Skip to main content

New Chrome malware spies on your Gmail — what to do now

gmail
(Image credit: Shutterstock)

Gmail users on Google Chrome or Microsoft Edge should be aware of new email-reading malware recently identified by Volexity (opens in new tab), which it's named SHARPEXT.

SHARPEXT is thought to come from a hacking group named SharpTongue (or Kimsuky as it's called by other security firms), which is backed by North Korea. It's been active for over a year and has stolen thousands of messages and files from Gmail and AOL email accounts. Currently, SHARPEXT has only been observed in use on Windows devices, though Volexity says it's possible the malware could work on macOS and Linux systems too.

How SHARPEXT infects victim's systems

Malware

(Image credit: solarseven/Shutterstock)

Victims are convinced to open a document containing the malware through spear phishing and social engineering scams. The malware has been seen operating in browser extensions for Chrome, Edge and the Korean browser Naver Whale, which are all based on Google's Chromium platform. It also seems to be aimed at U.S., European and South Korean users, specifically those who work in areas deemed a threat to North Korea, such as nuclear weaponry.

Once installed, the malware then inserts itself through the Preferences and Secure Preferences files within the browser, and then enables its email-reading/downloading abilities, while also hiding any warning windows that could pop up and alert the user that an unverified extension is running on their device.

The extensions that carry SHARPEXT are hard to spot since there's nothing in them that would trigger a response from an antivirus scanner, with the dangerous parts running from a separate server. It's also hard to notice a data theft in progress through SHARPEXT since you'll have already entered your credentials to access your email, allowing the extension to check and copy data as you view it.

Protecting yourself from this email-reading malware

If you're worried you or someone you know is at risk from this malware, Volexity has put together a list of indicators of compromise (IOCs) on Github that can be used to identify if a machine's been infected. Otherwise, you can double-check which browser extensions you're using, particularly if any can't be found on the Chrome Web Store or have been installed in unusual ways, and remove any that look suspicious. You should also ensure you've got one of the best antivirus software programs installed to add some extra protection to your devices.

Next: Google search just got a big upgrade that speeds up searches (opens in new tab). And you can try it now. 

Richard Priday
Richard Priday

Richard is a Tom's Guide staff writer based in London, covering news, reviews and how-tos for phones, gaming, audio and whatever else people need advice on. Following on from his MA in Magazine Journalism at the University of Sheffield, he's also written for WIRED U.K., The Register and Creative Bloq. When not at work, he's likely thinking about how to brew the perfect cup of specialty coffee.