Avast researchers reported that three million users installed 28 malicious Chrome or Edge extensions that could perform several malicious operations.

Avast Threat Intelligence researchers spotted malicious Chrome and Edge browser extensions that were installed by over 3 million users.

The extensions were designed to steal user’s data (i.e. birth dates, email addresses, and active devices) and redirect the victims to ads and phishing sites.

Many of these applications are still available on the Chrome Web Store and the Microsoft Edge Add-ons portal. 

“The extensions which aid users in downloading videos from these platforms include Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK Unblock, and other browser extensions on the Google Chrome Browser, and some on Microsoft Edge Browser.” reads the analysis published by Avast. “The researchers have identified malicious code in the Javascript-based extensions that allows the extensions to download further malware onto a user’s PC. “

The tainted extensions pose as helper add-ons for Vimeo, Instagram, Facebook, and other popular online services.

Experts pointed out that the malware is quite difficult to detect since its ability to “hide itself,” it is able to detect if the user is googling one of its domains or if the user is a web developer and in these cases, it won’t perform any malicious activities on the victim’s browser. It is interesting to note that the malware avoids infecting web developers because they could unmask the malicious code in the extensions.

The malicious extensions are part of a campaign aimed at hijacking user traffic for financial motivation.

“Avast researchers believe the objective behind this is to monetize the traffic itself. For every redirection to a third party domain, the cybercriminals would receive a payment.” Avast said.

The extensions were discovered in November, but experts highlighted that some of them had been active since at least December 2018 and had tens of thousands of installs. To evade detection the malicious extensions only start to exhibit malicious behavior days after installation

Avast shared its findings with both Google and Microsoft that are scrutinizing the extensions.