Dangerous Chrome extensions

Someone tried to use popular Google Chrome Extensions for secretly playing videos in users’ browsers to inflate view counts.

Why Kaspersky solutions alert users about Google Chrome and how to solve the problem (the culprits are Frigate, SaveFrom and other extensions)

Yesterday morning, our solutions started giving many Google Chrome users repeated threat warnings. Trojan.Multi.Preqw.gen, which Chrome tried to download from a third-party site, was specified as the source of the threat. We explain what it’s all about and how to solve the problem.

Malicious extensions

Our experts in collaboration with their colleagues at Yandex discovered that some culprits had abused more than twenty browser extensions to make Chrome work for them on users’ computers. The extensions that were made to perform malicious activity included a few fairly popular ones: Frigate Light, Frigate CDN and SaveFrom.

These extensions installed in more than 8 million users’ browsers accessed a remote server in the background, trying to download malicious code, a process that our security solutions detect as dangerous.

What were the attackers up to, and how did that threaten users?

The attackers were interested in generating traffic to videos. In other words, the extensions were secretly playing certain videos in the users’ browsers, inflating view counts on streaming sites.

The invisible video player was only activated when the user was actually browsing, so that the inevitable slowing down of the computer could be attributed to Chrome’s usual lag when under load.

According to our colleagues at Yandex, the users of some of the extensions could occasionally hear the sound from the videos that were being played in the background.

Besides that, the malicious plug-ins intercepted access to a social network, probably for inflating like counts later. Regardless of the actual goals, a compromised social media account is something one would rather avoid.

What can be done?

If your security solution starts detecting threats in Google Chrome or any other Chromium-based browser, the first thing you need to do is disable the malicious plug-ins, as those are what the security application reacts to. If you are not sure which of the plug-ins is dangerous, try disabling them one at a time until you find the right one(s).

Yandex, for their part, has automatically disabled a number of extensions in its Yandex.Browser (which too is based on Chromium), and continues to look for other plug-ins that pose a threat.

If you are not using Kaspersky products yet, but you suspect that there is a dangerous application on your computer, it might make sense to install one of our solutions for home users. Then again, it makes sense to do that in any case.