Malicious Chrome, Edge extensions manipulating Google search results

According to Avast, these extensions affected 3 million users worldwide. Here’s what we know so far and which extensions were involved.
Malicious Chrome, Edge extensions manipulating Google search results

According to Avast, these extensions affected 3 million users worldwide.

Google’s Chrome browser is the most used web browser in the world while Microsoft’s Edge browser is the least used one. Yet, it comes pre-installed on all Windows devices. As of 2020 1.2 billion Windows PCs in use worldwide meaning both browsers are lucrative targets for cybercriminals and the latest report from IT and software security firm Avast proves it.

The IT security researchers at Avast have discovered a vast network of malicious Chrome and Edge browser extensions, which are hijacking clicks to links in search results to display arbitrary URLs such as phishing websites and malicious ads.

This, according to researchers, proves that even those extensions that we install from official browser stores cannot be trusted.

“We usually trust that the extensions installed from official browser stores are safe. But that is not always the case as we recently found,” Avast researchers revealed.

See: DuckDuckGo study claims Google Incognito searches are not private

28 rogue extensions hijacking Google search results

Avast has dubbed the malicious extensions CacheFlow. There are 28 extensions identified to be malicious, including:

  • VK Unblock
  • Vimeo Video Downloader,
  • Video Downloader for Facebook,
  • Instagram Story Downloader.

Some of the affected countries include:

  • France
  • Ukraine
  • Brazil
  • Spain
  • Russia
  • Argentina
  • United States

However, acting quickly upon Avast’s report; Google and Microsoft took down all the backdoored browser extensions by Dec 18, 2020. In total, the extensions affected 3 million users worldwide.

Malicious Chrome, Edge extensions manipulating Google search results

Attackers Employed New Sneaky Tactics

The rogue extensions used sneaky tricks to hide their actual functions, which is to create a link with an attacker-controlled C&C server by abusing Leverage Cache-Control HTTP header as a covert channel for retrieving commands from the attacker. The CacheFlow sequence starts when a user downloads one of the extensions.

After installation, the add-on sends out analytics requests, which resembles Google Analytics. The request is sent to a remote server. It beams back a specially designed Cache-Control header that contains hidden commands for retrieving a second-stage payload. This payload functions as a downloader for the final JavaScript payload. Avast researchers believe that this was a new technique.

“CacheFlow was notable in particular for the way that the malicious extensions would try to hide their command and control traffic in a covert channel using the Cache-Control HTTP header of their analytics requests. We believe this is a new technique,” explained researchers.

Add-ons Focus on Collecting Google Data

The JavaScript malware specifically collects data from Google, including birth dates, device activity, geolocation, etc. Avast researchers Jan Vojtěšek and Jan Rubín revealed that for retrieving birth date, CacheFlow made an XHR request to a particular address ( and parsed out the date from the response.

The payload’s final task was to inject another JavaScript malware into each tab on the browser. This allows the attacker to hijack clicks that lead to legit websites and change Google, Yahoo, or Bing search results to redirect the victim to a different URL.

Campaign May Have Been Active Since 2017

According to Avast researchers, the many different tricks the malware authors employed to evade detection could have helped them infect millions of devices since the campaign is active since October 2017. Through these tactics, the extensions could execute malicious code in the background stealthily.

Malicious Chrome, Edge extensions manipulating Google search results

It is worth noting that the add-ons didn’t infect web developers as Avast assessed that the extensions checked whether the user had accessed locally-hosted sites like .local, .dev, or .localhost. Moreover, the extensions didn’t exhibit malicious behavior in the first three days after installation.

Manipulating Google Searchers

This however is not the first time when Google search results have been manipulated by hackers to drop malware or steal data. In 2017, crooks were found exploiting Google search results to distribute the infamous and nasty Zeus Panda banking trojan.

In another incident, in June 2020, hackers manipulated Google searches to spread Shlayer and Bundlore malware against macOS. Nevertheless, the take away from this is that do not click on every link that is indexed in Google search or any other search engine. 

Did you enjoy reading this article? Don’t forget to like our page on Facebook and follow us on Twitter

Related Posts