Hidden in Plain Sight: The World of Bogus Browser Extensions and Apps


Malicious browser extensions and third-party applications are a growing threat to organizations. By disguising malicious code within seemingly legitimate tools, attackers exploit trusted platforms like the Chrome Web Store, Google Workspace Marketplace, and other cloud platforms. This known trend still poses significant risks, especially for small and mid-sized businesses (SMBs), which often lack the resources to detect and respond to these sophisticated threats. These attacks can lead to stolen credentials, financial losses and reputational damage, making it crucial to stay on top of the issue.


Mikael Artashesyan, Technical Lead for DFIR at CyXcel, examines this threat and offers actionable guidance on how organizations can become better prepared.

Case Study 1: The 2020 Chrome Extension Campaign

Back in 2020, Awake Security exposed over 100 malicious Chrome extensions that somehow passed Google’s checks. More than 32 million people downloaded these extensions, thinking they were productivity boosters or ad blockers. 

In reality, these extensions were designed to steal data. Google eventually removed them, but the incident showed how easy it is for attackers to exploit trusted platforms. It also revealed that automated screening processes alone are not enough to stop determined cybercriminals. 


Case Study 2: Fake Apps on Google Workspace Marketplace

Another example involves attackers copying popular CRM tools on the Google Workspace Marketplace. These fake apps tricked users into granting excessive permissions. Once access was granted, attackers could read corporate emails and access sensitive documents. 

Breaches like this disrupt workflows and damage trust in legitimate tools. Worse, such breaches create vulnerabilities in supply chains, potentially impacting a business’s clients and partners.

These examples highlight a clear pattern: attackers manipulate users’ trust in familiar platforms and apps. It’s a strategy that works well and highlights the need for stronger vetting and user awareness. 


How Attackers Make Their Tools Look Legitimate

Threat actors use clever tricks to make their fake apps and extensions seem genuine. These techniques are getting so good that even professionals can be fooled.

The attackers avoid drawing attention to their tools until it’s too late. They copy logos, names and descriptions, sometimes with tiny tweaks like a misspelled or slightly altered word (typosquatting). Most users won’t notice the difference. For example, a legitimate-looking extension might be named “DataSync” instead of “Data Sync.” Even so, the most convincing fake tools usually carry subtle red flags for those who know to look for them.


Why Traditional Security Measures Aren’t Enough 

Standard defences like firewalls and antivirus software are still important, but they’re not enough to tackle these types of threats. Threat actors are finding ways to slip through cracks that traditional tools don’t address.

Additionally, security teams are often playing catch-up, trying to address threats post-incident.


Root Causes of the Problem

Three top causes are notable:

  • Limited Oversight in Small Businesses: Smaller companies often lack strict IT policies, letting employees install extensions and apps without approval. This opens the door for malicious tools to sneak into daily workflows. The lack of oversight is a major vulnerability, and a smaller size does not shield a company from becoming a target.
  • Lack of Awareness: Employees often install tools without verifying their source or permissions.
  • SMBs’ Limited Resources: Many SMBs lack dedicated IT staff, making it harder to monitor and audit installed applications.


Gaps in Existing Understanding

  • False Sense of Security: Many organizations assume that tools available in official repositories are safe, overlooking red flags like excessive permissions.
  • Delayed Detection: Malicious extensions often activate harmful features only after prolonged use, complicating detection and response efforts.
  • Reactive Approaches: Many SMBs only address threats after a breach occurs, rather than adopting proactive measures.



A Better Approach


Restrict Installs: Use the admin consoles of platforms such as Google Workspace or Microsoft 365 to restrict which apps and extensions employees can install. Set clear policies for approved apps and extensions.


Employee Education: Train employees to recognize suspicious permissions and unverified developers, and stress the importance of verifying apps before installation. 


Regular Clean-ups: Schedule audits to remove unused or suspicious extensions. This reduces the chances of old vulnerabilities being exploited.


Enhanced Threat Intelligence: Invest in endpoint protection that can flag unusual activity from third-party apps. Proactive monitoring tools can catch problems early. To stay updated on evolving attack vectors, leverage external expertise.
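The following is an added example, not code from the article or from CyXcel, of how a regular extension audit can combine the two checks discussed above: comparing installed extensions against an approved list (catching look-alike names such as “DataSync” versus “Data Sync”) and flagging permissions that give an extension broad access. The allowlist, extension IDs and manifest contents are constructed sample data; a real collector would read each extension’s manifest.json from the browser profile.

```python
import re

# Permissions that let an extension read or alter pages, sessions or credentials broadly.
HIGH_RISK_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking", "cookies",
                         "tabs", "history", "clipboardRead", "nativeMessaging"}

# Hypothetical company allowlist: extension ID -> approved display name (constructed).
APPROVED = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "Data Sync",
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "Corp Ad Blocker",
}

def normalize(name):
    """Collapse case, whitespace and punctuation so 'DataSync' matches 'Data Sync'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def audit_extension(ext_id, manifest):
    """Return a list of findings for one installed extension (empty list means OK)."""
    findings = []
    name = manifest.get("name", "")
    if ext_id not in APPROVED:
        findings.append("not on allowlist")
        # Look-alike check: same name as an approved tool after normalization, but a different ID.
        for approved_name in APPROVED.values():
            if normalize(name) == normalize(approved_name):
                findings.append(f"name mimics approved tool '{approved_name}'")
    # Manifest v2 lists host patterns under "permissions"; v3 moves them to "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))
    return findings

def audit(installed):
    """Audit a mapping of extension ID -> manifest dict, returning findings per extension."""
    return {ext_id: audit_extension(ext_id, m) for ext_id, m in installed.items()}

# Constructed sample of what a collector would pull from each extension's manifest.json.
SAMPLE_INSTALLED = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Data Sync", "permissions": ["storage"]},
    "cccccccccccccccccccccccccccccccc": {"name": "DataSync",
                                         "permissions": ["cookies", "webRequest", "storage"],
                                         "host_permissions": ["<all_urls>"]},
    "dddddddddddddddddddddddddddddddd": {"name": "Weather Widget", "permissions": ["storage"]},
}

if __name__ == "__main__":
    for ext_id, findings in audit(SAMPLE_INSTALLED).items():
        print(ext_id, findings or "ok")
```

Extensions that are not on the allowlist but request only harmless permissions still show up, so the audit also surfaces the unapproved-but-benign tools that clean-ups should remove.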


The time to act is now, as attackers continuously refine their tactics, and the risks will only increase if left unchecked.



We Can Help

SMBs need to prioritize a layered security approach that includes proactive monitoring, employee training, and stricter control over installed tools. We help organizations implement these measures efficiently, ensuring long-term protection against evolving threats. 

For more information, or to speak with one of our team about how we can help your business, contact us today.