McAfee published a report on Monday, August 29, detailing five extensions of the chrome browser malicious programs available in the Chrome Web Store and that have malware.
What are these extensions: “Netflix Party”, “FlipShope – Price Tracker Extension”, “Full Page Screenshot Capture – Screenshotting” and “AutoBuy Flash Sales”. Each of them had more than 20,000 downloads, with more than 1,400,000 downloads combined.
Each extension listens for page changes in the browser, and each time the user navigates to a new page, the extension sends the page’s URL to a remote server to check if the affiliate earning code can be injected. Many sites (including How To Geek) include affiliate code in links to shopping websites, sometimes earning them a small portion of the revenue. However, most of the offending extensions are not related to purchasing items at all, and are injecting the code to all possible pages.
McAfee also found evidence that some of the extensions wait 15 days after installation to start injecting affiliate code, presumably to avoid initial detection.
The most popular Netflix Party extension, which had over 800,000 users, has been removed from the Chrome Web Store. The rest of them are still active.