Nearly 80 Chrome extensions caught spying -- how to protect yourself

News
By Nicholas Fearn
last updated

79 malicious browser extensions booted by Google from the Chrome Web Store

Google Chrome
(Image credit: Shutterstock)

More than 100 malicious and fake Google Chrome browser extensions have amassed around 33 million downloads in total, according to an investigation by security firm Awake.

Security researchers discovered 111 malicious extensions that were downloaded by users of the Google Chrome browser and spread dangerous spyware. 

Reuters reported that the extensions claimed to warn users of dangerous websites and change the format of files when they actually had malicious intentions.

Some of the extensions never appeared in the Chrome Web Store, the full Awake report noted, but instead themselves installed the Chromium open-source version of Chrome so that they could run without Google's approval.

Awake said the extensions were able to take screenshots of the victims' devices, load malware and read clipboards, as well as harvest tokens and user input, among other malicious operations. 

The firm also found that the attackers used an infrastructure of 15,160 malicious or suspicious domains and were able to bypass sandboxes, endpoint detection and response solutions and web proxies. 

Cybercriminals bought the domain names from GalComm, an Israel-based domain registrar. GalComm's owner told Reuters that his company was not aware that it was being used as part of a malicious campaign.

However, the Awake report said that nearly 60% of the GalComm-registered domains that Awake researchers could reach were "malicious or suspicious." It added that "GalComm is at best complicit in malicious activity."

Awake co-founder and chief scientist Gary Golomb suggested that this was the most far-reaching malicious campaign found on the Google Chrome Store. 

The researchers aren’t sure who is behind the attack, but told Reuters that the attackers used fake contact details when applying to have their extensions published on the Chrome Web Store.

Taking action

After learning of the malicious extensions last month, Google removed 79 of them. A spokesman for the tech giant, Scott Westover, told Reuters:  “When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses.”

“Illicit extensions usually require permissions to grant further access to data on your machine which users must be vigilant of," Jake Moore, a security specialist at ESET, told Tom's Guide. 

"It's vital to check which permissions a browser extension requires especially when it’s free as some can be harmful," he said. “Just like downloading anything to your device, I would always advise caution with add-ons as Google cannot verify each extension independently.”

Remember, if you have a Chrome browser extension installed, but you don't need it at the moment, you can always go to chrome://extensions/ to disable it without removing it. (You can enable it when you need it.) Doing so will make Chrome run faster and free up memory on your computer.

The malicious Chrome extensions

It doesn't make for interesting reading, but here's the full list of the extension IDs of all 111 malicious Chrome (and Chromium) extensions that Awake discovered. 

Unfortunately, if you want to see if any of the extensions you've added to Chrome are on this list, you've got to do so manually. 

Right-click or control-click the icon of a running extension in upper right corner of the browser, and select "Manage extensions." A new tab will open describing the extension, and in the address bar of the tab, you'll see something that looks like "chrome://extensions/?id=oiigbmnaadbkfbmpbfijlflahbdbdgdf." 

That long string of gibberish is a 32-character extension ID. Compare each of your extensions' IDs to the list below, and if anything matches, remove the extension.

  • acmnokigkgihogfbeooklgemindnbine
  • apgohnlmnmkblgfplgnlmkjcpocgfomp
  • apjnadhmhgdobcdanndaphcpmnjbnfng
  • bahkljhhdeciiaodlkppoonappfnheoi
  • bannaglhmenocdjcmlkhkcciioaepfpj
  • bgffinjklipdhacmidehoncomokcmjmh
  • bifdhahddjbdbjmiekcnmeiffabcfjgh
  • bjpknhldlbknoidifkjnnkpginjgkgnm
  • blngdeeenccpfjbkolalandfmiinhkak
  • ccdfhjebekpopcelcfkpgagbehppkadi
  • cceejgojinihpakmciijfdgafhpchigo
  • cebjhmljaodmgmcaecenghhikkjdfabo
  • chbpnonhcgdbcpicacolalkgjlcjkbbd
  • cifafogcmckphmnbeipgkpfbjphmajbc
  • clopbiaijcfolfmjebjinippgmdkkppj
  • cpgoblgcfemdmaolmfhpoifikehgbjbf
  • dcmjopnlojhkngkmagminjbiahokmfig
  • deiiiklocnibjflinkfmefpofgcfhdga
  • dipecofobdcjnpffbkmfkdbfmjfjfgmn
  • dopkmmcoegcjggfanajnindneifffpck
  • dopmojabcdlfbnppmjeaajclohofnbol
  • edcepmkpdojmciieeijebkodahjfliif
  • ekbecnhekcpbfgdchfjcfmnocdfpcanj
  • elflophcopcglipligoibfejllmndhmp
  • eogfeijdemimhpfhlpjoifeckijeejkc
  • fcobokliblbalmjmahdebcdalglnieii
  • fgafnjobnempajahhgebbbpkpegcdlbf
  • fgcomdacecoimaejookmlcfogngmfmli
  • fgmeppijnhhafacemgoocgelcflipnfd
  • fhanjgcjamaagccdkanegeefdpdkeban
  • flfkimeelfnpapcgmobfgfifhackkend
  • fmahbaepkpdimfcjpopjklankbbhdobk
  • foebfmkeamadbhjcdglihfijdaohomlm
  • fpngnlpmkfkhodklbljnncdcmkiopide
  • gdifegeihkihjbkkgdijkcpkjekoicbl
  • gfcmbgjehfhemioddkpcipehdfnjmief
  • gfdefkjpjdbiiclhimebabkmclmiiegk
  • ggijmaajgdkdijomfipnpdfijcnodpip
  • ghgjhnkjohlnmngbniijbkidigifekaa
  • gllihgnfnbpdmnppfjdlkciijkddfohn
  • gmmohhcojdhgbjjahhpkfhbapgcfgfne
  • gofhadkfcffpjdbonbladicjdbkpickk
  • hapicipmkalhnklammmfdblkngahelln
  • hijipblimhboccjcnnjnjelcdmceeafa
  • hmamdkecijcegebmhndhcihjjkndbjgk
  • hodfejbmfdhcgolcglcojkpfdjjdepji
  • hpfijbjnmddglpmogpaeofdbehkpball
  • ianfonfnhjeidghdegbkbbjgliiciiic
  • ibfjiddieiljjjccjemgnoopkpmpniej
  • inhdgbalcopmbpjfincjponejamhaeop
  • iondldgmpaoekbgabgconiajpbkebkin
  • ipagcbjbgailmjeaojmpiddflpbgjngl
  • jagbooldjnemiedoagckjomjegkopfno
  • jdheollkkpfglhohnpgkonecdealeebn
  • jfefcmidfkpncdkjkkghhmjkafanhiam
  • jfgkpeobcmjlocjpfgocelimhppdmigj
  • jghiljaagglmcdeopnjkfhcikjnddhhc
  • jgjakaebbliafihodjhpkpankimhckdf
  • jiiinmeiedloeiabcgkdcbbpfelmbaff
  • jkdngiblfdmfjhiahibnnhcjncehcgab
  • jkofpdjclecgjcfomkaajhhmmhnninia
  • kbdbmddhlgckaggdapibpihadohhelao
  • keceijnpfmmlnebgnkhojinbkopolaom
  • khhemdcdllgomlbleegjdpbeflgbomcj
  • kjdcopljcgiekkmjhinmcpioncofoclg
  • kjgaljeofmfgjfipajjeeflbknekghma
  • labpefoeghdmpbfijhnnejdmnjccgplc
  • lameokaalbmnhgapanlloeichlbjloak
  • lbeekfefglldjjenkaekhnogoplpmfin
  • lbhddhdfbcdcfbbbmimncbakkjobaedh
  • ldoiiiffclpggehajofeffljablcodif
  • lhjdepbplpkgmghgiphdjpnagpmhijbg
  • ljddilebjpmmomoppeemckhpilhmoaok
  • ljnfpiodfojmjfbiechgkbkhikfbknjc
  • lnedcnepmplnjmfdiclhbfhneconamoj
  • lnlkgfpceclfhomgocnnenmadlhanghf
  • loigeafmbglngofpkkddgobapkkcaena
  • lpajppfbbiafpmbeompbinpigbemekcg
  • majekhlfhmeeplofdolkddbecmgjgplm
  • mapafdeimlgplbahigmhneiibemhgcnc
  • mcfeaailfhmpdphgnheboncfiikfkenn
  • mgkjakldpclhkfadefnoncnjkiaffpkp
  • mhinpnedhapjlbgnhcifjdkklbeefbpa
  • mihiainclhehjnklijgpokdpldjmjdap
  • mmkakbkmcnchdopphcbphjioggaanmim
  • mopkkgobjofbkkgemcidkndbglkcfhjj
  • mpifmhgignilkmeckejgamolchmgfdom
  • nabmpeienmkmicpjckkgihobgleppbkc
  • nahhmpbckpgdidfnmfkfgiflpjijilce
  • ncepfbpjhkahgdemgmjmcgbgnfdinnhk
  • npaklgbiblcbpokaiddpmmbknncnbljb
  • npdfkclmbnoklkdebjfodpendkepbjek
  • nplenkhhmalidgamfdejkblbaihndkcm
  • oalfdomffplbcimjikgaklfamodahpmi
  • odnakbaioopckimfnkllgijmkikhfhhf
  • oklejhdbgggnfaggiidiaokelehcfjdp
  • omgeapkgiddakeoklcapboapbamdgmhp
  • oonbcpdabjcggcklopgbdagbfnkhbgbe
  • opahibnipmkjincplepgjiiinbfmppmh
  • pamchlfnkebmjbfbknoclehcpfclbhpl
  • pcfapghfanllmbdfiipeiihpkojekckk
  • pchfjdkempbhcjdifpfphmgdmnmadgce
  • pdpcpceofkopegffcdnffeenbfdldock
  • pgahbiaijngfmbbijfgmchcnkipajgha
  • pidohlmjfgjbafgfleommlolmbjdcpal
  • pilplloabdedfmialnfchjomjmpjcoej
  • pklmnoldkkoholegljdkibjjhmegpjep
  • pknkncdfjlncijifekldbjmeaiakdbof
  • plmgefkiicjfchonlmnbabfebpnpckkk
  • pnciakodcdnehobpfcjcnnlcpmjlpkac
  • ponodoigcmkglddlljanchegmkgkhmgb
Nicholas Fearn

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!

2 Comments Comment from the forums
  • AFatBlackCat
    You can also find a list of all installed Chrome extensions in the folder located at:

    C:\Users\YOURUSERNAME\AppData\Local\Google\Chrome\User Data\Default\Extensions

    To see the above folder:
    Open a Run command (Press Windows key + R).
    Paste or type the above directory location (path) in the text box to the right of "Open:"
    Replace YOURUSERNAME in the command with your Windows user account's name.
    Press Enter/Return on your keyboard. A Windows File Explorer window will open showing you a list of folders whose names are the Chrome extension IDs installed in your Chrome browser.
    Compare the listed folder names with those listed in the article.
    If you find that you have a folder matching one of those in the article delete it.================
    To delete (remove, uninstall) an extension in Chrome:
    Open Chrome.
    Press ALT + D to go to the address field.
    Type chrome://extensionsPress Enter/Return key.
    Find the extension you want to remove, click Remove.
    Confirm removing by clicking Remove.
    The extension has now been removed from Chrome.
    Reply
  • javierdl
    In Opera I see my extensions at. But I do not see the 32-character extension IDs :(
    Reply