Google Removes 49 Spurious and Fake Chrome Extensions Capable of Stealing Crypto Data

16. Apr 2020 Posted by Akolkar B on News

The crypto industry has been plagued with several illicit players for the long time and sadly they continue to exist even today. In a major clean-up act, tech giant Google has removed nearly 49 chrome extensions that have been found of having spurious activities such as stealing cryptocurrency data.

In a Medium post written on Tuesday, April 14, Harry Denley, director of security at cryptocurrency wallet startup MyCrypto, wrote that he has got the extensions removed from Chrome’s store in 24 hours by taking help from phishing-specialized cybersecurity firm PhishFort. 

The removed Chrome extensions also included the ones that targeted some software wallets like MyEtherWallets, Jex, Exodus, Metamask, and Electrum and even some hardware wallets like KeepKey, Ledger, and Trezor.

These extensions triggered the wallet users to enter their credentials like private keys, mnemonic phrases, and keystone files, used to access the wallets. Once they managed to get this credentials, the hackers would then steal the cryptocurrencies stored in the wallets.

Moreover, some of the chrome extensions had good rating for them in the store. However, upon careful observation it was found that they were not genuine reviews but repeated from the same users several times.

“Some of the extensions have had a network of fake users rate the app with 5 stars and give positive feedback on the extension to entice a user to download it,” Denley noted.

Upon further investigation, it was found that there were around 14 control servers behind all the chrome extensions. However, by fingerprinting analysis it was found that some of the servers were managed by the same bad actors. Denley thus found that most of the extensions were controlled by the same bad actors.

Denley said that the extensions were basically containing malicious files and stored any details entered in them. It later sent this information to a remote server or a Google form. The report further stated that all the extensions were developed by a single group having its link to Russia.