Security researchers at Reason Labs discovered three malicious Chrome web extensions that were installed on 1.5 million installations of the web browser. Distributed via torrents, these extensions acted as legitimate VPN extensions on first glance.

The extensions appear to have been spread via torrent files of popular video games. Reason Labs mentions Grand Theft Auto, The Sims 4, Heroes 3 and Assassins Creed torrents specifically, but there may have been other games. It found the trojan installer in over 1000 different torrent files that promised access to commercial games.

The downloaded setup files had a size between 60MB and 100MB. One common signee name was Spice & Wok Limited, but there have been others as well.

When the installer gets executed on the user's device, it unpacks one of the three malicious extensions on the system and installs it in the browser without user interaction. The extension is installed via a Windows Registry key, SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings\.

A method to install extensions in Chrome that bypasses users entirely is not new. Back in 2014, security researchers discovered a method to install Chrome extensions without any user interaction.

Two different extensions, netSave for Chrome and netPlus for Microsoft Edge, do get installed on the user's system. The malicious Chrome extension was installed 1 million times according to the researchers.

The JavaScript code has more than 20,000 lines according to the researchers, which makes it difficult to analyze. The researchers discovered that it runs a fake VPN and what they call a cashback activity hack.

Once the extension is installed, it will disable other cashback extensions that may be installed in the infected web browser. It also delivers a fake VPN user interface to hide its true intentions from the user.

The extensions are in Russian and they appear to target Russian speaking regions and users, including Russia, the Ukraine or Kazakhstan.

Reason Labs informed Google about the malicious extensions. Google has removed the extensions in the meantime from the Chrome Web Store.

Chrome and Edge users who download torrent files may want to check the list of installed extensions in the browser to make sure that these extensions are not installed on their devices.

Research Labs notes that the developer of the extensions seems to have created other extensions. The company recommends that users installed extensions, games and programs from legal and legitimate sources only. It also recommends running up-to-date antivirus software, avoid clicking on unknown links or popups, and to enable two-factor authentication wherever possible.

Additional information, including technical details, can be found on the ReasonLabs website.

Now You: do you use browser extensions?