In a troubling discovery, cybersecurity researchers at ReasonLabs have unearthed a series of deceptive VPN extensions that successfully targeted and infected more than 1.5 million devices. These fake VPNs cleverly leveraged torrents of popular video games, such as Grand Theft Auto, The Sims 4, Heroes 3, and Assassin’s Creed, to infiltrate unsuspecting users who sought these games through unofficial sources.
The trojan installers, camouflaged as Electron apps with sizes ranging from 60MB to 100MB, managed to fly under the radar by mimicking the appearance of legitimate VPNs during their initial stages. Discovered within more than 1,000 torrent files, these deceptive extensions created a false sense of security for users engaging with unauthorized game downloads.
Operating stealthily, the installation process of these malicious extensions occurred automatically, requiring no user interaction. To avoid detection, the installer diligently checked for the presence of anti-malware software on the infected device. Once integrated into a system, the extensions exhibited some authentic VPN functionalities and even offered paid subscription tiers, further masking their true malicious nature.
Three variants of these deceptive extensions—netPlus, netSave, and netWin—were identified, with netPlus alone accumulating over 1 million users. Despite their initial appearance of legitimacy, these extensions abused the ‘offscreen’ permission, allowing them to execute scripts through the Offscreen API. This granted the malicious actors behind the extensions comprehensive access to the current Document Object Model (DOM) of the web page, facilitating the theft of sensitive user data.
Beyond this, the extensions demonstrated the capability to hijack browsers, manipulate web requests, and automatically disable other extensions. In a particularly sophisticated move, the malware even targeted over 100 legitimate cashback extensions, diverting profits from these extensions to the criminals orchestrating the operation.
Responding swiftly to the threat, Google removed all three extensions from the Chrome Web Store upon being alerted by ReasonLabs. However, this incident serves as a stark reminder of the persistent security risks associated with online extensions. It reinforces the importance of user caution and diligence, particularly when considering third-party extensions obtained through unofficial channels. As the threat landscape evolves, users must remain vigilant and prioritize security best practices to safeguard their digital environments.
