10 Percent of Chrome Extensions May Be Malicious

Chrome Browser. Credit: Google

Up to 10 percent of Google Chrome browser extensions may be up to no good. Of 48,332 Chrome extensions, 130 were found to be seriously malicious, and another 4,712 labeled "suspicious," by six computer science experts at the University of California's Berkeley, Santa Barbara and San Diego campuses.

The researchers have also developed Hulk — not the gamma-irradiated superhero — which is a piece of software for detecting malicious behavior in Chrome browsers. They will present their findings tomorrow (Aug. 21) at the USENIX Security Symposium in San Diego.


The malicious extensions detected in the study exhibited a wide range of behavior, including affiliate fraud (when buyers are tricked into paying false commissions on purchases), credential theft, malicious JavaScript injections and generation of spam on social networks.

Malicious Chrome extensions aren't limited to the bottom of the barrel; one has over 5.5 million installations, the researchers said. That's where Hulk comes into play.

Hulk works in two ways. First, it creates "HoneyPages," Web pages specially crafted to trick an extension into displaying its malicious behavior. A common technique among cybercriminals is to create malicious Web pages designed to exploit browser vulnerabilities and infect computers. Hulk's HoneyPages use a similar idea, but to protect a computer instead of compromising it.

Second, Hulk includes a "fuzzer," an automated script that tests each Chrome extension by throwing more than 1 million different URLs at it to see if it exhibits any strange behavior. (Fuzzing software with random data is a tried-and-true reliability-testing technique.)
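
A scaled-down sketch of the URL-fuzzing idea described above, added here as an illustration and not Hulk's own code: it feeds a constructed URL corpus to an extension-style request handler and reports every response that alters the request. The handler shape (`{ cancel, redirectUrl }`, modelled on Chrome's blocking webRequest response), `suspectHandler`, the `.example` hosts and the `aff-1234` tag are all assumptions made for the example.

```javascript
// Added illustration, not Hulk's code. Handler shape, hosts and tag are constructed.
// Stand-in for an extension's request callback: it may return { redirectUrl } or
// { cancel }. This one injects an affiliate tag, but only on one shopping domain.
function suspectHandler(details) {
  const url = new URL(details.url);
  if (url.hostname.endsWith("shop.example") && !url.searchParams.has("tag")) {
    url.searchParams.set("tag", "aff-1234");
    return { redirectUrl: url.toString() };
  }
  return {};
}

// Build the URL corpus: every host crossed with every path.
function buildCorpus(hosts, paths) {
  return hosts.flatMap(h => paths.map(p => `https://${h}${p}`));
}

// Feed each URL to the handler; record every response that changes the request.
function fuzzHandler(handler, urls) {
  const findings = [];
  for (const u of urls) {
    let res;
    try {
      res = handler({ url: u, type: "main_frame" }) || {};
    } catch (err) {
      findings.push({ url: u, kind: "exception", detail: String(err) });
      continue;
    }
    if (res.cancel) findings.push({ url: u, kind: "blocked" });
    if (res.redirectUrl && res.redirectUrl !== u) {
      const before = new URL(u), after = new URL(res.redirectUrl);
      const added = [...after.searchParams.keys()]
        .filter(k => !before.searchParams.has(k));
      const kind = before.hostname !== after.hostname ? "cross-host redirect"
        : added.length ? "query parameter injected" : "rewritten";
      findings.push({ url: u, kind, detail: res.redirectUrl, added });
    }
  }
  return findings;
}

const corpus = buildCorpus(
  ["www.shop.example", "bank.example", "news.example"],
  ["/", "/item?id=7", "/login", "/item?id=7&tag=own"]);
const findings = fuzzHandler(suspectHandler, corpus);
for (const f of findings) console.log(`${f.kind}: ${f.url} -> ${f.detail}`);
```

The handler stays silent on nine of the twelve URLs, which is why a fuzzer needs a broad corpus: behavior keyed to one domain only shows up when a matching URL is among the inputs.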

Coincidentally, security researchers at Malwarebytes identified a suspicious extension that pretends to be a legitimate Evernote Web extension for the Chrome, Torch and Comodo Dragon browsers, all of which are based on the open-source Chromium browser. The fake extension tricks browsers into thinking it's the real Evernote Web app, but it actually fills your browser with unwanted advertisements. 

The University of California researchers may not make Hulk available to the public, as it's more of a research tool than a prevention tool. However, their USENIX paper on the study outlines several changes Google could make to its Chrome browser in order to keep users safer from malicious plugins.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games.