Security researchers find malicious code in 28 Chrome and Edge extensions

Over three million users are advised to disable or uninstall the extensions right away

More than three million Google Chrome and Microsoft Edge users are believed to have installed extensions that contain malicious code, according to security firm Avast. 

Avast researchers said users who installed one of 28 third-party extensions containing hidden malicious JavaScript could be at risk of data theft and phishing attacks. 

The extensions in question are primarily designed to help users download multimedia content from social networks including Facebook, Instagram, Vimeo, or Spotify. But Avast said users could end up being redirected to a site where the attacker gets paid for user visits. In other cases, users could end up on phishing sites. 

“Anytime a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit,” the security firm explained.

Names of extensions

Avast said it found evidence that some of the malicious extensions had been active since at least December 2018. The researchers discovered the code hidden in the apps last month and reported their findings to Google and Microsoft. 

Both companies have said they are investigating the extensions. In the meantime, Avast has recommended that users disable or uninstall the extensions. 

Here is the list of Chrome extensions that contain malicious code, according to Avast: 

  • Direct Message for Instagram

  • DM for Instagram

  • Invisible mode for Instagram Direct Message

  • Downloader for Instagram

  • App Phone for Instagram

  • Stories for Instagram

  • Universal Video Downloader

  • Video Downloader for FaceBook™

  • Vimeo™ Video Downloader

  • Zoomer for Instagram and FaceBook

  • VK UnBlock. Works fast.

  • Odnoklassniki UnBlock. Works quickly.

  • Upload photo to Instagram™

  • Spotify Music Downloader

  • The New York Times News

Avast said the following Edge extensions contain malicious code: 

  • Direct Message for Instagram™

  • Instagram Download Video & Image

  • App Phone for Instagram

  • Universal Video Downloader

  • Video Downloader for FaceBook™

  • Vimeo™ Video Downloader

  • Volume Controller

  • Stories for Instagram

  • Upload photo to Instagram™

  • Pretty Kitty, The Cat Pet

  • Video Downloader for YouTube

  • SoundCloud Music Downloader

  • Instagram App with Direct Message DM
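
To check a browser profile against the names listed above, the following added example (not from Avast or the original article) scans a profile's extension folder and reports any installed extension whose display name is on the list. It assumes the usual Chromium on-disk layout of `<Extensions>/<extension id>/<version>/manifest.json`, with localized names stored in `_locales/<locale>/messages.json`; the function names are illustrative.

```python
import json
from pathlib import Path

def normalize(name):
    """Drop trademark signs, collapse whitespace, ignore case."""
    return " ".join(name.replace("™", "").split()).casefold()

# Names copied from the two lists in the article (duplicates merged).
FLAGGED = {normalize(n) for n in (
    "Direct Message for Instagram", "DM for Instagram",
    "Invisible mode for Instagram Direct Message", "Downloader for Instagram",
    "App Phone for Instagram", "Stories for Instagram",
    "Universal Video Downloader", "Video Downloader for FaceBook™",
    "Vimeo™ Video Downloader", "Zoomer for Instagram and FaceBook",
    "VK UnBlock. Works fast.", "Odnoklassniki UnBlock. Works quickly.",
    "Upload photo to Instagram™", "Spotify Music Downloader",
    "The New York Times News", "Instagram Download Video & Image",
    "Volume Controller", "Pretty Kitty, The Cat Pet",
    "Video Downloader for YouTube", "SoundCloud Music Downloader",
    "Instagram App with Direct Message DM",
)}

def load_json(path):
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
        return data if isinstance(data, dict) else {}
    except (OSError, ValueError):
        return {}

def display_name(version_dir, manifest):
    """Resolve a localized "__MSG_key__" name via the default locale file."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        msgs = load_json(version_dir / "_locales" / locale / "messages.json")
        for key, entry in msgs.items():  # message keys are case-insensitive
            if key.casefold() == name[6:-2].casefold() and isinstance(entry, dict):
                return str(entry.get("message", name))
    return name

def scan(extensions_root):
    """Return sorted (extension_id, name) pairs whose name is on the list."""
    hits = set()
    for path in Path(extensions_root).glob("*/*/manifest.json"):
        name = display_name(path.parent, load_json(path))
        if normalize(name) in FLAGGED:
            hits.add((path.parent.parent.name, name))
    return sorted(hits)
```

Call `scan()` with the path to a profile's `Extensions` directory. A name match is only a lead for manual review, since the article gives no extension IDs and unrelated extensions can share a name.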
