Browser extensions can be a very useful thing. Their functionality ranges from research tools to small games to navigation aids. As it happens, this originally useful feature of modern browsers can also be abused by criminals for less than helpful purposes. We took a look at one such case.
Regular users of illegal streaming websites are in a more exposed position here. Many of those websites are bursting at the seams with ad banners. The use of ad banners for malicious intents is nothing new, either. “Malvertising” (a coined term which consists of Malicious and Advertising) as a means of distributing malware has been around for a while, too. In this case, however, an ad banner is used to install a browser extension. It claims to show SEO (Search Engine Optimization) data, which in itself is not harmful at all. For this reason, many users are likely to allow the installation of this extension.
However, in the background the extension runs some functions, which are potentially malicious. In one case, search queries which are originally entered on the Google search form are redirected to a different search engine. This is more of a nuisance for the user, since he / she wanted to use the Google search. The author of this browser extension makes a profit from annoying people: for each redirected query, he receives a commission. This might only be fractions of a cent for each individual case, taking into account that the extension is probably installed on a large number of devices globally, each one of them probably amounts to a nice pile of cash.
Malicious browser extensions (or, at least, extensions which have potentially unwanted functions) are becoming a problem. Those extensions can redirect traffic for profit and even install cryptocurrency miners. Those in turn can drive the electricity bill up and cause increased wear and tear on a system. All of those have in common that they are relatively hard to detect.
You can find the technical details in our analysis report, which you can download by clicking the preview image below.