Google confirmed it has removed more than 70 malicious add-ons from its official Chrome Web Store. These popular extensions for the Chrome web browser were actively used to monitor web activity and siphon off user data whenever users used the browser. The newly discovered spyware effort attacked users through 32 million downloads of extensions. As a single user usually runs a single installation of Google Chrome, this can be interpreted as 32 million active users of the browser being affected.

In what is claimed to be the largest espionage campaign, millions of unsuspecting Google Chrome web browser users downloaded and used tainted extensions and add-ons. It is concerning to note that it wasn’t Google that initiated the action against the 70+ extensions. Only after security researchers at Awake Security discovered the massive espionage campaign did Google remove the extensions from the official Chrome Web Store. Google’s official statement on the matter, issued through company spokesman Scott Westover, reads, “When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses.”

While all of the extensions were free to download and use, the majority of the add-ons promised to warn users about questionable websites or convert files from one format to another. It is not immediately clear if the extensions performed these primary functions. However, these tainted add-ons siphoned off browsing history and data that provided credentials for access to internal business tools. The extensions were specially designed to avoid detection by antivirus companies or security software that evaluates the reputations of web domains. After installation, if someone used the Google Chrome browser to surf the web on a home computer, it would connect to a series of websites and transmit information.

It is important to note that it was primarily home computers and their users who were affected. Anyone using a corporate network would not transmit sensitive information or even reach the malicious versions of the websites. This is because computers used in corporate settings usually have much tighter control over the installation of extensions. Moreover, there are several layers of security that prevent the add-ons from even establishing contact with their malicious servers.

Google Chrome Browser Subjected To State-Sponsored Espionage Campaign?

Awake co-founder and chief scientist Gary Golomb insists that, based on the number of downloads, it was the most far-reaching malicious Chrome store campaign to date. The security company has released its research, including the list of domains and extensions, which can be accessed here. In all, there are over 15,000 interlinked domains, which were reportedly purchased from a small registrar in Israel, Galcomm, known formally as CommuniGal Communication Ltd. According to news publications that established contact with the company, Galcomm claims it hasn’t done anything wrong.

Deceptive extensions and add-ons for web browsers have been a problem for quite some time. In the initial days, these extensions merely served advertisements. However, they are now growing both in sophistication and in the number of malicious activities they perform. Modern-day extensions are more likely to install additional malicious programs or track where users are and what they are doing for government or commercial spies. While 32 million downloads of 70 extensions might seem large, Google regularly conducts anti-spyware activities. In February this year, the company joined an ongoing investigation and found 500 fraudulent extensions that stole data from about 1.7 million users.