in

In Chrome and Edge there are extensions with thousands of positive valuations. Many are part of malicious campaigns

Many times we install extensions without thinking too much. They serve something concrete, they occupy little and are there when we need them. Some even have thousands of opinions, good assessment and years of presence in the store.

Now we know that An investigation has uncovered that several of them hid a surveillance system capable of following our steps through the network. They were not obvious scams: they were useful, well -made tools and, above all, silent.

The extension that uncovered the problem. “Picker color, Eyedropper – Geco Colorpick” was one of many useful extensions. Allowed to select colors from anywhere on the screen and worked well. More than 100,000 users had it installed, with positive valuations and verification seal included. In the eyes of anyone, there was no reason to distrust.

According to Koi Security researchersfor a long time it was completely legitimate. Until it was not. In one of its updates, without warnings or visible changes for the user, the extension began to register pages visited and send that information to a remote server. It also maintained an active connection with a control infrastructure.

It was just the beginning. When deepening in the case, the researchers detected common patterns in their code and behavior. What they found was a broader and more coordinated network that they baptized as ‘reddirection’.

According to the report, at least 18 different extensions were part of this operation. All were available in Chrome and Edge stores, and together they accumulated more than 2.3 million facilities. Some were passed through productivity tools, others for entertainment profits. There were emojis keyboards, speed controllers for videos, time extensions, dark or supposed VPN issues to unlock services such as Tiktok or Discord. All with something in common: they offered a legitimate function … while spying in the background.

What they did was not to install classic malware. These extensions implemented a browser kidnapping system that was activated every time the user opened a new tab or sailed to another page. The malicious code was hidden in the extent substance service and did not interfere with its main functionality.

Malicious extension
Malicious extension

The mechanism worked like this: every time a website was loaded, the URL was sent to a remote server next to a unique user identifier. From there, the attackers could order an automatic redirection towards a false page or simply register the activity. Everything happened in the background, without alerts, without emerging windows, without visible failures.

Extensions were not malicious from day. And that is what makes this campaign especially dangerous. According to the researchers, many of them spent months – or even more – offering their functionality without any suspicious behavior. Everything changed in an update.

The technical team maintains that the malicious code was introduced into subsequent versions, when the extensions already had the confidence of thousands of users. And as browsers update automatically, the change was applied without anyone noticing. No one click was needed. Nor Social Engineering. Neither phishing.

And the mechanisms designed to protect the user? Several of the malicious extensions were verified or appeared as highlighted on the Chrome and Edge platforms. Others accumulated positive reviews and a solid user base. All that contributed to the unnoticed when they changed their behavior.

These are the extensions directly linked to the Reddirection campaign, according to the analysis carried out by Koi Security researchers. All of them offered apparently legitimate functions, but were identified as part of the same browser kidnapping scheme:

  • PICKER COLOR, EYEDROPPER – GECO COLORPICK
  • Emoji Keyboard Online – Copy & Paste Your Emoji
  • Free Weather Forecast
  • Weather
  • Speed ​​Controller Video – Video Manager
  • UNLOCK Discord – VPN Proxy to Unblock Discord Anywhere
  • UNBLOCK TIKTOK-Seamless Access With One-Click Proxy
  • Unlock YouTube VPN
  • Dark Theme – Dark Reader for Chrome
  • Volume Max – Ultimate Sound Booster
  • Volume Booster – Increase Your Sound
  • Web Sound Equalizer
  • Flash Player – Games Emulator
  • Header Value
  • Unlock Tiktok
  • Volume Booster
  • Web Sound Equalizer
  • Flash Player

According to Bleeping Computersome of these extensions have already been removed from Chrome and Edge stores, but others are still available for discharge. Both Google and Microsoft have been notified by the Koi Security team, but for now they have not taken general measures on the complete set of extensions detected in the campaign.

Images | Koi Security | Screen capture

In Xataka | There is something that we are not doing enough and we should for our own security: eliminate old accounts

What do you think?

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings

His sediments unprotected us in front of the next drought

Now reinforces your safety while GPT -5 appears on the horizon, according to ft