Malicious Chrome VPN Extensions Force-Installed 1.5 Million Times
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
In a recently discovered malware campaign, three Chrome and Edge extensions disguised as VPNs were installed 1.5 million times.
Discovered by researchers at ReasonLabs, the fake extensions were spread through an installer hidden in torrents posing as popular video games such as Grand Theft Auto, Assassin's Creed, and The Sims 4.
Upon discovery, the extensions were reported to Google, which removed them from the Chrome Web Store. By then, netSave and netWin together accounted for around 500,000 installs, while netPlus had been installed a million times.
The campaign appears to be targeting the Russian-speaking community, as the extensions were found to be in Russian. "Using data derived from ReasonLabs users, we were able to identify tens of thousands of users infected with the Trojan across Russia, Ukraine, Kazakhstan, Moldova, and more – countries with many Russian speakers," the report revealed.
The ReasonLabs team discovered over a thousand different torrent files delivering the malicious installers, each between 60MB and 100MB in size. The installer unpacks automatically and force-installs one of the three extensions into the user's browser, without asking for any user permission. It also checks the machine for the presence of antivirus products.
The dubious extensions presented a realistic VPN user interface with limited functionality and a paid subscription tier to appear legitimate. Code analysis revealed that they not only disabled other cashback and coupon extensions in the browser but also ran a cashback-activity hack of their own.
The manifest grants the extension the "tabs," "storage," "proxy," "webRequest," "webRequestBlocking," "declarativeNetRequest," "scripting," "alarms," "cookies," "activeTab," "management," and "offscreen" permissions.
With these permissions granted at install time, the extension uses the "offscreen" permission to create a hidden offscreen document through the Offscreen API, a Manifest V3 mechanism that gives extensions the DOM access their background service worker lacks. In that hidden document it stealthily runs scripts that interact with the page DOM to steal user data, and with the "management" permission it disables the other extensions installed in the browser.
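The permission list above is the most useful artifact a defender gets from a report like this. The following script, an added example that is not from the ReasonLabs report or the extensions themselves, audits an extension manifest for the permissions named in the article and flags the ones a VPN client has no business holding. The sample manifest is constructed from the quoted permission list (the name, version and manifest_version 3 are placeholders), and the risk descriptions and the list of permissions a VPN "legitimately" needs are this example's own assumptions, not a Google or ReasonLabs scale.

```javascript
// Added example: audit a Chrome/Edge extension manifest for the high-risk
// permissions quoted in the article. Not code from the report or the
// malicious extensions; descriptions below are the author's summary of the
// Chrome extension API documentation.

const HIGH_RISK = {
  management: "can disable or uninstall other extensions (e.g. cashback/coupon add-ons)",
  proxy: "can route all browser traffic through an attacker-chosen proxy",
  webRequestBlocking: "can intercept, modify or block every request synchronously",
  webRequest: "can observe every request, including headers",
  declarativeNetRequest: "can rewrite, redirect or block requests via rules",
  cookies: "can read and write cookies on permitted hosts",
  scripting: "can inject arbitrary scripts into pages",
  offscreen: "can run DOM-capable scripts in a hidden offscreen document",
  tabs: "can enumerate open tabs and their URLs",
};

// Permissions a minimal VPN/proxy extension plausibly needs (assumption).
const EXPECTED_FOR_VPN = new Set(["proxy", "storage", "alarms"]);

function auditManifest(manifest) {
  const perms = new Set([
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ]);

  const findings = [];
  for (const p of perms) {
    if (p in HIGH_RISK && !EXPECTED_FOR_VPN.has(p)) {
      findings.push({ permission: p, reason: HIGH_RISK[p] });
    }
  }

  const notes = [];
  // In Manifest V3, Chrome only honours webRequestBlocking for extensions
  // installed by enterprise policy, so its presence in an MV3 manifest
  // suggests the author expects the extension to be force-installed.
  if (manifest.manifest_version === 3 && perms.has("webRequestBlocking")) {
    notes.push("webRequestBlocking in MV3 is only granted to policy-installed extensions");
  }
  if (perms.has("offscreen") && perms.has("scripting")) {
    notes.push("offscreen + scripting: hidden DOM access combined with page injection");
  }
  if (perms.has("management")) {
    notes.push("management: a VPN client has no reason to control other extensions");
  }

  return { riskyCount: findings.length, findings, notes };
}

// Constructed sample using exactly the permission list quoted in the article.
const SAMPLE_MANIFEST = {
  name: "netPlus VPN (constructed sample)",
  version: "1.0",
  manifest_version: 3,
  permissions: [
    "tabs", "storage", "proxy", "webRequest", "webRequestBlocking",
    "declarativeNetRequest", "scripting", "alarms", "cookies",
    "activeTab", "management", "offscreen",
  ],
};

const report = auditManifest(SAMPLE_MANIFEST);
console.log(`${report.riskyCount} high-risk permissions beyond what a VPN needs`);
for (const f of report.findings) console.log(`  ${f.permission}: ${f.reason}`);
for (const n of report.notes) console.log(`  ! ${n}`);
```

To use it on a real extension, load the `manifest.json` from the unpacked extension directory (Chrome keeps installed extensions under the profile's `Extensions` folder) and pass the parsed object to `auditManifest`. The point of the `EXPECTED_FOR_VPN` allow-list is that raw permission counting is noisy; what should stand out is the mismatch between what the extension claims to be and what it asks for.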
The report highlights the growing threat from pirated software and fake extensions, and the need for users to check reviews and install software only from official, verified sources. Users who suspect they are affected can review the installed extensions list (chrome://extensions or edge://extensions) for netSave, netWin, or netPlus.
Android Banking Trojan Chameleon Now Bypasses Biometric Authentication
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
A dangerous new variant of the Android banking malware Chameleon has re-emerged with the ability to take over devices and bypass biometric unlock in order to steal passwords and PINs.
Discovered by security researchers at ThreatFabric, the trojan now targets Android users in Italy and the UK. The previous version, identified in April 2023, targeted users in Australia and Poland, posing as the Australian Taxation Office (ATO) app and as popular Polish banking apps.
"Representing a restructured and enhanced iteration of its predecessor, this evolved Chameleon variant excels in executing Device Takeover (DTO) using the accessibility service, all while expanding its targeted region," the company said.
Disguised as a Google Chrome app, the new variant is distributed via Zombinder, a dropper-as-a-service (DaaS) sold on the dark web that binds malware to legitimate apps.
The current version has two distinctive new features. First, on Android 13 devices protected by the "Restricted Settings" feature, it displays an HTML page that walks the user through manually enabling Accessibility Services for the app.
Restricted Settings is meant to block sideloaded apps from being granted dangerous permissions of this kind, which malware relies on for account and device takeover, for granting itself further permissions, and for stealing files and data.
Second, using the Accessibility service, the malware can defeat any biometric prompt, such as face or fingerprint unlock, and force the device to fall back to pattern, PIN, or password authentication. Because the trojan also captures the PIN or password, the threat actor can later unlock the device at will and perform any malicious activity.
In addition to the above, the new Chameleon variant can schedule tasks using the AlarmManager API, which lets an app arrange for code to run at a chosen time, even when the app is not in the foreground.
“The emergence of the new Chameleon banking trojan is another example of the sophisticated and adaptive threat landscape within the Android ecosystem,” ThreatFabric said. “Evolving from its earlier iteration, this variant demonstrates increased resilience and advanced new features.”