Hackers are stealing Gmail messages — delete this extension right now

Image of Gmail's logo on a laptop
(Image credit: Monticello/Shutterstock)

Gmail accounts are under attack from a malicious browser extension spread via phishing emails that targets Google Chrome, Microsoft Edge and other Chromium-based browsers.

Once installed in your browser, this malicious extension is able to steal the contents of your Gmail messages and even infect the best Android phones with malware but more on that later.

As reported by BleepingComputer, the campaign itself was spotted by the German Federal Office for the Protection of the Constitution and South Korea’s National Intelligence Service which both issued a joint statement warning others about it.

The cybercriminals behind the campaign hail from North Korea and the Kimsuky (aka Thallium, Velvet Chollima) threat group has a history of using spear phishing for cyber-espionage in attacks targeting diplomats, journalists, government agencies, politicians and university professors. However, while the campaign started in South Korea, it has now expanded to both the U.S. and Europe.

Even if you don’t have a high-profile job, you could end up accidentally installing this malicious extension and having your Gmail account compromised which is why we all need to remain vigilant online.

Spread via phishing emails

Fish hook on a keyboard

(Image credit: Shutterstock)

The attack starts with a phishing email urging potential victims to install a Chrome extension, though it could also be installed in Microsoft Edge, Brave and other Chromium-based browsers if a user takes the bait.

The extension is named ‘AF’ and unlike normal extensions, it can’t be found in Chrome’s More tools section under extensions. Instead, you need to manually type “chrome(or edge/brave)://extensions” into your browser’s address bar to find it.

Once installed though, it automatically activates and begins intercepting/stealing the contents of emails from your Gmail account. This is done by abusing the Devtools API in your browser and using it to send all of this stolen data back to a server controlled by the hackers.

First your Gmail, then your smartphone

smartphone malware

(Image credit: Shutterstock)

If having your Gmail messages read by hackers wasn’t bad enough, the Kimsuky hacker group also has its own Android malware known as FastViewer, Fastfire or Fastspy DEX.

Once your Gmail account is in the hands of these hackers, they then use Google Play’s web-to-phone synchronisation feature for installing apps from your computer onto your smartphone to infect victims’ phones with the malware.

The FastViewer malware is a remote access trojan (RAT) that allows the hackers to drop, create, delete or steal files as well as retrieve your contacts, make calls, send text messages, turn on your camera, log your keystrokes and more. Suffice it to say, this malware is incredibly dangerous and could be used for blackmail or even to steal your identity.

How to stay safe from malicious extensions

With this malicious extension in particular, it’s a good idea to enter either “chrome:extensions”, “edge:extensions” or “brave:extensions” depending on your browser to see if you have it installed. If you do, you should delete it immediately and consider using the best antivirus software to run a scan of your system just to be safe.

Likewise, you also should install one of the best Android antivirus apps and enable Google Play Protect on your smartphone to protect yourself from the FastViewer malware. Even if you haven’t, an Android antivirus app is certainly worth having on your smartphone now that mobile malware has become so prevalent.

As for avoiding malicious extensions in the first place, don’t ever install any extension or other software sent to you in an email. You also want to avoid opening emails from unknown senders as well as downloading any attachments they may contain.

The Kimsuky hacker group has a long history of launching a variety of attacks on unsuspecting users which means we’ll likely see their work again.

More from Tom's Guide

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.