Malicious Extensions Can Persist on Browsers by Blocking Their Removal – Hijack Browsers to Drive YouTube Views
What you don't see can't alarm you. Security researchers have revealed a new batch of browser extensions that make it difficult for victims to remove them by hiding in plain sight. "What you don’t see won’t hurt you, must have been the reasoning of the threat actors who created the latest batch of extensions that make these browser hijackers even more difficult to remove," Malwarebytes Labs wrote. These extensions redirect victims "away from pages where they can disable or delete them in order to drive clicks up on YouTube videos or hijack searchers."
Found on both Chrome and Firefox, these extensions can hijack browsers, spy on their users' browsing activities and make it difficult for users to get rid of them. They essentially block users from removing them by closing extension settings pages when opened or redirecting users to a different page, where these extensions aren't listed.
How do you know if you have these malicious extensions installed?
Researchers have focused on an extension called "PUP.Optional.FFHelperProtection" on Firefox and "Tiempo en colombia en vivo" on Chrome, both of which appear to be focused on driving YouTube views. If you are wondering how to check whether you have any of these installed, researchers recommend looking at your browser's history, as it will show a lot of YouTube activity. A restart of Chrome may also display a warning that unusual activity has been detected.
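One way to run the history check described above, as an added example that is not from Malwarebytes or the original article. It assumes a copy of Chrome's History SQLite file with its `urls` and `visits` tables; the function names, the sample rows and the date are constructed for illustration.

```python
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
VIDEO_HOSTS = ("youtube.com", "youtu.be")

def to_webkit(dt):
    # Chrome stores visit_time as microseconds since 1601-01-01 UTC.
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def is_video_host(host):
    # Match the domain or a true subdomain, not look-alikes such as youtube.com.example.net.
    return any(host == d or host.endswith("." + d) for d in VIDEO_HOSTS)

def youtube_activity(conn, since):
    """Summarise YouTube visits recorded at or after `since`."""
    rows = conn.execute(
        "SELECT u.url, v.visit_time FROM visits v JOIN urls u ON u.id = v.url "
        "WHERE v.visit_time >= ?", (to_webkit(since),)).fetchall()
    per_hour, yt = Counter(), 0
    for url, visit_time in rows:
        host = (urlsplit(url).hostname or "").lower()
        if is_video_host(host):
            yt += 1
            per_hour[visit_time // 3_600_000_000] += 1  # bucket by UTC hour
    return {"total": len(rows), "youtube": yt,
            "share": yt / len(rows) if rows else 0.0,
            "peak_per_hour": max(per_hour.values(), default=0)}

def build_sample(now):
    # Constructed data: only the columns this check needs, not the full schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT)")
    conn.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER)")
    urls = ["https://www.youtube.com/watch?v=EXAMPLE%d" % i for i in range(8)]
    urls += ["https://example.org/news", "https://youtube.com.example.net/"]
    conn.executemany("INSERT INTO urls (id, url) VALUES (?, ?)", list(enumerate(urls, 1)))
    # Ten recent visits two minutes apart (eight of them video pages), plus one old visit.
    visits = [(i + 1, to_webkit(now - timedelta(minutes=2 * i))) for i in range(10)]
    visits.append((1, to_webkit(now - timedelta(days=30))))
    conn.executemany("INSERT INTO visits (url, visit_time) VALUES (?, ?)", visits)
    return conn

if __name__ == "__main__":
    now = datetime(2018, 1, 20, 12, 30, tzinfo=timezone.utc)  # constructed date
    print(youtube_activity(build_sample(now), now - timedelta(days=7)))
```

To use it on real data, close Chrome, copy the profile's History file and pass `sqlite3.connect()` the path of the copy, since Chrome keeps the live file locked while it runs.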
While it's comparatively easier to remove these malicious extensions from Firefox, things get messier on Chrome.
In Firefox, you can simply run the browser in Safe Mode by holding down the Shift key while starting the browser. Confirm that you want to Start in Safe Mode at the next prompt. Here, you will see all the extensions while they are not active. Since the malicious extension isn't active, you can manually remove it using the Remove button, and you are done. More details about removing them from Firefox and Chrome are shared here and here, respectively.
This report has focused on only two extensions that were forced on users and persist by hiding themselves. However, it also shows the need for better, safer options in browsers for removing malicious extensions that redirect users away from the internal settings page.