This spyware campaign can turn your browser extensions into malware — how to stay safe
ShadyPanda spent years turning legitimate extensions into spyware
A long-running malware operation that has evolved over several years has been turning Chrome and Edge browser extensions into spyware through updates that quietly added malicious functionality. According to a report from Koi Security, the ShadyPanda campaign affects 4.3 million users who installed the now-compromised extensions.
The ShadyPanda campaign consists of 20 malicious extensions on the Chrome Web Store and 125 on the Edge Add-ons store. The extensions were first submitted in 2018, and the first signs of malicious behavior didn't appear until five years later, when a set of them posing as wallpaper and productivity tools began to show that something was amiss.
According to Koi Security, the malicious code was rolled out slowly, in phases, through the very auto-update mechanism that is designed to keep users safe:
“Chrome and Edge’s trusted update pipeline silently delivered malware to users. No phishing. No social engineering. Just trusted extensions with quiet version bumps that turn productivity tools into surveillance platforms.”
Here's everything you need to know about this massive malicious extension campaign along with what steps you can take to secure your browser and your data right now.
From fraud to full browser access
The extensions began their malicious activity with affiliate fraud: injecting tracking codes into legitimate links so that the operators earned commissions on users' purchases. The researchers also saw search hijacking, in which search queries were redirected; those queries were logged, monetized, sold, manipulated and exfiltrated.
ShadyPanda can collect a range of personal information, including browsing history, search queries, keystrokes, cookies, local and session storage, browser fingerprint data, and mouse clicks with their screen coordinates. Extensions that had built up a "good" reputation were modified over the years to include an update backdoor: roughly every hour, the extension downloads and executes arbitrary JavaScript with full browser access, which amounts to persistent remote code execution inside the browser. This means the operators could monitor every website a user visited and exfiltrate browsing URLs, fingerprinting information and persistent identifiers.
Most concerning, the extensions could stage adversary-in-the-middle (AitM) attacks, meaning they could steal credentials, hijack sessions and inject code into any website. The extensions also watched for the browser's developer tools: any attempt to open them caused the malicious code to switch to benign behavior, which hampers analysis by anyone inspecting the extension from inside the browser.
While Google has since removed the extensions from the Chrome Web Store, Koi Security found the campaign still active on the Microsoft Edge Add-ons platform, with one extension listed as having 3 million installs. There is no way of telling whether those numbers are inflated to create a sense of legitimacy, though.
How to stay safe from malicious browser extensions
Most of these extensions are wallpaper or productivity apps, and if you've installed any of them, you should remove them immediately. Koi Security lists all of the extensions at the end of its report; three of the most frequently mentioned are Clean Master, WeTab and Infinity V+.
After removing the extensions, reset your account passwords; the recommendation is to do so for all accounts across your entire online presence, since the extensions could capture keystrokes on any site you visited. Because cookies and session storage were also collected, changing a password does not by itself invalidate a session that has already been stolen, so use each service's "sign out of all devices" option where one exists. Since this can be a serious undertaking, you may want to use one of the best password managers to make things easier. Not only can a password manager help keep your passwords organized and safe, but it can also automatically create strong and unique passwords for each of your online accounts.
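Checking a browser profile by hand for 145 extension names is tedious, so the following added example (not part of the original article or Koi Security's report) walks the Chrome or Edge `Extensions` folder, reads every `manifest.json`, resolves localized names through `_locales/<default_locale>/messages.json`, and flags any extension whose name matches one of the three named above or whose permissions combine broad host access with the capabilities the campaign relied on (timers, script injection, request interception, tab and cookie access). The known-name list, the risky-permission set and the default profile paths are assumptions for illustration; the sample profile it audits is constructed inline so the script runs offline.

```python
"""Audit locally installed Chrome/Edge extensions for ShadyPanda-style traits.

Added example; not code from the article or from Koi Security. Heuristic only:
legitimate extensions also use these permissions, so treat a FLAG as a prompt
to vet the extension, not as proof that it is malicious.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# Assumption: names are compared case-insensitively against the manifest's
# resolved "name"; only the three extensions the article names are listed.
KNOWN_BAD_NAMES = {"clean master", "wetab", "infinity v+"}

# Assumption: permissions that, together with broad host access, give an
# extension timer-driven, remotely controlled access to every site.
RISKY_PERMISSIONS = {"alarms", "scripting", "webRequest", "webRequestBlocking",
                     "declarativeNetRequest", "tabs", "cookies", "webNavigation"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def default_extension_dirs():
    """Default-profile Extensions folders for Chrome and Edge (assumed paths)."""
    home = Path.home()
    if sys.platform == "win32":
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        roots = [base / "Google" / "Chrome" / "User Data",
                 base / "Microsoft" / "Edge" / "User Data"]
    elif sys.platform == "darwin":
        roots = [home / "Library/Application Support/Google/Chrome",
                 home / "Library/Application Support/Microsoft Edge"]
    else:
        roots = [home / ".config/google-chrome", home / ".config/microsoft-edge"]
    return [r / "Default" / "Extensions" for r in roots]


def resolve_name(ext_dir, manifest):
    """Resolve a '__MSG_key__' name via _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2]
        msg_file = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        try:
            name = json.loads(msg_file.read_text(encoding="utf-8-sig")).get(key, {}).get("message", name)
        except (OSError, ValueError):
            pass
    return name


def audit_extension(ext_dir):
    """Audit one <id>/<version>/ directory; returns a finding dict."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    name = resolve_name(ext_dir, manifest)
    perms = set(manifest.get("permissions", []))
    # MV3 lists hosts under host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    risky = sorted(perms & RISKY_PERMISSIONS)
    reasons = []
    if name.lower() in KNOWN_BAD_NAMES:
        reasons.append("name matches an extension named in the ShadyPanda report")
    if hosts & BROAD_HOSTS and risky:
        reasons.append("broad host access plus " + ", ".join(risky))
    return {"id": ext_dir.parent.name, "name": name, "version": manifest.get("version", "?"),
            "flagged": bool(reasons), "reasons": reasons}


def audit_tree(extensions_root):
    """Audit every <id>/<version>/manifest.json under an Extensions folder."""
    findings = []
    for manifest in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        try:
            findings.append(audit_extension(manifest.parent))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip rather than abort
    return findings


# Constructed fixture (not real extension code): one extension with a localized
# name and the campaign's permission profile, and one benign note-taking tool.
SAMPLE_PROFILE = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "manifest": {"manifest_version": 3, "name": "__MSG_appName__", "default_locale": "en",
                     "version": "2.4.1", "permissions": ["alarms", "tabs", "storage"],
                     "host_permissions": ["<all_urls>"]},
        "messages": {"appName": {"message": "WeTab"}}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "manifest": {"manifest_version": 3, "name": "Quick Notes", "version": "1.0",
                     "permissions": ["storage"]},
        "messages": None},
}


def write_sample_profile(root):
    """Lay the fixture out in Chrome's Extensions/<id>/<version>_0/ layout."""
    root = Path(root)
    for ext_id, spec in SAMPLE_PROFILE.items():
        ext_dir = root / ext_id / (spec["manifest"]["version"] + "_0")
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(spec["manifest"]))
        if spec["messages"]:
            (ext_dir / "_locales" / "en").mkdir(parents=True)
            (ext_dir / "_locales" / "en" / "messages.json").write_text(json.dumps(spec["messages"]))
    return root


def demo():
    """Audit the constructed fixture and return its findings (no real profile needed)."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_tree(write_sample_profile(tmp))


if __name__ == "__main__":
    roots = [Path(a) for a in sys.argv[1:]] or default_extension_dirs()
    for root in roots:
        for f in audit_tree(root):
            print(("FLAG" if f["flagged"] else "ok  "), f["id"], f["name"], f["version"], "; ".join(f["reasons"]))
```

Run it with no arguments to audit the default Chrome and Edge profiles, or pass one or more `Extensions` folder paths (for example a non-default profile such as `Profile 1/Extensions`). Deleting an extension's folder is not the right way to remove it; note the flagged ID and remove the extension from `chrome://extensions` or `edge://extensions`, which also clears its storage and scheduled alarms.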
As always, I recommend using the best antivirus software on your computer as well. While an antivirus may not have caught these extensions, since the malicious code arrived through the browser's own trusted update channel rather than as a downloaded file, it can still scan for malware, spyware and viruses when you slip up and download something that shouldn't be on your machine. Antivirus programs also offer browser extensions that can warn you away from suspicious websites, protect your data with cloud backups, and provide a VPN and other extras as an additional layer of security when you're online.
Given how successful and long-running this campaign was, I doubt this is the last we've heard of ShadyPanda. However, by limiting the number of extensions you install, reviewing the permissions each one requests, and carefully vetting each one before you add it to your browser, you can keep your data and your devices safe.
Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps.