Fake VPN browser extension compromised more than 1.5 million people


The internet is home to plenty of malicious and dangerous things, as, sadly, quite a few VPN users seem to have found out to their cost, according to new research from ReasonLabs.

The researchers have uncovered three Chrome extensions that were posing as VPN extensions but in fact acted as browser hijackers, cashback hack tools, and data stealers.

Even more worrying, these malicious extensions have been downloaded more than one and a half million times!

Widespread Impact of Malicious Extensions

According to ReasonLabs, the fake VPN extensions were spread through an installer that was hidden in pirated versions of popular computer games. Some of the games they have named include Grand Theft Auto, Assassin’s Creed, and The Sims 4.

These versions of the games would most likely have been torrented rather than downloaded from legitimate sites.

ReasonLabs also named the malicious extensions as netPlus (a total of 1 million installs), netSave, and netWin (500,000 installs between them).

It seems from the ReasonLabs research that the majority of these downloads took place in Russia and other Russian-speaking countries, including Ukraine, Belarus, and Kazakhstan.

There has been no suggestion as to why it is the Russian-speaking world that has been targeted, although Russia’s illegal invasion of a democratic European state in Ukraine hasn’t exactly won it too many friends around the world.

Safeguarding Against Malware

ReasonLabs discovered that there were over a thousand distinct torrent files that contained the malicious installer app. Once the torrent was downloaded, the VPN extensions were installed automatically, and there was no way for the user to prevent it, as the installation took place on the registry side and required no user input.

Once downloaded, the malicious extensions used a realistic VPN user interface with a very limited degree of functionality. They even included a paid-for subscription option, which was designed to create a sense of authenticity.

Once installed, the extensions were able to steal user data, undertake browsing hijacks, manipulate web requests, and even disable other extensions that were being used on the browser.

Another interesting function was the ability to disable cashback and coupon extensions, which is thought to be intended to eliminate competition and redirect more profits to the Chinese hackers.

According to ReasonLabs’ report, this malicious extension targets over 100 cashback extensions, and some of the names mentioned include Avast SafePrice, AVG SafePrice, Honey: Automatic Coupons & Rewards, LetyShops, Megabonus, AliRadar Shopping Assistant, Yandex.Market Adviser, ChinaHelper, and Backlit.

Ahead of publishing this report, ReasonLabs informed Google of its findings, and the malicious extensions have now all been removed from the Chrome Web Store.

But with more than 1.5 million downloads, this report only serves to highlight the huge risks involved in Chrome extensions.

Users should always be careful about what they are downloading, check for reviews and information, and never torrent things like this.

If you fear you may already have downloaded one of these VPN extensions, check your extensions carefully and delete any that look dodgy. But to clear your device of any malicious extensions completely, full formatting of the hard drive might be required.
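For anyone who wants to do that check more systematically, here is an added example (not from ReasonLabs or the original article) that reads every manifest in a Chrome profile's Extensions folder and flags the three names reported above, along with any extension that requests permissions matching the behaviour described. The permission list and the `write_sample` helper are assumptions made for illustration.

```python
import json
from pathlib import Path

REPORTED_NAMES = {"netplus", "netsave", "netwin"}   # names given in the article
# Assumption: manifest permissions that match the behaviour described above
# (controlling other extensions, intercepting web requests).
RISKY_PERMISSIONS = {"management", "webRequest", "webRequestBlocking"}

def load_json(path):
    try:
        return json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return None

def display_name(version_dir, manifest):
    """Resolve a localized "__MSG_key__" name through the default locale."""
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    locale = str(manifest.get("default_locale", "en"))
    messages = load_json(version_dir / "_locales" / locale / "messages.json")
    if not isinstance(messages, dict):
        return name
    wanted = name[6:-2].lower()              # message keys are case-insensitive
    for key, entry in messages.items():
        if key.lower() == wanted and isinstance(entry, dict):
            return str(entry.get("message", name))
    return name

def audit_extensions(extensions_dir):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json for findings."""
    findings = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        manifest = load_json(manifest_path)
        if not isinstance(manifest, dict):
            continue                          # unreadable or corrupt manifest
        name = display_name(manifest_path.parent, manifest)
        perms = {p for p in (manifest.get("permissions") or []) if isinstance(p, str)}
        risky = sorted(perms & RISKY_PERMISSIONS)
        reported = name.strip().lower() in REPORTED_NAMES
        if reported or risky:
            findings.append({"id": manifest_path.parent.parent.name, "name": name,
                             "reported_name": reported, "risky_permissions": risky})
    return findings

def write_sample(root, ext_id, manifest, messages=None):
    """Hypothetical helper: create one constructed extension dir for a dry run."""
    locale_dir = Path(root) / ext_id / "1.0_0" / "_locales" / "en"
    locale_dir.mkdir(parents=True)
    (locale_dir.parent.parent / "manifest.json").write_text(json.dumps(manifest))
    if messages:
        (locale_dir / "messages.json").write_text(json.dumps(messages))
```

Point `audit_extensions` at the `Extensions` folder inside the Chrome profile directory. A risky-permission hit alone is only a prompt to look closer, since many legitimate extensions request the same permissions.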

Author: David Spencer
