A security researcher has uncovered harmful Chrome extensions designed to disguise themselves as trusted applications like password managers, crypto wallets, or banking apps. These extensions manipulate their appearance and functionality to deceive users and steal sensitive information.
How the Attack Unfolds
According to Bleeping Computer, security experts at SquareX Labs identified the attack and have already informed Google. The process starts with the release of an innocuous-looking extension in the Chrome Web Store. These extensions often offer helpful functionalities to attract installations, such as AI-powered marketing tools that appear to deliver exactly what they promise.
Once installed, the malicious extension uses the “chrome.management” API to identify other installed extensions. If the necessary permissions are unavailable, the malware resorts to alternative methods, such as injecting scripts into visited websites. These scripts search for specific files or URLs to detect the presence of targeted extensions.
Stolen Data Through Fake Login Pages
Once the required data has been gathered, the extension transmits it to the attackers’ server. If a targeted extension is found, the malicious extension activates and transforms into a replica of the legitimate application. SquareX Labs demonstrated this using the password manager extension 1Password.
The malicious extension can disable the real 1Password or hide its interface. At the same time, it changes its name and icon to impersonate the original. Users are then met with a fake “session expired” message, prompting them to log in again. However, the login form is fraudulent, and any entered credentials are sent to the attackers. Once the data is stolen, the fake extension reverts to its harmless state, reactivating the real 1Password extension to avoid detection.
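As an added example (not code from SquareX Labs or from the article), here is a Python check a defender could run over the manifest files in a Chrome profile's Extensions folder to flag extensions that combine the “management” permission with script injection or broad site access, the capabilities the impersonation described above relies on. The sample manifests are constructed, and the directory layout Extensions/<id>/<version>/manifest.json is assumed.

```python
import json
from pathlib import Path
# Match patterns that grant an extension access to every site the user visits.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_patterns(manifest):
    """Collect every host match pattern an extension declares (MV2 and MV3)."""
    patterns = set()
    # MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
    for key in ("permissions", "host_permissions"):
        patterns.update(p for p in manifest.get(key, []) if "://" in p or p == "<all_urls>")
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns

def risk_flags(manifest):
    """Return the set of warning flags raised by one extension manifest."""
    flags = set()
    perms = set(manifest.get("permissions", []))
    if "management" in perms:
        flags.add("management_api")     # can list, disable and re-enable other extensions
    if "scripting" in perms:
        flags.add("script_injection")   # MV3 permission for injecting scripts into tabs
    if host_patterns(manifest) & BROAD_PATTERNS:
        flags.add("all_sites")          # content scripts or injection on every site
    # This combination is what the impersonation described above needs: enumerate
    # the target extension, disable it, and present a lookalike on any page.
    if "management_api" in flags and flags & {"all_sites", "script_injection"}:
        flags.add("impersonation_capable")
    return flags

def scan_profile(extensions_dir):
    """Walk a Chrome profile's Extensions/ folder (assumed layout
    Extensions/<id>/<version>/manifest.json) and report flagged extensions."""
    report = {}
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        flags = risk_flags(manifest)
        if flags:
            report[manifest_path.parent.parent.name] = (manifest.get("name", "?"), sorted(flags))
    return report

# Constructed sample manifests (not real extensions) that exercise the checks.
SAMPLE_MANIFESTS = {
    "marketing-helper": {"manifest_version": 3, "name": "AI Marketing Helper",
                         "permissions": ["management", "scripting", "storage"],
                         "host_permissions": ["<all_urls>"]},
    "notes": {"manifest_version": 3, "name": "Quick Notes", "permissions": ["storage"],
              "host_permissions": ["https://notes.example/*"]},
}
```

A flag is a triage signal rather than proof of malice: as the article notes, legitimate ad blockers and password managers also request the management API, so flagged extensions should be reviewed against an allow list.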
What Can Be Done?
SquareX Labs has recommended that Google implement safeguards in Chrome to prevent extensions from suddenly changing their icons and HTML elements or at least notify users of such changes. Currently, no official measures have been introduced by Google.
The researchers also criticized Google’s classification of the “chrome.management” API as “medium risk,” even though the API is accessible to widely used extensions like ad blockers and password managers. Until further protective mechanisms are in place, users should exercise caution when installing new extensions and stay vigilant for any suspicious activity in their browser.