Malicious Extensions Can Persist on Browsers by Blocking Their Removal – Hijack Browsers to Drive YouTube Views

Jan 22, 2018

What you don’t see can’t alarm you. Security researchers have revealed a new batch of browser extensions that make it difficult for victims to remove them by hiding in plain sight. “What you don’t see won’t hurt you, must have been the reasoning of the threat actors who created the latest batch of extensions that make these browser hijackers even more difficult to remove,” Malwarebytes Labs wrote. These extensions redirect victims “away from pages where they can disable or delete them in order to drive clicks up on YouTube videos or hijack searchers.”

Found on both Chrome and Firefox, these extensions can hijack browsers, spy on their users’ browsing activities and make it difficult for users to get rid of them. They essentially block users from removing them by closing extension settings pages when opened or redirecting users to a different page, where these extensions aren’t listed.


How do you know if you have these malicious extensions installed?

Researchers have focused on an extension called “PUP.Optional.FFHelperProtection” on Firefox and “Tiempo en colombia en vivo” on Chrome, both of which appear to be focused on driving YouTube views. To check whether you have either of these installed, researchers recommend looking at your browser’s history, which will show a lot of YouTube activity. A restart of Chrome may also display a warning that unusual activity has been detected.

While it’s comparatively easier to remove these malicious extensions from Firefox, things get messier on Chrome.

Whenever a user tries to go to chrome://extensions/ to remove or disable extensions, the malicious extension redirects the user to chrome://apps/?r=extensions instead. The latter doesn’t show extensions because it’s only for installed apps. Disabling JavaScript doesn’t help either, as this only applies to sites and not to internal pages. Researchers have recommended using Malwarebytes or any other antivirus or adblocker product that can detect and remove such malicious extensions.
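Because the redirect only affects the settings page, the extension files on disk can still be inspected. The following is an added example, not code from Malwarebytes or the original article: it walks a Chrome profile's `Extensions` directory and reports any extension whose scripts name the two internal pages mentioned above. The `<id>/<version>/manifest.json` layout, the function names and the sample data are assumptions made for this illustration.

```python
import json
import sys
import tempfile
from pathlib import Path

# Internal pages named in the article; ordinary extensions rarely mention them.
INTERNAL_URLS = ("chrome://extensions", "chrome://apps/?r=extensions")

def audit_extensions(ext_root):
    """Scan <ext_root>/<id>/<version>/ and report scripts naming INTERNAL_URLS."""
    findings = []
    for manifest in sorted(Path(ext_root).glob("*/*/manifest.json")):
        version_dir = manifest.parent
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        if not isinstance(meta, dict):
            continue
        hits = {}
        for script in sorted(p for p in version_dir.rglob("*.js") if p.is_file()):
            text = script.read_text(encoding="utf-8", errors="ignore")
            found = [u for u in INTERNAL_URLS if u in text]
            if found:
                hits[script.relative_to(version_dir).as_posix()] = found
        if hits:
            perms = [p for p in meta.get("permissions") or [] if isinstance(p, str)]
            findings.append({"id": version_dir.parent.name, "name": meta.get("name"),
                             "permissions": perms, "hits": hits})
    return findings

def build_sample(root):
    """Constructed test data: one clean extension, one whose script names both pages."""
    samples = {
        "a" * 32: ("Clean sample", ["storage"], "console.log('hello');"),
        "b" * 32: ("Suspicious sample", ["tabs"],
                   "var watch = 'chrome://extensions/';\n"
                   "var dest = 'chrome://apps/?r=extensions';"),
    }
    for ext_id, (name, perms, js) in samples.items():
        d = Path(root) / ext_id / "1.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "permissions": perms}))
        (d / "bg.js").write_text(js)

if __name__ == "__main__":
    if len(sys.argv) > 1:          # path to a profile's Extensions directory
        results = audit_extensions(sys.argv[1])
    else:                          # no argument: run on the constructed sample
        with tempfile.TemporaryDirectory() as tmp:
            build_sample(tmp)
            results = audit_extensions(tmp)
    print(json.dumps(results, indent=2))
```

A plain string match is a heuristic: a script that builds these URLs at runtime will not be flagged, so an empty result does not clear a profile.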

In Firefox, you can simply run the browser in Safe mode by holding down the Shift key while starting the browser. Confirm that you want to Start in Safe Mode in the next prompt. Here, you will see all the extensions while they are not active. Since the malicious extension isn’t active, you can manually remove it using the remove button and all is done. More details about removing them from Firefox and Chrome are shared here and here, respectively.


This report has only focused on two extensions that were forced on users and persist by hiding themselves. However, it also shows the need for better and safer options in browsers to remove malicious extensions that redirect users away from the internal settings page.