#Google Chrome security flaw results in 32 million malware downloads

Users of Google’s market-leading web browser Chrome downloaded spyware more than 30 million times in the form of free add-ons from the official Chrome Web Store, researchers have discovered.

The security weakness highlights the company’s latest failure to protect browsers as Chrome is used for more sensitive functions than just surfing the web, including email and payroll.

Most of the free extensions purported to warn users about questionable websites or to convert files from one format to another. Instead, they sucked up browsing history and data that provided credentials for access to internal business tools.

Based on the 32 million downloads, it was the most far-reaching malicious Chrome store campaign to date, according to Awake co-founder and chief scientist Gary Golomb.

Alphabet-owned Google said it removed more than 70 of the malicious add-ons from its web store after being alerted by researchers at Awaken Security.

“When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” Google spokesman Scott Westover told Reuters.

Google declined to explain how the latest spyware compared with prior campaigns, the breadth of the damage, or why it did not detect and remove the bad extensions on its own despite past promises to supervise offerings more closely.

It is unclear who was behind the effort to distribute the malware. Awake said the developers supplied fake contact information when they submitted the extensions to Google.

While deceptive extensions have been a problem for years, they are getting worse. They initially spewed unwanted advertisements, and now are more likely to install additional malicious programs or track where users are and what they are doing for government or commercial spies.

Malicious developers have been using Google’s Chrome Store as a conduit for a long time. After one in 10 submissions was deemed malicious, Google said in 2018 here it would improve security, in part by increasing human review.

With Post wires.