A massive undercover surveillance network was recently outed by the cybersecurity firm Awake Security. It’s serious enough that you should once again triple-check that you aren’t using shady extensions in your Chrome browser.
Awake Security found that over 60 percent of the web domains owned by the company GalComm are hosting malware and spying tools being used by at least 111 Chrome extensions that have been downloaded more than 32 million times—and that’s only counting those that were listed in the Chrome Web Store. Through these browser extensions, GalComm accessed millions of personal and corporate networks to collect massive amounts of data, and used sophisticated circumvention methods to avoid detection, despite the large scale of the operation.
The full list of all 111 malicious extensions can be found here. The list is a bit of a mess and it contains plenty of duplicates (all with different extension IDs), so we took some time to clean it up. Here are the extensions you’ll want to look for in your Chrome installation (accessible by navigating to Window > Extensions) and delete immediately if you find them:
The extensions that made it onto Google’s store have been removed and many should be deactivated already, but you’ll need to uninstall any you side-loaded from non-Google sources.
This is one of the larger malware campaigns uncovered in a while. Using malicious browser extensions to spy on people isn’t anything new, but it’s becoming more common. The fact that so many extensions were implicated—and that most of them were available on Google’s Chrome Store—is alarming, but there are ways to keep yourself safe.
The safest practice you can employ when browsing the Chrome Web Store is to stick to well-known extensions made by verified publishers. Yes, that might limit you from downloading a super-cool-sounding extension that does that one thing you really, really were looking for, but it’ll also keep your data a lot safer.
Obviously, how much safety you’re willing to trade for comfort is your deal—and we recommend lesser-known extensions on occasion, too—but it’s one thing to trust a decent-sounding, solo developer with a good track record, and another thing entirely to download the first extension you see because it sounds interesting without paying attention to any other details about who created it (and what they want from you).
The Chrome Extension store has a “By Google” search filter, useful for sticking to only first-party extensions, and Mozilla has a list of recommended Firefox add-ons that you can always trust if you don’t want to venture out into scarier waters.
If you do, it’s still best to confine your installations to extensions hosted on your browser’s official store. Companies like Google do their best to vet the add-ons they allow onto their digital marketplaces—but as Awake’s report shows us, it’s easy for shady developers to work around privacy policies and security features.
Still, there’s a higher likelihood an extension is legit if it is on your browser’s official add-on store, rather than if you’re downloading it from some random web page or pop-up ad—just make sure you’re downloading what you think you’re downloading: Check that the extension’s name, description and details all match up, and look to see if the extension’s reviews sound more planted than authentic. When in doubt, don’t install it—or go searching around for a more well-known alternative.
As with phone apps, be skeptical of any extension that asks for permissions beyond its advertised use. Similarly, extensions that perform a redundant or unnecessary task should be avoided at all costs.
Pretty much every extension listed in Awake Security’s report asked for at least one sketchy or over-reaching permission. For example, many wanted to “take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords).”
When you first add an extension to your browser, a notification will pop up listing what it is able to do. If you don’t feel comfortable with what it’s asking, click “Cancel” to stop the installation. And if you ever suspect an extension you’re using of malicious activity, report it immediately.
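The two checks described above (looking for specific extension IDs in your Chrome installation, and judging whether an extension's permissions go beyond its advertised use) can both be done from the extension manifests Chrome keeps on disk. The script below is an added example, not code from the article or from Awake Security: it walks a Chrome profile's `Extensions` folder, reads each `manifest.json`, and flags any extension whose ID is on a blocklist you supply or that declares permissions of the kind the report calls out (clipboard, cookies, screen capture, access to every site). The risky-permission table, the default profile paths, and the blocklist ID used in the demo are this example's own assumptions; the article's list of IDs is not reproduced here, so substitute your own.

```python
"""Added example: enumerate Chrome extensions in a local profile and flag
known-bad IDs or over-reaching permissions.  Assumed profile paths and
permission table; the demo blocklist ID is a constructed placeholder."""
import json
import sys
import tempfile
from pathlib import Path

# Permissions of the kind the report describes, with what each one allows.
# Assumption: an illustrative subset, not Chrome's complete permission list.
RISKY_PERMISSIONS = {
    "<all_urls>": "read and change data on every site you visit",
    "clipboardRead": "read the clipboard",
    "cookies": "read cookies, including session and credential tokens",
    "tabs": "see the URL and title of every open tab",
    "webRequest": "observe every network request the browser makes",
    "webRequestBlocking": "block or rewrite network requests",
    "desktopCapture": "capture the screen",
    "tabCapture": "record the contents of a tab",
    "history": "read browsing history",
    "nativeMessaging": "talk to native programs on the machine",
    "debugger": "attach the DevTools protocol to any tab",
    "proxy": "route all traffic through a proxy of its choosing",
}

# Host patterns that mean "every site"; matched against permissions and
# against content_scripts, since a script injected everywhere can log keystrokes.
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

# Default profile locations (assumed; other profiles live beside "Default").
PROFILE_DIRS = {
    "darwin": "~/Library/Application Support/Google/Chrome/Default/Extensions",
    "linux": "~/.config/google-chrome/Default/Extensions",
    "win32": "~/AppData/Local/Google/Chrome/User Data/Default/Extensions",
}


def is_extension_id(s):
    """Chrome Web Store IDs are 32 characters drawn from the letters a-p."""
    return len(s) == 32 and all(c in "abcdefghijklmnop" for c in s)


def assess_manifest(ext_id, manifest, blocklist=frozenset()):
    """Summarise one manifest: identity, blocklist hit, risky permissions, broad host access."""
    declared = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    injected = {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}
    return {
        "id": ext_id,
        "name": manifest.get("name", "?"),  # may be a __MSG_key__ locale placeholder
        "version": manifest.get("version", "?"),
        "blocklisted": ext_id in blocklist,
        "risky_permissions": sorted(p for p in declared if p in RISKY_PERMISSIONS),
        "broad_host_access": sorted(p for p in declared | injected if p in BROAD_HOSTS),
    }


def scan_profile(ext_dir, blocklist=frozenset()):
    """Walk Extensions/<id>/<version>/manifest.json and assess each installed version."""
    findings = []
    for id_dir in sorted(Path(ext_dir).expanduser().iterdir()):
        if not (id_dir.is_dir() and is_extension_id(id_dir.name)):
            continue
        for manifest_path in id_dir.glob("*/manifest.json"):
            with open(manifest_path, encoding="utf-8") as f:
                findings.append(assess_manifest(id_dir.name, json.load(f), blocklist))
    return findings


def report(findings):
    """Print one line per extension, with the reasons it deserves a closer look."""
    for f in findings:
        flags = ["ON BLOCKLIST"] if f["blocklisted"] else []
        flags += [f"{p}: {RISKY_PERMISSIONS[p]}" for p in f["risky_permissions"]]
        flags += [f"runs on every site ({h})" for h in f["broad_host_access"]]
        print(f'{f["id"]}  {f["name"]} {f["version"]}  ' + ("; ".join(flags) or "no flags"))


def demo():
    """Build a constructed two-extension profile in a temp dir and scan it offline."""
    root = Path(tempfile.mkdtemp())
    bad_id = "aaaaaaaabbbbbbbbccccccccdddddddd"  # placeholder, not a real extension ID
    spy = {"name": "Constructed Spy", "version": "1.0", "manifest_version": 2,
           "permissions": ["tabs", "cookies", "clipboardRead", "<all_urls>"],
           "content_scripts": [{"matches": ["<all_urls>"], "js": ["x.js"]}]}
    benign = {"name": "Constructed Notepad", "version": "2.3", "manifest_version": 3,
              "permissions": ["storage", "activeTab"]}
    for ext_id, m in ((bad_id, spy), ("abcdefghijklmnopabcdefghijklmnop", benign)):
        d = root / ext_id / m["version"]
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(m), encoding="utf-8")
    return scan_profile(root, {bad_id})


if __name__ == "__main__":
    # Usage: python check_extensions.py [Extensions dir] [blocklist file, one ID per line]
    ext_dir = sys.argv[1] if len(sys.argv) > 1 else PROFILE_DIRS.get(sys.platform)
    ids = set()
    if len(sys.argv) > 2:
        ids = {line.strip() for line in open(sys.argv[2], encoding="utf-8") if line.strip()}
    report(scan_profile(ext_dir, ids) if ext_dir else demo())
```

Run it with no arguments to see the constructed demo; point it at your own `Extensions` folder and a text file of IDs to check a real profile. An extension that is not flagged is not thereby safe, and one that is flagged may legitimately need those permissions (a password manager needs cookies, a screenshot tool needs capture), so treat the output as the list of extensions whose permissions you should compare against their advertised purpose.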
While our general recommendation is to stick with well-known, verified extensions, that doesn’t mean smaller third-party add-ons or unofficial download locations are inherently dangerous. However, they do need to be approached with extra caution. Many perfectly safe extensions are available from independent developers on places like the XDA forums or GitHub.
While you can’t take an extension’s presence on those platforms as an assurance they’re safe, these open-source projects often have transparent code and privacy policies that make them easier to vet. And if you have no idea what you’re looking for, do your research: Read some forums. Look at Twitter. Hit up Reddit. See if anyone else has raised any red flags about the extension you want to install before you install it.