14
English
Afrikaans
Albanian
Amharic
Arabic
Armenian
Azerbaijani
Basque
Belarusian
Bengali
Bosnian
Bulgarian
Catalan
Cebuano
Chichewa
Chinese (Simplified)
Chinese (Traditional)
Corsican
Croatian
Czech
Danish
Dutch
Esperanto
Estonian
Filipino
Finnish
French
Frisian
Galician
Georgian
German
Greek
Gujarati
Haitian Creole
Hausa
Hawaiian
Hebrew
Hindi
Hmong
Hungarian
Icelandic
Igbo
Indonesian
Irish
Italian
Japanese
Javanese
Kannada
Kazakh
Khmer
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latin
Latvian
Lithuanian
Macedonian
Malagasy
Malay
Malayalam
Maltese
Maori
Marathi
Mongolian
Myanmar (Burmese)
Nepali
Norwegian
Pashto
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Samoan
Scottish Gaelic
Serbian
Sesotho
Shona
Sindhi
Sinhala
Slovak
Slovenian
Somali
Spanish
Sudanese
Swahili
Swedish
Tajik
Tamil
Telugu
Thai
Turkish
Ukrainian
Urdu
Uzbek
Vietnamese
Welsh
Xhosa
Yiddish
Yoruba
Zulu
The extensions share other dubious or suspicious similarities.
Much of the code in each one is highly obfuscated, a design choice that provides no benefit other than complicating the process for analyzing and understanding how it behaves.All but one of them are unlisted in the Chrome Web Store.
This designation makes an extension visible only to users with the long pseudorandom string in the extension URL, and thus, they dont appear in the Web Store or search engine search results.
Its unclear how these 35 unlisted extensions could have fetched 4 million installs collectively, or on average roughly 114,000 installs per extension, when they were so hard to find.Additionally, 10 of them are stamped with the Featured designation, which Google reserves for developers whose identities have been verified and follow our technical best practices and meet a high standard of user experience and design.One example is the extension Fire Shield Extension Protection, which, ironically enough, purports to check Chrome installations for the presence of any suspicious or malicious extensions.
One of the key JavaScript files it runs references several questionable domains, where they can upload data and download instructions and code: URLs that Fire Shield Extension Protection references in its code.
Credit: Secure Annex One domain in particularunknow.comis listed in the remaining 34 apps.Tuckner tried analyzing what extensions did on this site but was largely thwarted by the obfuscated code and other steps the developer took to conceal their behavior.
When the researcher, for instance, ran the Fire Shield extension on a lab device, it opened a blank webpage.
Clicking on the icon of an installed extension usually provides an option menu, but Fire Shield displayed nothing when he did it.
Tuckner then fired up a background service worker in the Chrome developer tools to seek clues about what was happening.
He soon realized that the extension connected to a URL at fireshieldit.com and performed some action under the generic category browser_action_clicked.
He tried to trigger additional events but came up empty-handed.
