Third-party browser extensions infect millions with malware


Researchers say that around 3 million people worldwide have been affected.

Threat Intelligence researchers from Avast this week announced that they have found 28 extensions for the Google Chrome and Microsoft Edge browsers that contain malware.

According to Avast, the add-ons presented themselves to users as a way to download pictures, videos, or other content from popular social media sites. These sites include Facebook, Instagram, Vimeo, and Spotify.

At present, they say, many of the malicious extensions remain available for download from Google and Microsoft.


Making popular sites dangerous

Avast published their findings in a blog post this week. They gave details on how the malware operates.

The malware can redirect users’ traffic to ads or phishing sites, they say. It can also steal people’s personal data, such as birth dates, email addresses, and active devices.

Based on the app stores’ download numbers, Avast estimates that the malware has affected around three million people worldwide.

The infected extensions include Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, and VK Unblock, along with other extensions for the Google Chrome browser and some for the Microsoft Edge browser.

The researchers have identified malicious code in the JavaScript-based extensions. This code allows the extensions to download further malware onto a user’s PC.

According to Avast, the actors collect and exfiltrate users’ personal information, including birth dates, email addresses, and device information. The device information covers first sign-in time, last login time, name of the device, OS, browser version, and even IP addresses.

How they did it

“Our hypothesis is that either the extensions were deliberately created with the malware built in, or the author waited for the extensions to become popular, and then pushed an update containing the malware. It could also be that the author sold the original extensions to someone else after creating them, and then the buyer introduced the malware afterwards,” said Jan Rubín, Malware Researcher at Avast.
