- Koi Security researchers found nearly two dozen additional browser extensions spying on users
- The extensions tracked the sites users visited and communicated with a remote C2 infrastructure
- The extensions were likely hijacked somewhere along the way
Many browser extensions for Google Chrome and Microsoft Edge, including several prominent products, have been found to spy on users and communicate with a third-party server, in what appears to be a supply chain attack with millions of victims.
Koi Security researchers recently spotted an apparently benign Chrome extension called "Color Picker, Eyedropper – Geco colorpick", which lets users quickly identify and copy the color code at any point in their browser.
While it worked as advertised and had thousands of downloads and positive reviews, the extension also did something in the background: it hijacked browser activity, tracked the websites users visited and communicated with a remote C2 infrastructure. This prompted the researchers to dig deeper, leading to the discovery of an entire network of extensions all doing similar things.
How to stay safe
They named the campaign RedDirection and counted 18 extensions in the operation, cumulatively compromising 2.3 million users across Chrome and Edge.
The complete list of extensions can be found here; it includes VPNs, site unblockers, weather forecast extensions, emoji extensions and more.
The researchers also determined that these extensions were not malicious from the start. They were simple, clean products that were most likely hijacked somewhere along the line. Many have hundreds of positive reviews, and some have been featured prominently on the Chrome Web Store.
Most have been removed from the store, but according to BleepingComputer, "many of them remain available". Although this was not clearly specified, it is safe to assume they are available on third-party stores and standalone websites.
If you are running any of the extensions on the list, you should remove them immediately, clear your browsing data and run a full system scan with an up-to-date antivirus solution.
It would also be wise to replace all passwords stored in the browser, along with any other sensitive autofill data. Data breaches are becoming increasingly common, with almost a third of companies experiencing a breach despite increased cybersecurity investment. You can check whether your information has been affected using the popular Have I Been Pwned breach-checking website.
Beyond identity theft protection software, users can protect themselves by being extra careful with any unexpected communications, carefully checking the emails and SMS messages they receive, and never clicking on untrusted links.
Via BleepingComputer