Threat analysts at McAfee discovered that these browser extensions, which masqueraded as Netflix viewers and other utilities, were designed to surreptitiously monitor the browsing activities of their users. The Chrome browser add-ons in question are as follows:
Netflix Party (mmnbenehknklpbendgmgngeaignppnbe) – 800,000 downloads
Netflix Party 2 (flijfnhifgdcbhglkneplegafminjnhn) – 300,000 downloads
FlipShope – Price Tracker Extension (adikhbfjdbjkhelbdnffogkobkekkkej) – 80,000 downloads
Full Page Screenshot Capture – Screenshotting (pojgkmkfincpdkdgjepkmdekcahmckjp) – 200,000 downloads
AutoBuy Flash Sales (gbnahglfafmhaehbdmjedfhdmimjcbed) – 20,000 downloads
These extensions offered various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website. The latter borrowed several phrases from another popular extension called GoFullPage. Besides offering the intended functionality, the extensions also tracked the user’s browsing activity. According to McAfee, every website a user visited was sent to servers owned by the extension creator so that they could insert code into the eCommerce websites being visited. This action then modified the cookies on the site so that the extension authors received affiliate payment for any items purchased.

“The users of the extensions are unaware of this functionality and the privacy risk of every site being visited being sent to the servers of the extension authors,” the McAfee researchers wrote in their blog post.

How Did The Extensions Work?

All 5 extensions behave similarly. The web app manifest (the “manifest.json” file) sets the background page to bg.html, which loads B0.js, a multifunctional script that sends the browsing data to a domain the attackers control (“langhort[.]com”). The data is delivered via a POST request every time the user visits a new URL. The information includes the URL in base64 form, the user ID, the device location (country, city, zip code), and an encoded referral URL.

Upon receiving the URL, langhort.com checks it against a list of websites for which it has an affiliate ID, and if there is a match, the server responds to B0.js with one of two possible functions. The first, “Result[‘c’] – passf_url”, checks whether the query responded with a URL; if it did, B0.js inserts the URL received from the server into the visited website as an iframe. The second, “Result[‘e’] setCookie”, orders B0.js to modify a cookie or replace it with the provided one, provided the extension has been granted the associated permissions.
McAfee has also published a video that showcases how the URL and cookie modifications occur in real-time:
To evade analysis and avoid being flagged in automated analysis environments, some of the extensions waited 15 days after installation before they started sending out browsing activity. At the time of writing, all 5 malicious Chrome extensions have been removed from the Google Play Store. However, removal from the store does not delete them from browsers where they are already installed, so users are advised to uninstall them manually from their devices.
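The description above (a background page that watches every URL and rewrites cookies on visited sites) and the advice to uninstall manually suggest a simple triage a defender can run over an installed Chrome profile. The following is an added example, not code from McAfee or from the article: it walks an Extensions directory laid out as Chrome does it (Extensions/<id>/<version>/manifest.json, an assumption about the layout), flags the five extension IDs named in the article, and separately flags any extension whose manifest combines a background page or service worker, host access to all URLs, and the "cookies" permission, which is the capability set the described behaviour needs. The sample manifests and the two placeholder IDs made of repeated letters are constructed for the demo.

```python
"""Constructed defensive triage of Chrome extension manifests (added example)."""
import json
import os
import tempfile

# The five extension IDs named in the McAfee write-up (the only real identifiers here).
KNOWN_BAD_IDS = {
    "mmnbenehknklpbendgmgngeaignppnbe": "Netflix Party",
    "flijfnhifgdcbhglkneplegafminjnhn": "Netflix Party 2",
    "adikhbfjdbjkhelbdnffogkobkekkkej": "FlipShope - Price Tracker Extension",
    "pojgkmkfincpdkdgjepkmdekcahmckjp": "Full Page Screenshot Capture - Screenshotting",
    "gbnahglfafmhaehbdmjedfhdmimjcbed": "AutoBuy Flash Sales",
}

# Host patterns that give an extension access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def has_background(manifest):
    """True if the manifest declares a background page/scripts (MV2) or service worker (MV3)."""
    bg = manifest.get("background", {})
    return bool(bg.get("page") or bg.get("scripts") or bg.get("service_worker"))


def has_broad_host_access(manifest):
    """True if the extension can observe every URL the user visits."""
    declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    return bool(declared & BROAD_HOSTS)


def assess_manifest(ext_id, manifest):
    """Return the reasons an extension deserves a closer look (empty list = nothing flagged)."""
    reasons = []
    if ext_id in KNOWN_BAD_IDS:
        reasons.append(f"known ID from McAfee report: {KNOWN_BAD_IDS[ext_id]}")
    # Watching every URL from a background script and rewriting cookies on the
    # visited site needs all three of these capabilities together.
    if has_background(manifest) and has_broad_host_access(manifest) \
            and "cookies" in set(manifest.get("permissions", [])):
        reasons.append("background script + all-URL host access + cookies permission")
    return reasons


def scan_extensions_dir(ext_root):
    """Walk <ext_root>/<id>/<version>/manifest.json and return {id: reasons} for flagged ones."""
    findings = {}
    for ext_id in sorted(os.listdir(ext_root)):
        id_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            path = os.path.join(id_dir, version, "manifest.json")
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8") as fh:
                reasons = assess_manifest(ext_id, json.load(fh))
            if reasons:
                findings[ext_id] = reasons
    return findings


def build_sample_profile():
    """Construct a throwaway Extensions directory holding three sample manifests."""
    root = tempfile.mkdtemp(prefix="ext-demo-")
    samples = {
        # ID from the article; the bg.html background page mirrors the article's description.
        "mmnbenehknklpbendgmgngeaignppnbe": {
            "manifest_version": 2, "name": "Netflix Party", "version": "1.0",
            "background": {"page": "bg.html"},
            "permissions": ["cookies", "tabs", "<all_urls>"],
        },
        # Constructed placeholder ID, not in the report, with the same risky capability set.
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "manifest_version": 3, "name": "Demo Coupon Helper", "version": "2.1",
            "background": {"service_worker": "sw.js"},
            "permissions": ["cookies"], "host_permissions": ["<all_urls>"],
        },
        # Constructed benign extension: no background script, no host access.
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "manifest_version": 3, "name": "Demo Notes", "version": "0.3",
            "permissions": ["storage"],
        },
    }
    for ext_id, manifest in samples.items():
        version_dir = os.path.join(root, ext_id, manifest["version"] + "_0")
        os.makedirs(version_dir)
        with open(os.path.join(version_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for flagged_id, why in scan_extensions_dir(build_sample_profile()).items():
        print(flagged_id, "->", "; ".join(why))
```

Point scan_extensions_dir at a real profile's Extensions folder to run it outside the demo. The capability check is a heuristic: many legitimate extensions legitimately hold all three capabilities, so a hit on that rule alone is a prompt to review the extension, while a hit on the known-ID list is a prompt to remove it.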