ShadyPanda malware operation transformed Chrome and Edge extensions into spying tools.

A long-running malware campaign quietly turned trusted Chrome and Edge extensions into spyware. According to Koi Security, ShadyPanda impacted 4.3 million users who unknowingly downloaded an extension that later received updates containing hidden malicious code.

Initially, these extensions were basic, innocuous tools like wallpapers and productivity aids. However, a few years down the line, silent updates introduced monitoring features that most users couldn’t detect.

ShadyPanda’s Evolution

This operation included 20 harmful Chrome extensions and 125 in the Microsoft Edge add-on store. Many of these appeared in 2018 without any obvious warning signs. Over the subsequent five years, they received gradual updates altering their functions.

Koi Security noted that these updates were implemented via each browser’s trusted automatic update system. Users don’t need to click on anything; there’s no phishing or fake alerts involved. Just a quiet version update that gradually converts a seemingly secure extension into a potent tracking tool.

Extensions’ Secret Activities

Once activated, the extensions would insert tracking codes into links, leading to revenue from user purchases. They would hijack search queries, redirect them, and collect data for future exploitation. ShadyPanda collected a diverse array of personal information—browsing histories, search terms, cookies, keystrokes, and more. After establishing trust in the store, attackers pushed a backdoor update that allowed for hourly remote code access, essentially giving them full control over users’ browsers.

Researchers found that the extension was capable of launching man-in-the-middle attacks, facilitating credential theft and session hijacking on various sites. Interestingly, if a user accessed developer tools, the extension would switch to a benign mode, evading detection. Google has since removed the harmful extension from the Chrome Web Store, affirming that none of the listed extensions are currently operational on their platform.

A representative from Microsoft also stated that all identified malicious extensions have been removed from the Edge Add-on Store. They emphasized taking swift action when violations are detected, which includes removing prohibited content.

For regular users, there’s no need for complex technical insights regarding the ShadyPanda campaign. The focus should be on checking installed extensions using the guidelines provided below.

How to Check for Malicious Extensions

To confirm whether a malicious extension ID is present, you can follow these simple steps:

For Google Chrome

  • Open Chrome.
  • Type in the address bar: chrome://extensions.
  • Press Enter.
  • Search for each extension ID.
  • Click on details for any extension.
  • Scroll to locate the Extension ID section.
  • Compare the ID with the provided list.
  • If a match is found, remove the extension immediately.

For Microsoft Edge

  • Open Edge.
  • Type in the address bar: edge://extensions.
  • Press Enter.
  • Click on details located under each extension.
  • Scroll to find the Extension ID.
  • If your ID matches, remove the extension and restart your browser.
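
The manual check above only covers the browser profile that is currently open. The following script is an added example (not from the original article or from Koi Security) that walks every profile under the default Chrome and Edge data directories and reports installed extension IDs that appear in a list you supply. The ID set is a placeholder because the page does not reproduce the list, and the function names are illustrative.

```python
import json
import re
from pathlib import Path

# Chrome/Edge extension IDs are 32 characters drawn from the letters a-p.
ID_RE = re.compile(r"^[a-p]{32}$")

# Placeholder only: the page does not reproduce the ID list. Paste the IDs
# from the published indicator list here, one string per entry.
KNOWN_BAD_IDS = {"REPLACE_WITH_ID_FROM_PUBLISHED_LIST"}

# Default browser data directories (assumed locations; adjust if relocated).
USER_DATA_DIRS = [
    "~/AppData/Local/Google/Chrome/User Data",
    "~/AppData/Local/Microsoft/Edge/User Data",
    "~/Library/Application Support/Google/Chrome",
    "~/Library/Application Support/Microsoft Edge",
    "~/.config/google-chrome",
    "~/.config/microsoft-edge",
]

def installed_extensions(user_data_dir):
    """Yield (profile, ext_id, version, name) for every profile in the directory."""
    root = Path(user_data_dir).expanduser()
    if not root.is_dir():
        return  # browser not installed for this user
    # Layout: <data dir>/<profile>/Extensions/<id>/<version>/manifest.json
    for manifest in sorted(root.glob("*/Extensions/*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        if not ID_RE.match(ext_id):
            continue  # skips "Temp" and other non-extension folders
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            data = {}  # unreadable manifest: still report the ID
        profile = manifest.parents[3].name
        # "name" may be a localisation key such as __MSG_appName__.
        yield profile, ext_id, data.get("version", manifest.parent.name), data.get("name", "?")

def find_matches(user_data_dirs, bad_ids):
    """Return installed extensions whose ID appears in bad_ids."""
    bad = {i.strip().lower() for i in bad_ids}
    return [e for d in user_data_dirs for e in installed_extensions(d) if e[1] in bad]

if __name__ == "__main__":
    for profile, ext_id, version, name in find_matches(USER_DATA_DIRS, KNOWN_BAD_IDS):
        print(f"MATCH {ext_id} v{version} ({name}) in profile {profile!r}")
```

A match names the profile it was found in, so the extension can be removed from that profile through the steps above.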

Protecting Your Browser from Malicious Extensions

It’s crucial to secure your browser to protect your data.

1) Remove Suspicious Extensions

First, check installed extensions against the IDs from earlier. Many malicious ones were marketed as wallpapers or productivity tools. Notable mentions include Clean Master, WeTab, and Infinity V Plus. If you see any of these or similar ones, it’s wise to remove them.

2) Reset Your Password

As these extensions might access sensitive data, resetting your passwords is a good precaution. A password manager can help create robust passwords for each account.

3) Use a Data Deletion Service

ShadyPanda harvested browsing activity and identifiers, which could be matched with existing data broker records. Data deletion services can assist in reclaiming your privacy by removing published information from various sites. Although complete removal is impossible, using such services can significantly lessen your digital footprint.

4) Install Strong Antivirus Software

While antivirus software may not have flagged this specific threat, it can block other malware, scan for spyware, and identify unsafe websites. Many tools also offer cloud backup and VPN features, increasing your protection level.

5) Limit Extensions

Every extension heightens risk. Stick to well-known developers and check reviews. If an extension requests unnecessary permissions, you might want to reconsider its installation.

Key Takeaways

The ShadyPanda campaign demonstrated how undetected threats can persist for years. It underscores the need to watch for changes in how installed extensions behave. By limiting extension installations and routinely checking them, you can better guard against being tracked by hidden code.

Have you encountered an extension that felt out of place on your browser? How did you handle it? Sharing experiences can shed light on ways to protect ourselves.
