Google Chrome Users Targeted in 'Massive Global Surveillance Campaign'

Google has removed dozens of malicious extensions from its Chrome Web Store after a cybersecurity firm uncovered a "massive global surveillance campaign" that was recently targeting users of the popular internet browser.

The Alphabet-owned search giant told Reuters more than 70 suspicious add-ons were purged from its browser after the issue was raised by Awake Security, a Santa Clara, California-based outfit that uses artificial intelligence to hunt for threats.

Researchers at Awake Security found there had been at least 32,962,951 downloads of "malicious or fake" extensions, more than 100 add-ons total, as of May 2020.

The team alleged unknown attackers' infrastructure was relying on web domains from a single registrar in Israel: CommuniGal Communication Ltd., or GalComm.

Awake Security wrote in a blog: "In the past three months alone, we have harvested 111 malicious or fake Chrome extensions using GalComm domains for attacker command and control infrastructure and/or as loader pages for the extensions.

"These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords)."

Of 26,079 accessible domains registered through GalComm, researchers found almost 60 percent (15,160) were malicious or suspicious, hosting malware or browser-spying tools. The domains, which used evasion techniques, have been published online.

According to Reuters, most of the free add-ons claimed to warn users about suspicious websites or posed as file-conversion software, but would actually steal data.

Responding, Google spokesperson Scott Westover told Reuters: "When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses."

Gary Golomb, co-founder and chief scientist of Awake Security, said it was one of the most "far-reaching" Chrome store campaigns ever seen, but GalComm owner Moshe Fogel told Reuters via email his firm was not involved in nefarious activity.

Google has been contacted for comment by Newsweek.

In its report about the campaign, Awake Security's research team described the attack as an "equal opportunity spying effort" because it did not appear to have been targeted. It accused GalComm of "exploiting the trust placed in it as a domain registrar."

The team said registrars acting in bad faith provide a platform for criminals and nation-states to "deliver malicious sites, tools and extensions without consequences."

Researchers warned that browsers hold more sensitive data than ever before, since applications like Google, Facebook or Zoom are in many cases embedded in them.

"After analyzing more than 100 networks across financial services, oil and gas, media, entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government organizations, Awake discovered that the actors behind these activities have established a persistent foothold in almost every network," researchers wrote.

"Trust in the internet and its infrastructure is critical. Exploiting key components of this infrastructure... shakes the foundation of trust and represents a risk to organizations and consumers alike." For now, the culprits behind the scheme remain unknown.

Photo: A picture taken on August 28, 2019 shows the Google logo displayed on a tablet in Lille. DENIS CHARLET/AFP/Getty