A sophisticated and alarming malware campaign has been run through web browser extensions, and 2.3 million users across Chrome and Edge have fallen victim to it.

Koi Security investigated a color picker extension (software that lets you copy any color from a website, if you want to use that particular shade in a project of your own) and discovered the 'RedDirection' malware campaign behind it, along with 17 other extensions for Chrome and Edge.
The gist of it is that these extensions are essentially the software equivalent of a long con. They have been around for a long time, are professionally implemented, and do what they say on the tin - and they do it well. As such, the extensions have accrued a whole load of positive reviews, Google certification (the verified badge), plus a ton of installs.
When you see all that, you naturally think that these extensions are genuine and trustworthy. And for a long time they were, until the developer shipped an update that slipped malicious code into them.
Koi explains in a blog post (flagged by The Register):
"Due to how Google and Microsoft handle browser extension updates, these malicious versions auto-installed silently for over 2.3 million users across both platforms, most of whom never clicked anything. No phishing. No social engineering. Just trusted extensions with quiet version bumps that turned productivity tools into surveillance malware."
In other words, the extension update mechanism Google and Microsoft run is built for scale and seamlessness, not security: a new version published to the store is pushed to every existing install in the background, and a Chromium-based browser only stops to ask the user when the new version requests permissions the old one did not have. An extension that already holds broad access to the pages you visit can therefore turn malicious in a plain version bump without a single prompt. Clearly, the cases brought to light by Koi represent a worrying long-term deception, with trusted developers turning out to be bad actors.
It's a lot of effort to go to, of course, but then the results - 2.3 million infections - speak for themselves (sadly).
Should you be worried at this point, these are the extensions that are part of this campaign, as listed by The Register. First off, here are the Chrome add-ons complete with their ID:
- kgmeffmlnkfnjpgmdndccklfigfhajen - Emoji Keyboard Online - copy & paste your emoji
- dpdibkjjgbaadnnjhkmmnenkmbnhpobj - Free Weather Forecast
- gaiceihehajjahakcglkhmdbbdclbnlf - Video Speed Controller - Video manager
- mlgbkfnjdmaoldgagamcnommbbnhfnhf - Unlock Discord - VPN Proxy to Unblock Discord Anywhere
- eckokfcjbjbgjifpcbdmengnabecdakp - Dark Theme - Dark Reader for Chrome
- mgbhdehiapbjamfgekfpebmhmnmcmemg - Volume Max - Ultimate Sound Booster
- cbajickflblmpjodnjoldpiicfmecmif - Unblock TikTok - Seamless Access with One-Click Proxy
- pdbfcnhlobhoahcamoefbfodpmklgmjm - Unlock YouTube VPN
- eokjikchkppnkdipbiggnmlkahcdkikp - Color Picker, Eyedropper - Geco colorpick
- ihbiedpeaicgipncdnnkikeehnjiddck - Weather
And these are the Edge extensions to watch out for:
- jjdajogomggcjifnjgkpghcijgkbcjdi - Unlock TikTok
- mmcnmppeeghenglmidpmjkaiamcacmgm - Volume Booster - Increase your sound
- ojdkklpgpacpicaobnhankbalkkgaafp - Web Sound Equalizer
- lodeighbngipjjedfelnboplhgediclp - Header Value
- hkjagicdaogfgdifaklcgajmgefjllmd - Flash Player - Games emulator
- gflkbgebojohihfnnplhbdakoipdbpdm - YouTube Unblocked
- kpilmncnoafddjpnbhepaiilgkdcieaf - SearchGPT - ChatGPT for Search Engine
- caibdnkmpnjhjdfnomfhijhmebigcelo - Unlock Discord
If you have any of those extensions installed, the obvious first step is to remove them from your browser, then clear your cache. Match on the ID rather than the name: chrome://extensions (or edge://extensions) shows each extension's 32-character ID once Developer mode is switched on, and a lookalike with a different ID is a different extension. Once you've ditched them, it makes sense to run a virus scan to check your device for any infections.
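As an added example (not from the article, The Register or Koi's write-up), the Python script below checks local Chrome and Edge profiles against the IDs listed above by walking the Extensions directory both browsers keep on disk and reading each unpacked manifest.json, so it reports the installed version as well as the ID. The default profile locations, the constructed sample profile that demo() builds in a temporary directory, and the placeholder benign ID in it are assumptions; pass your own user-data path on the command line if your browser lives elsewhere.

```python
#!/usr/bin/env python3
"""Check local Chrome/Edge profiles for the RedDirection extension IDs.

Added example, not part of the article or Koi's research. Both Chromium
browsers unpack installed extensions under
<User Data>/<Profile>/Extensions/<id>/<version>_<n>/manifest.json,
so an ID match there means the extension is (or was) installed.
"""
import json
import os
import shutil
import sys
import tempfile
from pathlib import Path

# IDs and names exactly as listed in the article.
FLAGGED = {
    # Chrome
    "kgmeffmlnkfnjpgmdndccklfigfhajen": "Emoji Keyboard Online - copy & paste your emoji",
    "dpdibkjjgbaadnnjhkmmnenkmbnhpobj": "Free Weather Forecast",
    "gaiceihehajjahakcglkhmdbbdclbnlf": "Video Speed Controller - Video manager",
    "mlgbkfnjdmaoldgagamcnommbbnhfnhf": "Unlock Discord - VPN Proxy to Unblock Discord Anywhere",
    "eckokfcjbjbgjifpcbdmengnabecdakp": "Dark Theme - Dark Reader for Chrome",
    "mgbhdehiapbjamfgekfpebmhmnmcmemg": "Volume Max - Ultimate Sound Booster",
    "cbajickflblmpjodnjoldpiicfmecmif": "Unblock TikTok - Seamless Access with One-Click Proxy",
    "pdbfcnhlobhoahcamoefbfodpmklgmjm": "Unlock YouTube VPN",
    "eokjikchkppnkdipbiggnmlkahcdkikp": "Color Picker, Eyedropper - Geco colorpick",
    "ihbiedpeaicgipncdnnkikeehnjiddck": "Weather",
    # Edge
    "jjdajogomggcjifnjgkpghcijgkbcjdi": "Unlock TikTok",
    "mmcnmppeeghenglmidpmjkaiamcacmgm": "Volume Booster - Increase your sound",
    "ojdkklpgpacpicaobnhankbalkkgaafp": "Web Sound Equalizer",
    "lodeighbngipjjedfelnboplhgediclp": "Header Value",
    "hkjagicdaogfgdifaklcgajmgefjllmd": "Flash Player - Games emulator",
    "gflkbgebojohihfnnplhbdakoipdbpdm": "YouTube Unblocked",
    "kpilmncnoafddjpnbhepaiilgkdcieaf": "SearchGPT - ChatGPT for Search Engine",
    "caibdnkmpnjhjdfnomfhijhmebigcelo": "Unlock Discord",
}


def default_user_data_dirs():
    """Default Chrome/Edge user-data locations per OS (assumed defaults)."""
    home = Path.home()
    if sys.platform == "win32":
        local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return [local / "Google" / "Chrome" / "User Data",
                local / "Microsoft" / "Edge" / "User Data"]
    if sys.platform == "darwin":
        support = home / "Library" / "Application Support"
        return [support / "Google" / "Chrome", support / "Microsoft Edge"]
    return [home / ".config" / "google-chrome", home / ".config" / "microsoft-edge"]


def installed_extensions(user_data_dir):
    """Yield (profile, extension_id, version, name) for every extension
    version unpacked under <user_data_dir>/<profile>/Extensions/."""
    user_data_dir = Path(user_data_dir)
    if not user_data_dir.is_dir():
        return
    for ext_root in user_data_dir.glob("*/Extensions"):
        profile = ext_root.parent.name
        for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
            for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
                manifest = ver_dir / "manifest.json"
                if not manifest.is_file():
                    continue
                try:
                    data = json.loads(manifest.read_text(encoding="utf-8"))
                except (OSError, ValueError):
                    data = {}
                # Directory is named "<version>_<n>"; use it if the manifest is unreadable.
                version = data.get("version") or ver_dir.name.split("_")[0]
                yield profile, ext_dir.name, version, data.get("name", "?")


def find_flagged(user_data_dir, flagged=FLAGGED):
    """Return the installed extensions whose ID is on the flagged list."""
    return [hit for hit in installed_extensions(user_data_dir) if hit[1] in flagged]


def build_sample_profile(root):
    """Constructed sample profile (not real data): one flagged ID, one benign placeholder."""
    for ext_id, version, name in [
        ("eokjikchkppnkdipbiggnmlkahcdkikp", "3.0.1", "Geco colorpick"),  # flagged
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.0.0", "Harmless Notes"),  # assumed benign
    ]:
        ver_dir = Path(root) / "Default" / "Extensions" / ext_id / f"{version}_0"
        ver_dir.mkdir(parents=True)
        (ver_dir / "manifest.json").write_text(
            json.dumps({"name": name, "version": version, "manifest_version": 3}))


def demo():
    """Scan the constructed sample profile and return the hits."""
    tmp = tempfile.mkdtemp()
    try:
        build_sample_profile(tmp)
        return find_flagged(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    dirs = [Path(p) for p in sys.argv[1:]] or default_user_data_dirs()
    hits = [h for d in dirs if d.is_dir() for h in find_flagged(d)]
    for profile, ext_id, version, name in hits:
        print(f"FLAGGED {ext_id} v{version} ({name!r}, profile {profile}) - {FLAGGED[ext_id]}")
    if not hits:
        print("none of the listed IDs found under", ", ".join(map(str, dirs)))
```

Run it with the browser closed; the manifest name may appear as a localisation key such as `__MSG_appName__`, which is why the match is done on the directory name (the extension ID) and not on the display name.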