Security researchers have uncovered 89 malicious Google Chrome extensions on the official Chrome store that can inject ads, code to secretly mine cryptocurrency, and load a tool to record and replay a person's browsing activities. According to researchers at Trend Micro, this collection of extensions affected over 423,000 users and was used to form a new botnet called "Droidclub."

In November 2017, Princeton's Center for Information Technology highlighted the use of legitimate session-replay scripts on popular, high-traffic websites by third-party analytics firms. These scripts are used to record and replay a user's visit to a website, including mouse clicks, scrolling and keystrokes, allowing the site owner to figure out what the user saw.

Now, Trend Micro has observed hackers abusing these session-replay scripts to view what a victim does on every site they visit during a browsing session.

"These scripts are injected into every website the user visits," Trend Micro researcher Joseph Chen wrote in a blog post published on Thursday (1 February). "Other researchers have raised the possibility that these libraries could be abused, but this is the first time we have seen this in the wild."

The hackers first trick the dubious Chrome extensions using a combination of malvertising and social engineering such as false error messages asking users to download an extension onto their browser. Once installed, the extension checks if the command and control (C&C) server is online, downloads any necessary configuration code and reports back to the server.

"The extensions themselves are designed to appear innocent, if slightly nonsensical," researchers said.

The lifestyle-themed malicious extensions included names such as "Cheesy Barbecue Bacon", "Pickle Jalapenos", "Sugar Cookie Icing", "11 Pumpkin Flavored Foods", "DIY Cleaning Wipes", "Homemade Stress Balls" and more.

Droidclub Extension
Example of a seemingly innocent but malicious Droidclub extension Trend Micro

"A browser infected with Droidclub will periodically pop up a new tab displaying web advertising. Currently, this malware is being used to display low-quality advertising (such as those for pornographic sites) and/or exploit kits. The attacker behind Droidclub may be using this botnet to artificially raise the impressions of certain ads, resulting in increased views and revenue," researchers said.

Droidclub also injects a Javascript library from Yandex Metrica into visited websites on the victim's browser to enable session replay.

"Unfortunately, in the hands of an attacker, this represents a very powerful tool that can breach the user's privacy," Chen said. "The combination of the extension and the library can steal data entered into forms such as names, credit card numbers, CVV numbers, email addresses, and phone numbers. The library does not capture passwords by design, so these are not stolen by the threat actors."

Trend Micro also found an earlier version of Droidclub still active in the wild that injected the infamous cryptocurrency mining code Coinhive into visited websites, allowing the hackers to secretly mine Monero coins.

"While the current version does not have the code injection, the Coinhive code remains functional and could be re-inserted in the future," researchers noted.

The threat actors behind Droidclub also make it difficult for users to uninstall and report the malicious extension. If the extension detects that the user is trying to report the extension, it redirects the user to the introduction of their extension.

Users that try to remove it via Chrome's extension management page also find themselves redirected to a fake page that leads them to believe the extension has been uninstalled when it is actually still lurking on the user's browser.

Trend Micro has reached out to Google to remove the extensions and Cloudflare to take down the C&C servers. They have since been removed.

"We've removed the affected extensions from the Chrome Web Store and have disabled them on devices of all affected Chrome users," Google said in a statement to the security firm. "Keeping the extensions ecosystem free from malware and abuse has always been a priority and we are always working on closing gaps to address new abuse patterns that emerge.

"Currently, our security systems block more than 1,000 malicious extensions per month. If an extension looks suspicious, we encourage users to report it as potential abuse through the chrome web store page so we can review it in greater depth."

In a statement to IBTimes UK, a Yandex spokesperson said: "We built session replay to help website owners and marketers provide a better experience for users but like many other tools on the internet, it unfortunately has been used in a malicious way.

"We are working in every way possible to update our product to prevent particularly sensitive information from being detected and tracked. We have always been committed to the safety and security of users and their privacy online and we will continue to adjust to new challenges and threats as they emerge."

The report comes just weeks after ICEBRG researchers found four malicious Chrome extensions with over 500,000 installs infecting users around the world. In December 2017, another popular Chrome extension, Archive Poster, was discovered running Coinhive to mine cryptocurrency as well.