Skip to content
Naked Security Naked Security

More crypto-stealing Chrome extensions swatted by Google

Google deleted more malicious extensions from the Chrome Web Store after they were found to be phishing cryptocurrency users.

Malicious extensions for the Chrome browser continue to spring up just as quickly as the search giant cuts them down. This month, another batch appeared.
Google deleted 49 malicious Chrome extensions from the Chrome Web Store in mid-April after Harry Denley, director of security at MyCrypto, found them phishing cryptocurrency users. The extensions impersonate Chrome extensions for legitimate cryptocurrency wallets, but when installed they pilfer the users’ private keys and other secrets used to access digital wallets so that their authors can steal victims’ funds. Now Denley has found more.
Talking to Naked Security, Denley explained that he finds new ones each day. He pointed us to this Pastebin entry showing the original 49 he reported in April, along with another 22. The new ones impersonated the Ledger, KeepKey, MetaMask, and Jaxx wallets. The IDs on the left are extension IDs, which show up at the end of an extension’s URL when viewed in the Chrome store.
Google had already taken down most of the offending wallets at the time of writing, and has been generally pretty responsive, according to Denley, who said:

Yeah, they have been, for the majority. Actioned my reports within 24 hours.

New rules

Google has acknowledged a general problem with malicious extensions and has announced new rules for the Chrome Web Store. It said:

We want to ensure that the path of a user discovering an extension from the Chrome Web Store is clear and informative and not muddled with copycats, misleading functionalities or fake reviews and ratings.

The rules forbid developers from publishing multiple extensions that do the same thing, and prohibits misleading metadata, including anonymous user testimonials in app descriptions. Developers can’t upload extensions that exist solely to launch another app or extension, and they shouldn’t send spam notifications, the company added.

It said that developers must comply with the policy after 27 August 2020. After that point, apps violating the rules “may be taken down and disabled”.
The problem, according to Dan Finlay, the lead developer at crypto wallet company MetaMask, is that Google allows phishing ads that point to fake extensions. Initially talking about shortcomings in the company’s manual extension review process, he said:

Finlay said that he reported the problem, sending trademark notices and bug reports, but that Google didn’t reply. What he’d really like to see is the ability to block other extensions or ads from using MetaMask’s name.
Denley agreed. He told us:

The official MetaMask extension has over 1,000,000 users – you’d assume Google would have some sort of plan to tackle any potential fake extensions with the Metamask branding.

Weirdly, while Google has been quick to take down most fake cryptocurrency wallet extensions, at the time of writing (7am BST) one of the fake MetaMask extensions was still up. Its listing reports 380 users.
The best advice:

  • Install as few extensions as possible and, despite the above, only from official web stores.
  • Check the reviews and feedback from others who’ve installed the extension.
  • Pay attention to the developer’s reputation, how responsive they are to questions and how frequently they post version updates.
  • Study the permissions they ask for (in Chrome, Settings > Extensions > Details) and make sure they’re in line with the extension’s features. Be suspicious if the permissions change.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.

1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!