Every day, millions of people rely on their web browsers, not only for work but also for study and everyday life. Many of us also install browser extensions to add useful features. But what happens when those extensions are not as harmless as they seem?
In recent years, a growing number of malicious browser extensions have appeared, particularly on platforms such as the Chrome Web Store (CWS), affecting millions of users worldwide. Detecting these threats is not straightforward: malicious extensions behave in many different and sometimes unpredictable ways. A further challenge is the limited availability of known malicious samples, which restricts how deeply these threats can be investigated.
In this talk, I will share insights from my study, which takes a closer look at this problem. I compiled a curated dataset of 460 malicious browser extensions removed from the CWS and analyzed how they behave. By combining static and dynamic analysis techniques, I identified a wide range of activities that raise privacy and security concerns, classified as tracking, redirecting, ad injecting, stealing, and unwanted actions. Using static analysis with CodeQL and Python, the study was able to automatically detect extensions that set cookies for external domains.
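To make the last point concrete, the following is an added illustration of the kind of check described above, written for this page and not taken from the speaker's study or its CodeQL queries. It assumes a hypothetical extension whose manifest.json and background script are constructed inline, and it treats a cookie as "external" when the host in the `url` argument of `chrome.cookies.set` is not covered by any match pattern in the manifest's `host_permissions` (this definition of "external" is the author of this example's assumption, not necessarily the study's). Calls whose `url` is not a string literal are reported separately, since a purely syntactic pass cannot resolve them; that is exactly the gap dynamic analysis fills.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample input: a hypothetical extension manifest (Manifest V3).
MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Coupon Helper",
    "permissions": ["cookies"],
    "host_permissions": ["https://shop.example/*"],
})

# Constructed sample input: the extension's background script.
BACKGROUND_JS = r'''
// first-party: host is declared in host_permissions
chrome.cookies.set({url: "https://shop.example/", name: "session", value: "abc"});
// external: affiliate cookie for a host the extension never declared
chrome.cookies.set({url: "https://tracker.example.net/", name: "aff_id", value: "1234"});
// first-party again, different quoting and spacing
chrome.cookies.set({ url: 'https://shop.example/cart', name: 'cart', value: 'x' });
// url built at runtime: a syntactic pass cannot resolve it
chrome.cookies.set({url: target, name: "x", value: "y"});
'''

# Object literal passed to chrome.cookies.set; [^}]* keeps it to flat literals.
COOKIE_SET_RE = re.compile(r"chrome\.cookies\.set\s*\(\s*\{(?P<body>[^}]*)\}", re.S)
# String-literal url field inside that object literal.
URL_RE = re.compile(r"""url\s*:\s*["'](?P<url>[^"']+)["']""")
# Extension match pattern: <scheme>://<host>/<path>; we only need the host part.
MATCH_PATTERN_RE = re.compile(r"^(?:\*|https?|file|ftp|ws|wss)://([^/]*)/")


def declared_hosts(manifest_json):
    """Return the set of host patterns the manifest grants access to.
    '*' stands for <all_urls>; '*.example' patterns are kept verbatim."""
    manifest = json.loads(manifest_json)
    patterns = manifest.get("host_permissions", []) + manifest.get("permissions", [])
    hosts = set()
    for pattern in patterns:
        if pattern == "<all_urls>":
            hosts.add("*")
            continue
        m = MATCH_PATTERN_RE.match(pattern)
        if m and m.group(1):
            hosts.add(m.group(1).lower())
    return hosts


def host_matches(host, pattern_host):
    """Does a concrete hostname fall under a match-pattern host?"""
    if pattern_host == "*":
        return True
    if pattern_host.startswith("*."):
        suffix = pattern_host[2:]
        return host == suffix or host.endswith("." + suffix)
    return host == pattern_host


def find_external_cookie_sets(manifest_json, source):
    """Scan JS source for chrome.cookies.set calls and classify each target host.
    Returns a list of (kind, host) tuples in source order, where kind is
    'external' (host not covered by host_permissions) or 'dynamic-url'
    (url is not a string literal, so static matching cannot decide)."""
    allowed = declared_hosts(manifest_json)
    findings = []
    for call in COOKIE_SET_RE.finditer(source):
        url_match = URL_RE.search(call.group("body"))
        if not url_match:
            findings.append(("dynamic-url", None))
            continue
        host = urlparse(url_match.group("url")).hostname
        if host is None:
            continue
        if not any(host_matches(host, allowed_host) for allowed_host in allowed):
            findings.append(("external", host))
    return findings


if __name__ == "__main__":
    for kind, host in find_external_cookie_sets(MANIFEST, BACKGROUND_JS):
        print(kind, host)
```

Run against the constructed sample, the scan reports the affiliate cookie for tracker.example.net as external and flags the runtime-built URL for follow-up, while the two shop.example cookies pass. A CodeQL query would replace the regexes with a proper JavaScript AST and data-flow tracking (so that a `url` assembled from constants would still be resolved), but the decision rule is the same: compare the cookie's target host against what the extension declared.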
Actionable CTI and detection engineering village
IFEN room 1, Workshops and Detection Engineering village (Building D)