Google removed 49 extensions from the Chrome Web Store. These extensions were distributed under the guise of utilities for working with cryptocurrency wallets, but they contained malicious code.
Harry Denley, director of security and researcher at the MyCrypto platform, who discovered these extensions, believes that all of them were created by one person or group, presumably from Russia.
“All the presented extensions function identically; they differ only in which categories of users they target,” Denley said.
All 49 extensions were distributed under the guise of official utilities for working with the following cryptocurrency wallets: KeepKey, Exodus, Ledger, Trezor, Jaxx, MetaMask, MyEtherWallet, Electrum. They closely copied the interfaces of the legitimate extensions and functioned almost identically, but any data the user entered, including private keys and mnemonic phrases, was sent to the attackers.
Denley decided to conduct an experiment and entered the data of a test wallet into one of the fraudulent extensions. As a result, he discovered that the funds in the wallet did not disappear immediately:
“Likely the attackers are waiting for a larger sum in the wallet, or they have not yet managed to automate the process and have to empty wallets manually.”
The researcher pointed to three public cases of cryptocurrency theft in which, according to him, users fell victim to these 49 extensions. He said the intruders will surely try again to add malicious extensions to the Chrome Web Store.
Denley encouraged users to report any suspicious extension that could lead to a wallet compromise through the CryptooveredDB website. This helps malicious extensions get tracked and removed faster.