Google Chrome fans have been put on alert about dozens of terrifying extensions that have been downloaded hundreds of thousands of times.
The Google Chrome extensions were available on the official Chrome Web Store and are designed to appear perfectly innocent.
However, they have the secret ability to record and replay everything a Google Chrome user does when they visit a website.
The 89 extensions were installed on over 420,000 Google Chrome browsers and were discovered by security experts Trend Micro.
Trend Micro fraud analyst Joseph Chen explained the extensions can record and replay every mouse click, scroll and keystroke a Google Chrome user performs.
He said: “These scripts are injected into every website the user visits.
“These libraries are meant to be used to replay a user’s visit to a website, so that the site owner can see what the user saw, and what he entered into the machine, among other things.”
The family of Google Chrome extensions, which Trend Micro labelled Droidclub, can also use affected browsers to mine for the cryptocurrency Monero.
You can find the full list of affected Google Chrome extensions by clicking here.
Google has now removed these malicious extensions from the official Chrome Webstore.
But Trend Micro explained that there were other, nefarious ways that these dangerous add-ons spread.
One way that the Droidclub extensions got installed on a victim’s machine was through malicious online advertising.
Trend Micro explained: “Malicious ads would be used to display false error messages asking users to download an extension onto their browser.
“If people click OK here, the Chrome browser will download the extension from the normal Chrome web store in the background.
“It then asks the user if they want to go ahead and install the extension, while listing the required privileges of the extension.
“The extension, once installed, checks if the C&C server is online, downloads any needed configuration code, and reports back to the C&C server.”
Once installed on a machine, the Droidclub apps made it difficult for a user to delete them and report it as malicious.
Trend Micro explained if the extensions detected a user was trying to report it to Google, it would then redirect the user to a different page.
If users then tried to remove the extension via Chrome’s extension management page, it would then direct it to a fake page.
This would lead the user to believing the extension had been uninstalled, even if it wasn’t, and it would remain on Google Chrome.
Thankfully, Google has now disabled the DroidClub extensions from all affected Chrome browsers.
In a statement they said: “We’ve removed the affected extensions from the Chrome Web Store and have disabled them on devices of all affected Chrome users.
“Keeping the extensions ecosystem free from malware and abuse has always been a priority and we are always working on closing gaps to address new abuse patterns that emerge. Currently, our security systems block more than 1,000 malicious extensions per month.
“If an extension looks suspicious, we encourage users to report it as potential abuse through the chrome web store page so we can review it in greater depth.”