Trends and Lessons from Three Years Fighting Malicious Extensions

Nav Jagpal
Eric Dingle
Jean-Philippe Gravel
Niels Provos
USENIX Security Symposium (2015)
Google Scholar

Abstract

In this work we expose wide-spread efforts by criminals to abuse the Chrome Web Store as a platform for distributing malicious extensions. A central component of our study is the design and implementation of WebEval, the first system that broadly identifies malicious extensions with a concrete, measurable detection rate of 96.5%. Over the last three years we detected 9,523 malicious extensions: nearly 10% of every extension submitted to the store. Despite a short window of operation---we removed 50% of malware within 25 minutes of creation---a handful of under 100 extensions escaped immediate detection and infected over 50 million Chrome users. Our results highlight that the extension abuse ecosystem is drastically different from malicious binaries: miscreants profit from web traffic and user tracking rather than email spam or banking theft.