Google has removed 49 extensions from the Chrome Web Store that were stealing users' data and credentials. Some victims also lost cryptocurrency.
They looked like legitimate Chrome extensions for managing cryptocurrency wallets but, in reality, all they did was steal the access data to the wallet itself and then, in some cases, steal the virtual currency as well. For this reason Google has removed all of them, 49 extensions in total.
The discovery of these malicious extensions is owed, however, not to Google but, as often happens, to a researcher at a computer security company. The information was turned over to the Mountain View giant which, after confirming how dangerous these Chrome extensions actually were, removed them from the store. The researcher in question is Harry Denley of MyCrypto, who in an interview with ZDNet also explained how the removed extensions worked. It is a rather peculiar and interesting way of working.
How the 49 dangerous Chrome extensions worked
The 49 extensions discovered and removed from Google's store did nothing but imitate the legitimate extensions of crypto-wallet apps (i.e. apps for managing a cryptocurrency wallet) such as Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus and KeepKey. And they mimicked them very well, displaying an interface virtually identical to the original. The difference is that, in addition to letting users manage their cryptocurrency, they also sent the wallet access data to the developer of the extensions.
According to Denley, all the extensions were developed by the same person or group of people, most likely based in Russia. What is even more interesting is that installing one of these extensions did not automatically result in the loss of one's virtual currency: apparently the developers stole the cryptocurrency manually, and only from the most substantial wallets. But according to Denley there certainly were some thefts.
There will be more
According to Denley, moreover, it is almost certain that other similar extensions remain to be discovered, because the developer (or group of developers) behind these 49 extensions appears able to operate on a fairly large scale. Denley therefore invites users to report suspicious extensions to MyCrypto, which will check them and record them in CryptoScamDB, a database that collects many other dangerous extensions and apps targeting cryptocurrency traders.