This PDF Chrome extension might contain malware

The post has been updated. The original date of publication was June 1, 2023.

A security researcher independent of the company discovered malicious code within 18 Chrome extensions available today in the Chrome Web Store. More than 57 million active users use the extensions. This is yet another reason to believe that Chrome extensions should be assessed with an objective eye.

Chrome extensions are applications that are built on the top the foundation of Google Chrome that allow you to add additional functions to your internet browser. The tasks this customizable feature can accomplish are numerous; however, some of the most popular extensions can automate filling in the password of your choiceblock ads, provide single-click access to your list of tasks and alter how a social media site appears. Unfortunately, since Chrome extensions are mighty and have much control over your experience, They are often a victim of hackers and other criminals.

In the last month, a security analyst Wladimir Palant discovered a vulnerability within a browser extension dubbed PDF Toolbox that permits it to insert malicious JavaScript code into every website you go to. The extension claims to be a simple PDF processor, able to do things such as convert other documents to PDF, combine two PDFs, and download PDFs from open tabs.

This feature leaves the PDF Toolbox open to bad intentions. Google demands extension developers only to have the minimum permissions required. To save PDFs to tabs that aren’t open, the PDF Toolbox must be able to connect to every website that you are currently browsing. This capability will allow it to access your browser differently and legitimately.

Although PDF Toolbox can do everything PDF-related tasks it claims to perform, it downloads and executes the JavaScript files from an unrelated website that could contain code that can accomplish nearly anything, including capturing all the information you input within your internet browser. This can redirect you to fake sites and control everything you view online. By creating the code that appears to be the legitimate API call but obscuring the code so that it’s difficult to understand and delaying the malicious call for up to 24 days, PDF Toolbox has been successful in avoiding removal from Google’s Chrome Web Store by Google since its last update on January 20, 2022. (It is available as of this writing, even despite Palant making a formal complaint concerning the malicious software.)

When he first came across it, Palant could not find a way to confirm the malware within PDF Toolbox. But yesterday, he revealed 17 additional browser extensions that utilize the same method to download and execute the JavaScript file. This includes Autoskip to Youtube, Crystal Ad block, Brisk VPN, Clipboard Helper Maxi Refresher, Quick Translation, Easyview Reader view, Zoom Plus Base Image Downloader Clickish fun cursors the Maximum Color Changer on Youtube and Reader mode, Image Download Center, Font Customizer Easy to undo closed Tabs OneCleaner and Repeat button. There are probably more infected extensions. These were the only ones that Palant discovered in a test of about 1,000 extensions.

Along with locating other targeted extensions, Palant has been able to verify what the malware had been doing (or at least did previously). The wings turn people’s Google queries to other search engines, possibly in exchange for a tiny fee for affiliates. They could bring in substantial profits through the spread of millions of users and generate a profit for the developers.

Unfortunately, code injection is code injection. Even though the dangerous JavaScript relatively harmlessly directed Google searches to other search websites in the past doesn’t mean it will continue to do precisely the same thing in the present. “There are way more dangerous things one can do with the power to inject arbitrary JavaScript code into every website,” Palant writes. Palant.

What kind of risky items are they? These extensions may collect information from the browser by putting ads on each page a user is on or even storing the online banking details and credit card numbers. A malicious JavaScript running without checking within your web browser can be extremely powerful.

If you’ve got one of the affected extensions on your PC, you should remove it immediately. It’s an excellent idea to quickly review the other extensions you’ve installed to confirm you’re still using them and that they appear authentic. If you do not, then you must take them off too.

If not, consider this an opportunity to be aware of any potential malware. For more information on combatting it, please read our guide to removing malware from your PC.

It was updated on June 2, 2023. A Google spokesperson explained: “The Chrome Web Store has policies to ensure that users secure, and that developers must follow. We are committed to taking privacy and security assertions against extensions seriously and if we discover extensions that do not comply with our guidelines We take the appropriate steps. The extensions that were reported were taken off the Chrome Web Store.”


Leave a reply