Google has successfully expunged 32 malicious extensions from its Chrome Web Store, extensions that were found to have the ability to modify search outcomes and deliver spam or unwelcome advertisements. These extensions had been downloaded collectively around 75 million times.

To deceive the users into believing in their legitimacy, these extensions were constructed with legitimate functionality. Their true intent, however, lay hidden in an obfuscated code, meant for malicious delivery.

Wladimir Palant, a prominent cybersecurity investigator, studied the PDF Toolbox extension, downloaded by 2 million users from the Chrome Web Store. He discovered that the extension concealed a code, made to appear as a legitimate extension API wrapper.

In a detailed analysis published in mid-May, it was reported by the investigator that the concealed code had the capacity to enable the “serasearchtop[.]com” domain to insert arbitrary JavaScript code into any site visited by the user.

This surreptitious addition had the potential for various abuses, from placing ads into web pages to pilfering confidential data. But no ill-intentioned activities were witnessed by Palant, leaving the real intent of the code undetermined.

He also reported that the concealed code was programmed to trigger 24 hours post the installation of the extension, a trait often connected with harmful intent.

Not long ago, Palant published an additional report, alerting that he had identified the same dubious code in another 18 Chrome extensions with an accumulative download of 55 million. Some notable instances were:

• Autoskip for Youtube – with 9 million active users.
• Soundboost – having 6.9 million active users.
• Crystal Ad block – with 6.8 million active users.
• Brisk VPN – attracting 5.6 million active users.
• Clipboard Helper – sporting 3.5 million active users.
• Maxi Refresher – with 3.5 million active users.

Despite the publication of Palant’s second report, these extensions were still accessible in the Chrome Web Store.

Pursuing his inquiry, Palant identified two versions of the suspicious code: one disguised as Mozilla’s WebExtension browser API Polyfill, the other as the Day.js library.

Both variants, however, contained the same unauthorized JS code injection method involving serasearchtop[.]com.

Despite not detecting any clear harmful activity, the investigator noted numerous user reports and reviews on the Web Store that suggested the extensions were executing redirections and search result hijacking.

Despite Palant’s efforts to report these questionable extensions to Google, they remained accessible to the users from the Chrome Web Store.

However, Avast, a cybersecurity company, confirmed the harmful nature of these extensions and reported them to Google earlier today, increasing the total count to 32 entries. Together, these amounted to 75 million installations.

Avast pointed out that while these extensions seemed harmless to unsuspecting users, they were, in fact, adware that commandeered search results to display sponsored links and paid results, occasionally even serving harmful links.

Before Avast revealed its discoveries, a spokesperson from Google responded to BleepingComputer’s request for comment by confirming that the “reported extensions have been removed from the Chrome Web Store.”

Google stressed the seriousness of security and privacy claims against extensions and assured that they take appropriate action when they detect extensions that violate their policies.

As per the Google representative, “The Chrome Web Store has policies in place to ensure user safety, and all developers are expected to adhere to these.”

Avast emphasized the significant repercussions of these extensions, which affected tens of thousands of its customers and potentially millions around the globe.

For its own customers, Avast selectively neutralized only the harmful components within the extensions, allowing the legitimate features to operate without disruption.

Although the 75 million downloads figure seems alarming, Avast suspects that the number may have been “artificially inflated.” A comprehensive list of the harmful extensions (IDs) is available in Avast’s report.

Users should be aware that the mere removal of extensions from the Chrome Web Store does not mean automatic deactivation or uninstallation from their browsers. Thus, manual intervention is necessary to mitigate the risk.