Google Chrome extensions downloaded more than 32-million times were used to spy on the popular browser’s users in a massive global surveillance campaign, according to a new report.
The report, published by cybersecurity firm Awake Security, found at least 111 “malicious or fake” Chrome extensions capable of taking screenshots, stealing login credentials and capturing passwords as users typed them.
This spying campaign impacted a wide range of sectors across the web including financial services, healthcare and government organizations, the firm adds.
Browser extensions, such as the ones for Chrome allow users to add a myriad of new features previously unavailable to them. Extensions such as Netflix Party and Suspicious Site Reporter are examples of popular extensions.
Awake’s report highlights the potential for fraudulent extensions to do harm and compromise a wide variety of systems. “The actors behind these activities have established a persistent foothold in almost every network,” say researchers at the firm.
“We appreciate the work of the research community, and when we are alerted of extensions … that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” Google spokesperson Scott Westover says in a statement to CNN.
“We do regular sweeps to find extensions using similar techniques, code, and behaviours, and take down those extensions if they violate our policies.”
Google has since confirmed that the spying-extension flagged by Awake has since been removed.
Awake linked all the extensions associated with the spying campaign back to Galcomm, an Israeli web hosting company that claims to manage around 250,000 browser domains.
“By exploiting the trust placed in it as a domain registrar, Galcomm has enabled malicious activity that has been found across more than a hundred networks we’ve examined,” Awake researchers said in the report, adding that they found more than 15,000 Galcomm domains that were “malicious or suspicious.”
“Galcomm is not involved, and not in complicity with any malicious activity whatsoever,” the company told Reuters, denying its involvement in the campaign.