Hackers are stealing Gmail messages — delete this extension right now

Image of Gmail's logo on a laptop
(Image credit: Monticello/Shutterstock)

Gmail accounts are under attack from a malicious browser extension spread via phishing emails that targets Google Chrome, Microsoft Edge and other Chromium-based browsers.

Once installed in your browser, this malicious extension is able to steal the contents of your Gmail messages and even infect the best Android phones with malware but more on that later.

As reported by BleepingComputer, the campaign itself was spotted by the German Federal Office for the Protection of the Constitution and South Korea’s National Intelligence Service which both issued a joint statement warning others about it.

The cybercriminals behind the campaign hail from North Korea and the Kimsuky (aka Thallium, Velvet Chollima) threat group has a history of using spear phishing for cyber-espionage in attacks targeting diplomats, journalists, government agencies, politicians and university professors. However, while the campaign started in South Korea, it has now expanded to both the U.S. and Europe.

Even if you don’t have a high-profile job, you could end up accidentally installing this malicious extension and having your Gmail account compromised which is why we all need to remain vigilant online.

Spread via phishing emails

Fish hook on a keyboard

(Image credit: Shutterstock)

The attack starts with a phishing email urging potential victims to install a Chrome extension, though it could also be installed in Microsoft Edge, Brave and other Chromium-based browsers if a user takes the bait.

The extension is named ‘AF’ and unlike normal extensions, it can’t be found in Chrome’s More tools section under extensions. Instead, you need to manually type “chrome(or edge/brave)://extensions” into your browser’s address bar to find it.

Once installed though, it automatically activates and begins intercepting/stealing the contents of emails from your Gmail account. This is done by abusing the Devtools API in your browser and using it to send all of this stolen data back to a server controlled by the hackers.

First your Gmail, then your smartphone

smartphone malware

(Image credit: Shutterstock)

If having your Gmail messages read by hackers wasn’t bad enough, the Kimsuky hacker group also has its own Android malware known as FastViewer, Fastfire or Fastspy DEX.

Once your Gmail account is in the hands of these hackers, they then use Google Play’s web-to-phone synchronisation feature for installing apps from your computer onto your smartphone to infect victims’ phones with the malware.

The FastViewer malware is a remote access trojan (RAT) that allows the hackers to drop, create, delete or steal files as well as retrieve your contacts, make calls, send text messages, turn on your camera, log your keystrokes and more. Suffice it to say, this malware is incredibly dangerous and could be used for blackmail or even to steal your identity.

How to stay safe from malicious extensions

With this malicious extension in particular, it’s a good idea to enter either “chrome:extensions”, “edge:extensions” or “brave:extensions” depending on your browser to see if you have it installed. If you do, you should delete it immediately and consider using the best antivirus software to run a scan of your system just to be safe.

Likewise, you also should install one of the best Android antivirus apps and enable Google Play Protect on your smartphone to protect yourself from the FastViewer malware. Even if you haven’t, an Android antivirus app is certainly worth having on your smartphone now that mobile malware has become so prevalent.

As for avoiding malicious extensions in the first place, don’t ever install any extension or other software sent to you in an email. You also want to avoid opening emails from unknown senders as well as downloading any attachments they may contain.

The Kimsuky hacker group has a long history of launching a variety of attacks on unsuspecting users which means we’ll likely see their work again.

More from Tom's Guide

Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Read more
and image of the Google Chrome logo on a laptop
Over 600,000 Chrome users at risk after 16 browser extensions compromised by hackers — what you need to know
and image of the Google Chrome logo on a laptop
Popular Chrome extensions hijacked by hackers in widespread cyberattack — 3.2 million at risk
and image of the Google Chrome logo on a laptop
Billions of Chrome users at risk from new browser-hijacking Syncjacking attack — how to stay safe
and image of the Google Chrome logo on a laptop
Google Chrome at risk from shape-shifting browser extensions — how to stay safe
A laptop displaying the Chrome logo
Don't click this — malicious ads impersonating Google Chrome spreading dangerous malware
A hacker typing quickly on a keyboard
Hackers are posing as Apple and Google to infect Macs with malware — don’t fall for these fake browser updates
Latest in Online Security
A person on a laptop converting a PDF to a DOC
FBI issues warning over free online file converters that infect your PC with malware
A hacker typing quickly on a keyboard
New MassJacker malware is hijacking digital wallets to steal large sums from users
A woman using her laptop securely with a cup of coffee in hand
5 common mistakes people make when shopping for antivirus software
Windows
240 million Windows 10 users are vulnerable to six different hacker exploits — protect yourself now
Victims of Identity Theft
FTC says Americans lost $12 billion to scams last year and these were the worst ones — here's how to stay safe
Apple iPhone 16 Plus Review.
Apple just released an emergency security update for a flaw used in an ‘extremely sophisticated attack’ — update your devices right now
Latest in News
NYTimes Connections
NYT Connections today hints and answers — Tuesday, March 18 (#646)
A person on a laptop converting a PDF to a DOC
FBI issues warning over free online file converters that infect your PC with malware
The Find my People feature
Android Find My can now track your friends and family — here's how to use it
Foldable iPhone concept image
Are you sitting down? Here’s what the foldable iPhone could cost
Samsung HW-Q990D soundbar
Samsung’s flagship 2024 soundbar just got bricked by a new firmware update — don’t update
A hacker typing quickly on a keyboard
New MassJacker malware is hijacking digital wallets to steal large sums from users