Chrome extension pesters you to install it and then spies on your browsing history, sending it to a remote server

Jan 26, 2016 23:25 GMT

A malicious Google Chrome extension designed to spy on your browsing habits has some of the most annoying installation popups you have seen in the past few years.

Discovered by Malwarebytes researchers while investigating a malvertising campaign, this extension had a very aggressive method of forcing users to install it.

The malvertising campaign's operators created a website where they constantly pushed any user that was unlucky enough to reach that particular page to install the malicious extension via a constant barrage of popups.

As soon as the user closed one, another one popped up in its place. When the user moved their mouse near the browser's URL bar or the close button, another, much bigger modal dialog was shown, and, as the cherry on top, the site also played an annoying audio message in the background.

Annoying Google Chrome extension is annoying

Malwarebytes' team made a video of this extension's behavior and also went along with it and installed the extension, at that time available from Google's Web Store under the iCalc name.

Once installed, there was no calculator feature (big surprise!), but the researchers discovered that, under the hood, iCalc had secretly set up a proxy and rerouted all the browser traffic through a remote server.

The reason a cyber-crook would do this is to log all the user's browsing habits, and then sell this information to online advertisers.

Malwarebytes reported the extension, but not before it reached over 1,000 installations, as there were users who probably didn't know they could close Google Chrome from their Task Manager and couldn't escape from the current page.

As soon as the iCalc extension was pulled from the Google Chrome Web Store, the malvertising campaign's authors started to push another malicious extension instead, but this time aimed only at Russian users.
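
The proxy rerouting described above can be checked for on an endpoint. The following is an added example, not code from the article or from Malwarebytes: it lists installed extensions whose manifest requests the "proxy" permission, which Chrome requires before an extension can change proxy settings through the chrome.proxy API. It assumes the on-disk layout `<Extensions dir>/<extension id>/<version>/manifest.json`, the function names are hypothetical, and the two sample extensions are constructed.

```python
import json
import tempfile
from pathlib import Path

# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extensions(extensions_dir):
    """Return one finding per installed extension that requests 'proxy'."""
    findings = []
    for manifest in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to inspect
        if not isinstance(data, dict):
            continue
        perms = set()
        for key in ("permissions", "optional_permissions", "host_permissions"):
            values = data.get(key)
            if isinstance(values, list):
                perms.update(p for p in values if isinstance(p, str))
        if "proxy" in perms:
            findings.append({
                "id": manifest.parent.parent.name,
                "version": manifest.parent.name,
                "name": data.get("name", "?"),  # may be a __MSG_...__ locale key
                "broad_hosts": sorted(perms & BROAD_HOSTS),
            })
    return findings

def build_sample_profile(root):
    """Constructed sample data: two fake extensions, one requesting 'proxy'."""
    samples = {
        "a" * 32: {"name": "Sample Calculator", "manifest_version": 2,
                   "permissions": ["proxy", "<all_urls>"]},
        "b" * 32: {"name": "Sample Notes", "manifest_version": 2,
                   "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_extensions(build_sample_profile(tmp)):
            print(finding)
```

A hit is a prompt for review rather than proof of abuse, since legitimate VPN and proxy-switching extensions request the same permission; a calculator that requests it is the mismatch worth investigating.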