one detection.
*[m] denotes malicious detections, [s] denotes suspicious detections.
The researchers also include a number of recommendations in the paper which, hopefully, Google will heed.
- The USENIX paper can be downloaded in full here: Hulk: Eliciting Malicious Behavior in Browser Extensions